
ISO 27k talk for django meet up

Presented at the London Django Meetup, February 2021


  1. How we made our Django app more secure and ISO 27001 compliant. By Viren Rajput, co-founder @Earthmiles
  2. Hacking the university webmaster portal for fun (Indian Express screenshot)
  3. Found a vulnerability in examination portals exposing the answers to MCQs
  4. ISO 27001 framework
     - Sets out the specification for an information security management system (ISMS)
     - Published by the International Organization for Standardization (ISO)
     - Best-practice approach to information security
     - "establish, implement, operate, monitor, review, maintain and continually improve"
  5. How the standard works
     - Systematically examine risks
     - Design and implement a suite of information security controls
     - Risk treatment to address risks that are deemed unacceptable
     - Adopt an overarching management process
     - Ensure that security controls continue to meet the organization's information security needs on an ongoing basis
  6. Risk method (diagram)
  7. Controls (ISO/IEC 27001:2013 Annex A, 14 domains)
     - A.5: Information security policies (2 controls)
     - A.6: Organization of information security (7 controls)
     - A.7: Human resource security (6 controls, applied before, during and after employment)
     - A.8: Asset management (10 controls)
     - A.9: Access control (14 controls)
     - A.10: Cryptography (2 controls)
     - A.11: Physical and environmental security (15 controls)
     - A.12: Operations security (14 controls)
     - A.13: Communications security (7 controls)
     - A.14: System acquisition, development and maintenance (13 controls)
     - A.15: Supplier relationships (5 controls)
     - A.16: Information security incident management (7 controls)
     - A.17: Information security aspects of business continuity management (4 controls)
     - A.18: Compliance, with internal requirements such as policies and with external requirements such as laws (8 controls)
  8. Fixing authentication
     - django-defender blocks brute-force login attempts
       - Rate limits based on IP address and username
       - Reverse proxy support
       - Can store login attempts in the database
       - Admin pages to view blocked usernames, IPs and attempts
       - Support for custom auth methods
     - Monitoring in place to raise alerts for suspicious activity by hooking into django-defender's signals
     - Considered: optional 2FA
  9. Client rate limiting
     - Throttle request rates using django-rest-framework
     - Different rates for authenticated users and anonymous clients
     - Scope-based throttles (analytics, uploads, profile, etc.)
  10. Keeping secrets safe
     - Dynaconf: easy and powerful settings configuration for Python
     - Strict separation of settings from code
     - Stores parameters in multiple file formats (.toml, .json, .yaml, .ini and .py)
     - Sensitive secrets like tokens and passwords can be kept in safe places such as a .secrets file or a Vault server
     - Simple feature-flag system
     - Strong support for Django and Flask
  11. Protecting the admin panel
     - Change the default URL from /admin to something random
     - Set up a dedicated admin panel server
     - Set up a dedicated OpenVPN server with a static IP
     - Allocated per-user accounts on the OpenVPN server
     - Used django-admin-ip-whitelist to restrict access to the staff admin panel server to the OpenVPN static IP
  12. Best practices
     - Use a supported, up-to-date Django version
     - Force HTTPS with permanent redirects
     - Use secure cookies: SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE
     - Handle uploads carefully (validate that files are what you expect)
     - Avoid raw queries and custom SQL
     - Review dependencies (tools such as Snyk)
     - Don't leave your cache, database, etc. exposed on a public-facing machine
  13. ISO 27001 benefits (diagram)
  14. Thank you! Twitter @Bkvirendra, GitHub @Bkvirendra
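As an added example that is not code from the talk, django-defender or django-rest-framework, the block below models the two mechanisms slides 8 and 9 delegate to those libraries: a login lockout keyed on both IP address and username with an alert hook standing in for django-defender's block signals, and a scoped request throttle with separate user and anonymous rates. The class names, limits, window sizes, sample addresses and usernames are all assumptions.

```python
"""Brute-force lockout and scoped request throttling, modelled on what the
talk delegates to django-defender (slide 8) and django-rest-framework
throttles (slide 9).  Framework-free example added here, not code from
either project: class names, limits, windows and sample data are assumptions."""
from collections import defaultdict, deque


class WindowCounter:
    """Counts events per key inside a sliding window of `window` seconds."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def hit(self, key, now):
        """Record one event for `key` at time `now`; return the count in the window."""
        q = self.events[key]
        q.append(now)
        while q and q[0] <= now - self.window:   # expire timestamps that fell out
            q.popleft()
        return len(q)

    def reset(self, key):
        self.events.pop(key, None)


class LoginGuard:
    """Lock out an IP address or a username after `limit` failed logins in
    `window` seconds.  `on_block` stands in for the ip_block / username_block
    signals the talk hooks alerting onto (assumed callback, kind and value)."""

    def __init__(self, limit=5, window=300, block_time=600, on_block=None):
        self.limit, self.block_time = limit, block_time
        self.failures = WindowCounter(window)
        self.blocked_until = {}                      # key -> unblock time
        self.on_block = on_block or (lambda kind, value: None)

    @staticmethod
    def _keys(ip, username):
        # Usernames compare case-insensitively so "Alice" cannot dodge the lock on "alice".
        return (("ip", ip), ("username", username.lower()))

    def is_blocked(self, ip, username, now):
        return any(now < self.blocked_until.get(k, 0) for k in self._keys(ip, username))

    def record_failure(self, ip, username, now):
        """Call after a failed login; returns True if this failure triggered a block."""
        triggered = False
        for key in self._keys(ip, username):
            if self.failures.hit(key, now) >= self.limit:
                self.blocked_until[key] = now + self.block_time
                self.on_block(*key)                     # alerting hook
                triggered = True
        return triggered

    def record_success(self, ip, username):
        """A successful login clears the counters so earlier typos don't accumulate."""
        for key in self._keys(ip, username):
            self.failures.reset(key)


class ScopedThrottle:
    """Per-scope request limits with separate rates for authenticated users
    and anonymous clients, keyed by user id or client IP respectively."""

    def __init__(self, rates):
        # rates = {scope: {"user": (limit, window), "anon": (limit, window)}}
        self.counters = {(scope, kind): (limit, WindowCounter(window))
                         for scope, kinds in rates.items()
                         for kind, (limit, window) in kinds.items()}

    def allow(self, scope, user_id, ip, now):
        kind, ident = ("anon", ip) if user_id is None else ("user", user_id)
        limit, counter = self.counters[(scope, kind)]
        return counter.hit((scope, ident), now) <= limit


def demo():
    """Constructed scenario; returns the decisions so they can be checked."""
    alerts = []
    guard = LoginGuard(limit=3, window=60, block_time=120,
                       on_block=lambda kind, value: alerts.append((kind, value)))
    t = 1_000.0
    for i in range(3):                    # three bad passwords for alice from one address
        guard.record_failure("198.51.100.7", "alice", t + i)
    throttle = ScopedThrottle({
        "uploads": {"user": (2, 60), "anon": (0, 60)},   # anonymous clients may not upload
        "profile": {"user": (100, 60), "anon": (10, 60)},
    })
    return {
        "blocked_now": guard.is_blocked("198.51.100.7", "alice", t + 3),
        "alice_elsewhere": guard.is_blocked("203.0.113.9", "Alice", t + 3),   # username lock
        "bob_elsewhere": guard.is_blocked("203.0.113.9", "bob", t + 3),
        "unblocked_later": guard.is_blocked("198.51.100.7", "alice", t + 200),
        "alerts": alerts,
        "anon_upload": throttle.allow("uploads", None, "203.0.113.9", t),
        "user_uploads": [throttle.allow("uploads", 42, "203.0.113.9", t + i) for i in range(3)],
    }


if __name__ == "__main__":
    print(demo())
```

The username lock is what stops a distributed attacker from rotating source addresses against one account, and the IP lock is what stops one address from spraying many accounts; both counters are needed, and the alert callback fires on whichever threshold trips first. Everything keyed on a client IP here is only as good as the client-IP resolution behind your reverse proxy.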

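The admin-panel restriction on slide 11 (allowing only the OpenVPN static IP through) and the "reverse proxy support" on slide 8 both depend on resolving the real client address correctly, which is the step most often got wrong behind a proxy. The following is an added example, not code from django-admin-ip-whitelist or the talk; the function names, the trusted-proxy range, the allowlisted VPN address and the sample headers are assumptions.

```python
"""Client-IP allowlist check for an admin host behind a reverse proxy, added
here to illustrate the restriction the talk applies with
django-admin-ip-whitelist (slide 11).  Not that package's code: the function
names, proxy range, VPN address and sample headers are assumptions."""
import ipaddress

# Assumed deployment: the admin host accepts connections only from its own
# reverse proxy, and the OpenVPN server's static egress IP is the only
# address allowed to reach the admin panel.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.45/32")]   # VPN static IP


def _in(addr, networks):
    return any(addr in net for net in networks)


def client_ip(remote_addr, x_forwarded_for=None):
    """Resolve the real client address (raises ValueError on malformed input).

    REMOTE_ADDR is the TCP peer and cannot be forged.  X-Forwarded-For is
    consulted only when that peer is a trusted proxy, and then it is read
    from the right: each trusted proxy appends the address it saw, while
    anything further left was supplied by the client and may be spoofed.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in(peer, TRUSTED_PROXIES) or not x_forwarded_for:
        return peer
    hops = [ipaddress.ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    for hop in reversed(hops):
        if not _in(hop, TRUSTED_PROXIES):
            return hop
    return peer    # every hop was a proxy of ours: no client address to trust


def admin_allowed(remote_addr, x_forwarded_for=None):
    """Allowlist decision for the admin panel; fails closed on bad input."""
    try:
        ip = client_ip(remote_addr, x_forwarded_for)
    except ValueError:
        return False
    return _in(ip, ADMIN_ALLOWLIST)


if __name__ == "__main__":
    # Constructed requests: (REMOTE_ADDR, X-Forwarded-For)
    for peer, xff in [("203.0.113.45", None),                      # VPN, direct
                      ("10.0.0.5", "203.0.113.45"),                 # VPN via proxy
                      ("10.0.0.5", "203.0.113.45, 198.51.100.8"),   # spoofed left-hand hop
                      ("198.51.100.8", "203.0.113.45")]:            # header from a non-proxy
        print(peer, xff, admin_allowed(peer, xff))
```

The third constructed request is the one to watch: a client that puts the VPN address in its own X-Forwarded-For header is still rejected, because the proxy appended the real source to the right of it and that is the hop the check uses. Whatever does the allowlisting (this helper, a middleware package, or the proxy itself) needs the same rule, otherwise the admin restriction is one forged header away from being bypassed.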