Security Best Practices for Django Applications with Gajendra Deshpande - DjangoCon US 2022

Gajendra Deshpande shares best practices for securing Django applications, walking through common web vulnerabilities, their Django-specific mitigations, and the tools used to test for and monitor them.

Key takeaways
  • Security testing using tools like Mozilla Observatory
  • Identifying common web vulnerabilities (broken access control, insecure deserialization, command injection, SQL injection)
  • OWASP Top 10 for 2021, with 8 of the 10 categories relevant to Django applications
  • Insecure deserialization: deserialize trusted input only and validate XML data before parsing it
  • Access control issues (keep SECRET_KEY secret; enable logging and monitoring)
  • Command injection; homomorphic encryption as a (computationally expensive) option for protecting sensitive data
  • Stateful session identifiers to invalidate sessions
  • Server-side request forgery (SSRF), validate URLs when fetching resources
  • Weak authentication, enforcing SSL/TLS, security misconfiguration, and secure processing and transmission of sensitive data
  • Monitoring for potential exploits (Shodan and Django Hunter tools)
  • Limitations of OWASP SAMM (Software Assurance Maturity Model) and of Mozilla HTTP Observatory statistics
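Two of the takeaways above, SSRF URL validation and SQL injection, made concrete. This is an added example and not code from the talk or from Django itself; it uses plain Python (`urllib.parse`, `ipaddress`, `sqlite3`) so it runs without a Django project, and the comments point at the equivalent Django calls (`cursor.execute(sql, params)`, `Model.objects.raw(sql, params)`, `.filter()`). The function names, the `ALLOWED_*` policy sets and the in-memory `app_user` table are assumptions made for the illustration.

```python
"""SSRF-safe URL validation and parameterised queries (added illustration,
not the speaker's code). Names and policy constants are assumptions."""
import ipaddress
import socket
import sqlite3
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumed policy: no file://, gopher://, ...
ALLOWED_PORTS = {80, 443}             # assumed policy: default ports only


def _dns_resolve(host: str) -> list[str]:
    """Live DNS: every A/AAAA record for host (scope ids such as %eth0 stripped)."""
    addrs = {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}
    return sorted(addrs)


def _is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses: rejects loopback,
    RFC 1918, link-local (169.254.169.254 cloud metadata), CGNAT, multicast."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(
    url: str, resolve: Callable[[str], Iterable[str]] = _dns_resolve
) -> tuple[bool, str]:
    """Decide whether the server may fetch url on a user's behalf.

    Returns (ok, reason). Every resolved address must be public, so a hostname
    that maps to an internal IP is refused as firmly as an IP literal is.
    """
    try:
        parts = urlsplit(url)
        port = parts.port                      # raises ValueError on bad ports
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:       # http://user@evil.com tricks
        return False, "userinfo in URL not allowed"
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal, incl. [::1]
    except ValueError:
        try:
            addrs = list(resolve(host))
        except OSError as exc:
            return False, f"DNS failure for {host}: {exc}"
        if not addrs:
            return False, f"{host} did not resolve"
    for addr in addrs:
        try:
            if not _is_public(addr):
                return False, f"{host} -> {addr} is not a public address"
        except ValueError:
            return False, f"unparseable address {addr!r}"
    return True, "ok"


def _demo_users_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a Django model's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_user (username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO app_user VALUES (?, ?)",
                     [("alice", 0), ("bob", 1)])
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    # BAD: attacker-controlled text is spliced into the statement. The Django
    # equivalents are cursor.execute(f"... {username}") or Model.objects.raw(f"...").
    sql = f"SELECT username FROM app_user WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    # GOOD: the driver binds the value. In Django: cursor.execute(sql, [username]),
    # Model.objects.raw(sql, [username]), or simply User.objects.filter(username=username).
    sql = "SELECT username FROM app_user WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    print(validate_fetch_url("http://169.254.169.254/latest/meta-data/"))
    db = _demo_users_db()
    print(lookup_user_vulnerable(db, "x' OR '1'='1"), lookup_user_safe(db, "x' OR '1'='1"))
```

One caveat the validator does not solve on its own: it resolves the hostname once, and the HTTP client will resolve it again. Against DNS rebinding, connect to the address that passed the check (or pin it in the client) rather than handing the original hostname to the fetch.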