
ISO 27k talk for django meet up

Presented at London Django Meet up Feb 2021


  1. How we made our Django app more secure and ISO 27001 compliant. By Viren Rajput, co-founder @Earthmiles
  2. Hacking the university webmaster portal for fun (Indian Express screenshot)
  3. Found a vulnerability in examination portals exposing the answers to MCQs
  4. ISO 27001 framework
     - Sets out the specification for an information security management system (ISMS)
     - Published by the International Organization for Standardization (ISO)
     - Best-practice approach to information security
     - “establish, implement, operate, monitor, review, maintain and continually improve”
  5. How the standard works
     - Systematically examine risks
     - Design and implement a suite of information security controls
     - Risk treatment to address risks that are deemed unacceptable
     - Adopt an overarching management process
     - Ensure that security controls continue to meet the organization's information security needs on an ongoing basis
  6. Risk method
  7. Controls
     - A.5: Information security policies (2 controls)
     - A.6: Organization of information security (7 controls)
     - A.7: Human resource security (6 controls, applied before, during or after employment)
     - A.8: Asset management (10 controls)
     - A.9: Access control (14 controls)
     - A.10: Cryptography (2 controls)
     - A.11: Physical and environmental security (15 controls)
     - A.12: Operations security (14 controls)
     - A.13: Communications security (7 controls)
     - A.14: System acquisition, development and maintenance (13 controls)
     - A.15: Supplier relationships (5 controls)
     - A.16: Information security incident management (7 controls)
     - A.17: Information security aspects of business continuity management (4 controls)
     - A.18: Compliance, with internal requirements such as policies and with external requirements such as laws (8 controls)
  8. Fixing authentication
     - django-defender: blocks brute-force login attempts
       - Rate limit based on IP/username
       - Reverse proxy support
       - Ability to store login attempts in the database
       - Admin pages to view blocked usernames, IPs and attempts
       - Support for custom auth methods
     - Monitoring in place to raise alerts for suspicious activity by hooking into django-defender signals
     - Considered: optional 2FA
  9. Client rate limiting
     - Throttle requests using django-rest-framework's request limits
     - Different rates for authenticated users and anonymous clients
     - Scope-based throttles (analytics, uploads, profile, etc.)
  10. Keeping secrets safe: DynaConf
     - Easy and powerful settings configuration for Python
     - Strict separation of settings from code
     - Store parameters in multiple file formats (.toml, .json, .yaml, .ini and .py)
     - Sensitive secrets like tokens and passwords can be stored in safe places such as a .secrets file or a vault server
     - Simple feature-flag system
     - Strong support for Django and Flask
  11. Protecting the admin panel
     - Change the default URL from /admin to something random
     - Set up a dedicated admin panel server
     - Set up a dedicated OpenVPN server with a static IP
     - Allotted user accounts on the OpenVPN server
     - Used django-admin-ip-whitelist to restrict access to the staff admin panel server to the OpenVPN static IP
  12. Best practices
     - Use a secure (supported, patched) Django version
     - Force HTTPS with permanent redirects
     - Use secure cookies: SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE
     - Handle uploads carefully (validate that files are what you expect)
     - Avoid raw queries and custom SQL
     - Review dependencies (tools like Snyk)
     - Don't leave your cache, DB, etc. exposed on a public-facing machine
  13. ISO 27001 benefits
  14. Thank you! Twitter @Bkvirendra, GitHub @Bkvirendra
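The settings items from slides 9, 11 and 12 lend themselves to an automated check. The following is an added example, not code from the talk or from Earthmiles: it audits a plain dict of Django settings (so it runs without Django installed) and places a weak configuration beside the hardened one. Setting names are the real Django and django-rest-framework ones; ADMIN_URL is a hypothetical project-level name for the admin mount path, and all values are constructed.

```python
# Constructed example: settings roughly as `startproject` generates them.
WEAK_SETTINGS = {
    "DEBUG": True, "ALLOWED_HOSTS": [],
    "SESSION_COOKIE_SECURE": False, "CSRF_COOKIE_SECURE": False,
    "SECURE_SSL_REDIRECT": False, "ADMIN_URL": "admin/", "REST_FRAMEWORK": {},
}

# Constructed example: the same project after applying the slides' advice.
HARDENED_SETTINGS = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["app.example.com"],
    "SESSION_COOKIE_SECURE": True,       # session cookie only sent over HTTPS
    "CSRF_COOKIE_SECURE": True,
    "SECURE_SSL_REDIRECT": True,         # SecurityMiddleware: permanent redirect to https
    "ADMIN_URL": "k7v2-staff-console/",  # hypothetical non-default admin path (slide 11)
    "REST_FRAMEWORK": {
        "DEFAULT_THROTTLE_CLASSES": [
            "rest_framework.throttling.AnonRateThrottle",
            "rest_framework.throttling.UserRateThrottle",
            "rest_framework.throttling.ScopedRateThrottle",
        ],
        # 'anon' and 'user' are DRF's built-in keys; the others are scopes a
        # view selects with `throttle_scope = "uploads"` (slide 9)
        "DEFAULT_THROTTLE_RATES": {
            "anon": "60/hour", "user": "1000/hour",
            "uploads": "20/hour", "analytics": "100/hour",
        },
    },
}


def audit_settings(settings):
    """Return one finding per hardening item from the slides that is not met."""
    findings = []
    if settings.get("DEBUG"):
        findings.append("DEBUG is on: error pages leak settings and queries")
    if not settings.get("ALLOWED_HOSTS"):
        findings.append("ALLOWED_HOSTS is empty: Host header is not validated")
    for flag in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE", "SECURE_SSL_REDIRECT"):
        if not settings.get(flag):
            findings.append(f"{flag} is not True")
    if str(settings.get("ADMIN_URL", "admin/")).strip("/") == "admin":
        findings.append("admin panel still mounted at the default /admin/ path")
    rates = settings.get("REST_FRAMEWORK", {}).get("DEFAULT_THROTTLE_RATES", {})
    for key in ("anon", "user"):
        if key not in rates:
            findings.append(f"no DEFAULT_THROTTLE_RATES entry for '{key}'")
    return findings
```

Running `audit_settings` over a project's real `settings` module (after `django.setup()`) in CI turns the slide's checklist into a failing build rather than a reminder.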