Djangocon: A sincere tale of Django, developers and security - Erik Romijn

Tags: django, djangocon

(One of the summaries of a talk at the 2015 Djangocon EU conference).

Eric Romijn explains us about security. Computers work differently than humans. Two handy questions:

  • How does it know it? A computer is deterministic. It does what you told it to do.

  • How might someone implement it in software? Which corner cases would be likely to be forgotten? How would the programmer explain the program to a 6 year old?

He showed an example of a 2006 PHP form at his university that, with a correct university-wide username/password combination, would create a user account with the same password on a linux machine. So… a php script wouldn’t normally be able to do that. So there would be something somewhere on the system that could get root access from within the webserver’s process. In the end he found it…

So: relentlessly ask questions. Take things apart and think creatively.

Now on to django. Django, by default, is quite secure. The good thing is that django reduces the number of things you yourself can screw up. For instance, there’s a good login system in place. Once you write your own authentication, you can much more easily screw it up because you’re bound to forget lots of corner cases.

Another security feature that doesn’t actually seem like a security feature: django forms. Django forms have really good security and validation. Quite a lot of vulnerabilities on other websites would have been basically impossible for django forms.

Look at http://www.ponycheckup.com, “Erik’s pony checkup”. And look at django’s documentation at https://docs.djangoproject.com/en/1.8/topics/security/ .

Note that if you think you found a security bug, mail security@djangoproject.com directly. Don’t submit a public bug report.

Some common issues he often finds:

  • Absent or mis-configured https. Proper https? Enable it on your entire site. Redirect all users to https. And enable HSTS, which tells your browser that it should always be https, also for future requests. And set your secure flag on cookies so that they’re only send for https connections. In django look at all the SECURE_* settings.

    And make sure you use the right https ciphers/versions. Check it at https://ssllabs.com/ssltest/ .

  • Happy path only testing. Of course we have tests. We test if some customer page works. Then we add @login_required. The tests still work. If later on, we accidentally remove @login_required, the tests still pass. Ouch.

    So: also test that something fails if you’re not logged in. One mistake can mean you expose all your data.

  • Date-based errors. An important christmas speech of the Dutch queen was “leaked” a day early. Well, leaked… someone guessed the URL of the video based on last year’s name, which included a date…

  • Media uploads. Always dangerous. Ideally, different storage, different web domain. At least do strict checking on filetype and extension.

    If you need access control, use X-Sendfile to send the data with your webserver but still send the request first to django for security checks.

  • Watch out with old django releases. And old versions of dependencies. You probably miss security patches.

    Look at https://requires.io/ for a site that can do these checks automatically for you.

  • Users. Watch out with the users of your websites. Those are the same people that just type in their username/password in the first page they get from google when googling their bank name without checking if it is the correct site…

    https://github.com/dropbox/zxcvbn is a reasonable password checker.

Is security something that is worthwile with the NSA and other security agencies having unlimited budget and no accountability? Yes. You cannot really fight the NSA, but you can protect your website against all the regular attacks. Oh, and don’t forget backups!

Why does it matter? Why would you go through the effort of securing your system? As a developer, you’re responsible for what you build. If, perhaps due to what your boss says regarding priorities, you don’t fix security issues, you still actively decide that you’re going along with it.

Security is irritating to people. If you try to do it right, you will irritate people. Security is invisible right till the moment everything goes wrong.

He closes with a quote by Isaac Asimov: “There’s no way I can single-handedly save the world or, perhaps, even make a perceptible difference - but how ashamed I would be to let a day pass without making one more effort.”

A model railway at the 2015 'ontraxs' exhibition in Utrecht
 
vanrees.org logo

Reinout van Rees

My name is Reinout van Rees and I program in Python, I live in the Netherlands, I cycle recumbent bikes and I have a model railway.

Weblog feeds

Most of my website content is in my weblog. You can keep up to date by subscribing to the automatic feeds (for instance with Google reader):