Kicking security goals


By: Colin Rolfe

@colin_rolfe

Warnings and disclaimers


  • I am not an expert/lawyer
  • None of this is legal advice
  • This guide is by no means comprehensive
  • We're not going to talk about BREACH or the NSA


Django does a good job!


  • Stacks up well against the OWASP top 10 
  • http://pyvideo.org/video/2203/building-secure-web-apps-python-vs-the-owasp-top
  • Security releases are a fact of life, but fewer than others
  • It's usually tough, but still possible to shoot yourself in the foot 

Pentesting: Rails vs Django



http://levigross.github.io/penetration-testing-django-and-rails/

What do you mean there's no SSL?!

What do I need to do?


  • Get an SSL certificate (preferably a wildcard)
  • Install it
  • Configure your web server to use it
  • Do yourself a favour and use site-wide SSL

SSL engaged, time for lunch!

Not quite yet.

Watch this video


Insecure Cookies


  • The user has no guarantee they are talking to your site
  • An attacker can intercept and modify requests
  • Even with SSL, the first request to the site is over plain HTTP by default


Strict transport security


  • Header that instructs the browser to only request the site over HTTPS
  • Eliminates the problem just described
  • nginx: add_header Strict-Transport-Security max-age=31536000;
  • https://github.com/carljm/django-secure/


Enable clickjacking protection


# Uncomment the next line for simple clickjacking protection:
'django.middleware.clickjacking.XFrameOptionsMiddleware',

Prevents your site from being served in an iframe on another site.

Turned on by default in Django 1.6?

Set content-security-policy


  • Header that mitigates XSS by whitelisting the domains allowed to serve JavaScript to your site
  • Relies on the browser to enforce it 
  • Requires a bit of tinkering to get right
  • https://github.com/mozilla/django-csp

be careful with that api!


  • Finally!  A place you can shoot yourself in the foot!
  • Make damn sure you are cleaning any user-submitted data
  • Sounds simple, but easy to forget
  • Writing your own API code is probably a very bad idea...
  • ...unless you're Curtis :)

How can I test some of these changes?


  • SSL-specific: https://www.ssllabs.com/ssltest/analyze.html
  • Django-specific: http://ponycheckup.com
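An added example (not from the talk, and not what ponycheckup itself does): an offline checker for the response headers the preceding slides recommend. It takes a dict of header name to list of values, as you would collect from a real HTTPS response, and checks HSTS max-age, X-Frame-Options, the presence of Content-Security-Policy, and the Secure flag on cookies; it also checks HttpOnly, which the deck does not name. Both header sets below are constructed.

```python
import re

ONE_YEAR = 31536000  # the max-age used on the HSTS slide


def check_security_headers(headers):
    """Return a dict of check name -> (passed, detail) for one response."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    results = {}

    # HSTS: present and with a max-age of at least a year
    hsts = h.get("strict-transport-security", [])
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    age = int(m.group(1)) if m else 0
    results["hsts"] = (age >= ONE_YEAR, "max-age=%d (want >= %d)" % (age, ONE_YEAR))

    # Clickjacking: X-Frame-Options must be DENY or SAMEORIGIN
    xfo = h.get("x-frame-options", [""])[0].strip().upper()
    results["clickjacking"] = (xfo in ("DENY", "SAMEORIGIN"), "X-Frame-Options=%r" % xfo)

    # CSP: only presence is checked; the policy itself needs manual review
    csp = h.get("content-security-policy", [])
    results["csp"] = (bool(csp), csp[0] if csp else "no Content-Security-Policy header")

    # Cookies: every Set-Cookie should carry Secure and HttpOnly
    cookie_ok, detail = True, []
    for c in h.get("set-cookie", []):
        name = c.split("=", 1)[0]
        flags = {p.strip().lower() for p in c.split(";")[1:]}
        missing = [f for f in ("secure", "httponly") if f not in flags]
        if missing:
            cookie_ok = False
            detail.append("%s missing %s" % (name, ",".join(missing)))
    results["cookies"] = (cookie_ok, "; ".join(detail) or "all cookies Secure+HttpOnly")
    return results


# Constructed sample: a site that has done only the SSL slide
WEAK = {
    "Set-Cookie": ["sessionid=abc123; Path=/", "csrftoken=xyz; Path=/; Secure"],
}
# Constructed sample: the same site after the HSTS, clickjacking, CSP and cookie slides
HARDENED = {
    "Strict-Transport-Security": ["max-age=31536000"],
    "X-Frame-Options": ["SAMEORIGIN"],
    "Content-Security-Policy": ["default-src 'self'"],
    "Set-Cookie": ["sessionid=abc123; Path=/; Secure; HttpOnly",
                   "csrftoken=xyz; Path=/; Secure; HttpOnly"],
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        for name, (ok, info) in check_security_headers(hdrs).items():
            print("%-8s %-12s %s  %s" % (label, name, "PASS" if ok else "FAIL", info))
```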
