A sincere tale of Django, developers and security
=================================================

Erik Romijn @erikpub

- used to think security was about knowing everything, and I didn't know everything
- now: it's more about the way you think about things

Things I don't know about

- computers work differently: they don't know what you meant
- so ask:

  - how does it know that?
  - how might someone implement this in software?
  - how would you explain it to a toddler?

Example

- oege: shared linux server for students
- register.php: enter uni username and password, register and email your details
- cat register.php: permission denied
- but write a php script to read it, and as php is run by the webserver, it works
- the script runs sudo /path/to/script.sh user pass
- write a php script to call that script, create other accounts, change the root password, etc

Relentlessly question, take things apart and think creatively

Django
------

- "reassuringly secure": password storage, auth, CSRF, DoS ...
- Django reduces the number of things you can screw up, eg the auth system
- good docs: Security in Django
- Read "Two Scoops of Django": good security section

Can introduce remote code execution:

- SESSION_ENGINE = signed_cookies
- SESSION_SERIALIZER = PickleSerializer
- SECRET_KEY = 'not really secret'

But the above aren't default, and the settings docs have warnings

Django forms are also good

- apple app id allowed dropbox credentials to be lost

https://www.ponycheckup.com/ does automatic checks

If you think you've found something, email security@djangoproject.com

Common Issues
-------------

1 - absent or misconfigured https
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- https is essential for sensitive data, eg login details
- plain http has no integrity: content could have stuff added, or be replaced
- proper https:

  - enable it for the entire site
  - redirect all users to https, enable HSTS
  - set the secure flag on cookies
  - all in settings: SECURE_*
  - set the right ciphers, versions etc

- https://ssllabs.com/ssltest/
- Book: Bulletproof SSL and TLS (practical; crypto concepts, vulnerabilities)

2 - Happy path only testing
~~~~~~~~~~~~~~~~~~~~~~~~~~~

- eg a View with login_required, abstracted to a mixin
- the test does a login, then gets the page
- forget the mixin and the test still passes
- you need to test that anonymous users can't view, that users w/o permissions can't view ...

3 - Media Uploads
~~~~~~~~~~~~~~~~~

- see one file, then guess the path of another file
- SECURE_SSL_REDIRECT doesn't help
- properly: ideally different storage, different domain
- at least do a strict check on filetype: extension, mime type
- access control: serve through Django (slow) OR use x-sendfile to tell the webserver to serve the file

4 - Outdated Software
~~~~~~~~~~~~~~~~~~~~~

- django 1.3 has 20 missing patches, 1.5 has 7, 1.6 has 1
- requires.io extracts all dependencies and versions, and tells you about security issues!

Human Factors
-------------

- ING Bank login "My ING": someone searches for "My", hits the first link, types in username and password without seeing what site it is
- people will give their password to someone claiming to be from IT
- password strength library: https://github.com/dropbox/zxcvbn
- two factor auth (2FA)

Risks
-----

- What about the NSA? Yes, the NSA can hack you, but you can be secure enough to stop hackers
- backup and recovery is also important: how long can you reasonably be offline for?

Why it matters
--------------

- "it's been fine for the last year"
- sometimes companies phone up and ask for passwords; they haven't thought it through
- many people find security really annoying ... until something goes wrong
- quote: "There is no way I can single-handedly save the world ... ashamed to let one day go by without making an effort" Isaac Asimov
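The Django section and issue 1 above both come down to settings: the SECURE_* / *_COOKIE_SECURE flags for HTTPS, and the signed_cookies + PickleSerializer + 'not really secret' combination that turns a known SECRET_KEY into code execution. The audit below, an added example that is not code from the talk or from Django, walks a settings mapping and reports those conditions. The setting names are Django's real ones; the two sample settings dicts, the WEAK_SECRETS list and the 50-character length heuristic are constructed for illustration.

```python
"""Audit a Django-style settings mapping for the misconfigurations in the
talk notes: missing HTTPS hardening and the signed-cookie + pickle +
guessable-key combination that allows remote code execution.

Added example, not code from the talk or from Django. Setting names are
Django's real ones; the sample dicts and thresholds are constructed."""

# Obviously-bad keys (constructed list); a real key is random and never committed.
WEAK_SECRETS = {"", "not really secret", "secret", "changeme"}
MIN_SECRET_LEN = 50  # heuristic: the length of the key `startproject` generates


def audit_settings(settings):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    get = settings.get

    # 1 - absent or misconfigured https: all of these live in settings.py
    if not get("SECURE_SSL_REDIRECT", False):
        findings.append(("high", "SECURE_SSL_REDIRECT is off: plain-HTTP requests are not sent to HTTPS"))
    if int(get("SECURE_HSTS_SECONDS", 0)) <= 0:
        findings.append(("high", "SECURE_HSTS_SECONDS is 0: no HSTS, a first request can still go over HTTP"))
    for flag in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not get(flag, False):
            findings.append(("high", f"{flag} is off: the cookie may be sent over plain HTTP"))

    # Session settings that turn a leaked or guessable key into code execution
    engine = get("SESSION_ENGINE", "django.contrib.sessions.backends.db")
    serializer = get("SESSION_SERIALIZER", "django.contrib.sessions.serializers.JSONSerializer")
    secret = get("SECRET_KEY", "")

    weak_key = secret in WEAK_SECRETS or len(secret) < MIN_SECRET_LEN
    pickled = serializer.endswith("PickleSerializer")
    cookie_sessions = engine.endswith("signed_cookies")

    if weak_key:
        findings.append(("high", "SECRET_KEY is empty, well-known or short: sessions, CSRF tokens and signed data can be forged"))
    if pickled:
        findings.append(("medium", "PickleSerializer unpickles session data: a forged session means arbitrary code"))
    if weak_key and pickled and cookie_sessions:
        findings.append(("critical", "signed_cookies + PickleSerializer + guessable SECRET_KEY: anyone who knows the key gets remote code execution"))
    return findings


# Constructed sample: the talk's dangerous combination, with no HTTPS hardening at all
WEAK_SETTINGS = {
    "SECRET_KEY": "not really secret",
    "SESSION_ENGINE": "django.contrib.sessions.backends.signed_cookies",
    "SESSION_SERIALIZER": "django.contrib.sessions.serializers.PickleSerializer",
}

# Constructed sample: the corrected settings (the key is a placeholder, not a real one)
HARDENED_SETTINGS = {
    "SECRET_KEY": "example-placeholder-key-" + "0123456789" * 3,
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 31536000,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SESSION_ENGINE": "django.contrib.sessions.backends.db",
    "SESSION_SERIALIZER": "django.contrib.sessions.serializers.JSONSerializer",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"== {label}: {len(audit_settings(cfg))} finding(s)")
        for severity, message in audit_settings(cfg):
            print(f"  [{severity}] {message}")
```

The audit deliberately reads a plain dict rather than `django.conf.settings`, so it can run in CI before Django is even imported; pointing it at the real settings module is a matter of passing `vars(settings_module)`. Newer Django releases have deprecated and then removed PickleSerializer for exactly the reason the notes give, so the pickle finding matters most on older installs, which is also where issue 4 (outdated software) bites.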
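Issue 2 (happy path only testing) is easiest to see with a suite that contains the negative cases and is run twice: once against a view that still has its access-control mixins and once against the same view after the mixins were forgotten. This is an added example, not code from the talk or from Django; the User, Request, View and mixin classes are small stand-ins modelled on Django's LoginRequiredMixin and PermissionRequiredMixin so that the example runs without Django, and the "reports.view_report" permission and the view names are constructed.

```python
"""Happy-path-only tests miss the case the talk describes: drop the login
mixin from a view and a test that logs in first still passes. This suite
adds the two negative cases and runs all three tests against a correct
view and against one where the mixins were forgotten.

Added example, not code from the talk or from Django. The classes below
are stand-ins modelled on Django's auth mixins, not Django's own."""
import unittest


class User:
    def __init__(self, authenticated=False, perms=()):
        self.is_authenticated = authenticated
        self._perms = set(perms)

    def has_perm(self, perm):
        return self.is_authenticated and perm in self._perms


class Request:
    def __init__(self, user):
        self.user = user


class View:
    def dispatch(self, request):
        return 200, self.get(request)


class LoginRequiredMixin:
    def dispatch(self, request):
        if not request.user.is_authenticated:
            return 302, "/accounts/login/"  # redirect to login, like Django's mixin
        return super().dispatch(request)


class PermissionRequiredMixin:
    permission_required = None

    def dispatch(self, request):
        if not request.user.has_perm(self.permission_required):
            return 403, "forbidden"
        return super().dispatch(request)


class ReportView(LoginRequiredMixin, PermissionRequiredMixin, View):
    permission_required = "reports.view_report"  # constructed permission name

    def get(self, request):
        return "quarterly figures"


class ReportViewMixinForgotten(View):
    """The regression: same page, mixins left off during a refactor."""

    def get(self, request):
        return "quarterly figures"


class ReportViewTests(unittest.TestCase):
    view_class = ReportView

    def test_happy_path_user_with_permission(self):
        user = User(authenticated=True, perms={"reports.view_report"})
        self.assertEqual(self.view_class().dispatch(Request(user))[0], 200)

    # The two tests a happy-path-only suite lacks:
    def test_anonymous_user_is_redirected(self):
        self.assertEqual(self.view_class().dispatch(Request(User()))[0], 302)

    def test_logged_in_user_without_permission_is_forbidden(self):
        user = User(authenticated=True)
        self.assertEqual(self.view_class().dispatch(Request(user))[0], 403)


def run_suite(view_class):
    """Run ReportViewTests against `view_class`; return (tests_run, failures)."""
    bound = type("BoundReportViewTests", (ReportViewTests,), {"view_class": view_class})
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(bound)
    result = unittest.TestResult()
    suite.run(result)
    return result.testsRun, len(result.failures) + len(result.errors)


if __name__ == "__main__":
    print("correct view:   ", run_suite(ReportView))              # (3, 0)
    print("mixin forgotten:", run_suite(ReportViewMixinForgotten))  # (3, 2)
```

Only the happy-path test passes against ReportViewMixinForgotten; the redirect and forbidden tests are what turn the refactoring mistake into a red build. In a real Django project the same three tests are written against `self.client` with `self.client.login(...)` for the authenticated cases and a bare `self.client.get(...)` for the anonymous one.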
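For issue 3 (media uploads), "strict check on filetype" means the extension, the MIME type the client declares and the file's own leading bytes must all agree, and "guess the path of another file" is answered by giving stored files random names. The validator below is an added example, not code from the talk or from Django; the allow-list, the magic-byte table and the sample uploads are constructed for illustration, and a real deployment would still keep the files off the application's own domain as the notes recommend.

```python
"""Strict upload validation for a media endpoint: extension, declared
MIME type and magic bytes must agree, and the stored name is random so
that seeing one URL gives no hint about the next.

Added example, not code from the talk or from Django; the allow-list and
sample uploads are constructed."""
import os
import secrets

# extension -> (MIME type expected from the client, accepted magic-byte prefixes)
ALLOWED_TYPES = {
    ".png":  ("image/png",       [b"\x89PNG\r\n\x1a\n"]),
    ".jpg":  ("image/jpeg",      [b"\xff\xd8\xff"]),
    ".jpeg": ("image/jpeg",      [b"\xff\xd8\xff"]),
    ".gif":  ("image/gif",       [b"GIF87a", b"GIF89a"]),
    ".pdf":  ("application/pdf", [b"%PDF-"]),
}


class UploadRejected(ValueError):
    """Raised when any one of the three checks fails."""


def validate_upload(filename, declared_mime, data):
    """Return the normalised extension if the upload passes all checks.

    Only the final extension counts, so "shell.php.png" is judged as ".png"
    and then fails the content check unless it really is a PNG. basename()
    strips any directory part so "../x.png" cannot steer the stored path."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not on the allow-list")
    expected_mime, magics = ALLOWED_TYPES[ext]
    # Drop any ";charset=..." parameter before comparing the media type
    if declared_mime.split(";")[0].strip().lower() != expected_mime:
        raise UploadRejected(f"declared type {declared_mime!r} does not match {ext!r}")
    if not any(data.startswith(magic) for magic in magics):
        raise UploadRejected("file content does not match its extension")
    return ext


def storage_name(ext):
    """Unguessable stored name: 32 URL-safe random characters plus the vetted extension."""
    return secrets.token_urlsafe(24) + ext


def is_rejected(filename, declared_mime, data):
    """Predicate form of validate_upload, used by the demo and the tests."""
    try:
        validate_upload(filename, declared_mime, data)
    except UploadRejected:
        return True
    return False


# Constructed sample uploads (not real files)
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_BYTES = b"<?php echo 'not an image'; ?>"
PDF_BYTES = b"%PDF-1.4 constructed sample"

if __name__ == "__main__":
    samples = [
        ("holiday.PNG", "image/png", PNG_BYTES),              # accepted
        ("shell.php.png", "image/png", PHP_BYTES),            # content is not a PNG
        ("../../report.php", "application/x-httpd-php", PHP_BYTES),  # extension not allowed
        ("scan.pdf", "image/png", PDF_BYTES),                 # declared type disagrees
    ]
    for name, mime, data in samples:
        if is_rejected(name, mime, data):
            print(f"{name:20} rejected")
        else:
            print(f"{name:20} stored as {storage_name(validate_upload(name, mime, data))}")
```

The stored name is what goes into the model's FileField; the original filename can be kept in a separate column for display but should never become part of the path. Serving then goes either through a Django view that checks the user's permission before reading the file, or through the same view returning an X-Sendfile/X-Accel-Redirect header so the webserver streams the bytes after Django has done the access check.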