Security Best Practices for Django Applications with Gajendra Deshpande - DjangoCon US 2022

Django Testing Security

Django security expert shares best practices for securing Django applications, covering vulnerabilities and testing tools.

Key takeaways
  • Security testing using tools like Mozilla Observatory
  • Identifying common web vulnerabilities (broken access control, insecure deserialization, command injection, SQL injection)
  • OAuth top 10 vulnerabilities for 2021, with 8 of 10 overlapping with Django
  • Insecure deserialization, using trusted input only and validated XML data
  • Access control issues (secure secret key, logging and monitoring)
  • Command injection using homomorphic encryption (expensive in terms of computation)
  • Stateful session identifiers to invalidate sessions
  • Server-side request forgery (SSRF), validate URLs when fetching resources
  • Weak authentication, enforcement of SSL, security misconfiguration, sensitive data processing and transmission
  • Monitoring for potential exploits (Shodan and Django Hunter tools)
  • Limitations on OWASP SAM model and Mozilla HTTP Observatory statistics

More talks

Zero to Hero: How we make great Golang engineers at Luno - Andrew Wormald

Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET

Monitoring Using ELK & Structured Logging (DeveloperWeek Global 2020)

Microsoft Security Copilot - your new best friend! - George Coldham. NDC Sydney 2024

Facundo Giuliani - Pushing Boundaries to the Edge - React Miami 2024

Unleashing Native Imaging Power in GraalVM • Alina Yurenko & Bert Jan Schrijver

SAINTCON 2024 - Day 2 - Livestream

"If only I owned my data: Architecting decentralized data" by Katharine Jarmul, Nimisha Asthagiri