An Introduction to Secure Web Development with Django (and Python!)

James Bennett

Sunday 9 a.m.–12:30 p.m.
Audience level: Not Applicable

Description

You can't afford to have security be an optional or "nice-to-have" feature in your applications. Luckily, Django has your back: this workshop will introduce you to thinking about security, cover some common (and some less-common) security concerns, and walk you through, in detail, how Django and the broader Django and Python ecosystems can help protect you and your users from them.

Abstract

  1. How to talk about security (and how not to)

  2. Getting up again after you fall: a brief history of Django and security

  3. There's no such thing as "secure"; you're always making tradeoffs and trying to stay a step or two ahead

  4. Integrating thoughtful, informed security decisions as a necessary part of the development process

  5. What sorts of things are we worried about?

  6. Basic categories of security issues

    • Unauthorized data accesss

    • Arbitrary code execution (against you or your users)

    • Denial-of-service

  7. Rogues' gallery: a tour of the OWASP Top Ten list

    • Injection attacks

    • Authentication and session management

    • Cross-site scripting

    • Direct object references

    • Misconfiguration

    • Sensitive data exposure

    • Function-level access control

    • Cross-site request forgery

    • Components with known vulnerabilities

    • Unvalidated redirects and forwards

  8. What can we do about it?

    • The OWASP Top Ten, reprise: how to mitigate or avoid all ten in Django-based applications, including:

    • Best practices for use of the ORM

    • Approaches to authentication

    • Django's built-in XSS protection

    • Using Django's URL routing to avoid exposing object IDs

    • Using the system check framework to identify issues before you go live

    • How to safely store, or avoid storing, sensitive data

    • Locking down your views with Django's authentication and permission system

    • Using Django's anti-CSRF framework

    • How to stay on top of your dependencies so they don't let you down: requires.io, hashed requirements and other tools

    • Tools for avoiding and mitigating unsafe redirects in Django applications

  9. Intermediate issues

  10. The OWASP Top Ten is a good start, but...

  11. The expanded rogues' gallery:

    • SSL everywhere: using HTTP Strict Transport Security

    • Keeping unwanted hands out of the cookie jar

    • Don't get framed: how clickjacking works and how to stop it

    • This smells bad: how to give content-sniffing attacks a stuffy nose

    • How did that get there? Using Content Security Policy to help browsers help you

    • Further topics in cross-domain data access (how to lock down Flash and Silverlight)

  12. Security as a process

    • Developing a security policy for your code (or company)

    • Responsible handling and disclosure

    • Thoughtfully packaging and distributing your code

  13. Advanced topics

  14. A spotter's guide to common patterns for DoS vectors

  15. Cryptography and its discontents

    • Using Django's crypto utilities in moderation
  16. Reflections on trusting trust: how not to go overboard

  17. Conclusion + Q&A


Buy your conference and tutorial tickets here! Tutorials are $150 per session.