In the last few years, I’ve aimed to make security more accessible, understandable, and less scary for ordinary developers. I mostly focus on Python/Django and iOS. In 2012, I spoke about Django security at Djangocon EU. I wrote Erik’s Pony Checkup to help developers get quick and free basic checkups. Lately, I’ve been writing about security, ranging from the intricacies of cookie domains to a basic guide on when and how to deploy HTTPS. The latter made #1 on HackerNews some time ago, and I hope it helped many to improve their configuration.
Today, it’s time for the next step: I am launching Secure Django, where I’ll be offering in-depth security reviews for your Django projects. You’ll get your projects reviewed with specific Django expertise, with results that are understandable and actionable for any developer. And all with clear advance pricing.
Erik’s Pony Checkup will remain as it is, free and open source.
Perhaps it seems an odd choice to focus on security reviews for Django projects. Isn’t Django secure by default? Doesn’t Django protect developers from XSS, CSRF, SQL injection, clickjacking, session fixation, and many more issues? Yes, Django offers well designed protection methods for these issues. And, Django definitely makes it easy to write secure web applications.
However, Django can’t foresee everything. Are you vulnerable to the Heartbleed bug? Are you enforcing SSL correctly? Did you set the proper flags for your cookies? Did you remember to disable weak ciphers? How are you managing your secret keys? Are you sure you authorise users correctly? Are you generating a bit of HTML in your view, and using mark_safe to make sure it does not get auto-escaped? In general, that’s a good approach, but if any user-controlled value ends up inside that string you could also be introducing an XSS vulnerability. Is the Django ORM not powerful enough for a query, and you use raw() to write your own SQL? Not at all uncommon, but if you format the values into the query text instead of passing them as parameters you could be introducing a SQL injection.
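To make the two mistakes above concrete, here is an added example (not code from the original post or from Secure Django). It uses only the Python standard library so it runs without a Django project: `html.escape` stands in for what `format_html()` does before the result is marked safe, and an in-memory sqlite3 database with a constructed `auth_user` table stands in for a model queried through `raw()`. The user names, table contents and the injection payload are all made up for the demonstration; in real Django code the parameterised form is `Model.objects.raw(sql, [value])` with `%s` placeholders.

```python
import html
import sqlite3

# Constructed attacker-controlled input: a "display name" carrying a script payload.
EVIL_NAME = '<img src=x onerror="alert(1)">'

# Constructed attacker-controlled input: a classic tautology plus a comment marker.
INJECTION = "x' OR 1=1 --"


def greeting_unsafe(name: str) -> str:
    """The mark_safe anti-pattern: HTML built by string formatting and then
    declared safe, so the user-supplied name is never escaped."""
    # In a Django view this string would be wrapped in mark_safe() and rendered as-is.
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name: str) -> str:
    """Equivalent of format_html('<p>Hello, {}!</p>', name): escape every
    interpolated value; only the surrounding markup you wrote is trusted."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for Django's auth_user table (two rows, one staff)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT, is_staff INTEGER);
        INSERT INTO auth_user VALUES (1, 'alice', 0), (2, 'admin', 1);
        """
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The raw() anti-pattern: the value is pasted into the SQL text itself,
    so quotes and comment markers in it change the query's structure."""
    sql = (
        "SELECT id, username FROM auth_user "
        f"WHERE username = '{username}' AND is_staff = 0"
    )
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Equivalent of Model.objects.raw(sql, [username]): the value travels as a
    bound parameter and can never be parsed as SQL."""
    sql = "SELECT id, username FROM auth_user WHERE username = ? AND is_staff = 0"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    print("unsafe HTML :", greeting_unsafe(EVIL_NAME))
    print("safe HTML   :", greeting_safe(EVIL_NAME))
    db = build_db()
    # The injected input defeats the is_staff filter and returns the admin row too.
    print("unsafe SQL  :", find_user_unsafe(db, INJECTION))
    # The parameterised query simply finds no user with that odd name.
    print("safe SQL    :", find_user_safe(db, INJECTION))
```

Running it shows the escaped `&lt;img ...&gt;` in the safe greeting, and that the injected name makes the string-formatted query return both rows (the `AND is_staff = 0` clause is commented out by the `--`), while the parameterised query returns nothing. The rule of thumb for both cases is the same: mark up or query with a fixed template you wrote, and let the library escape or bind every value that came from outside.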
In other words, Django provides an excellent start, preventing many of the basic mistakes in security. But with the requirements of modern web applications, the fact that you’re using Django does not guarantee safety by itself. Would you like to know more about the security of your project? Set up your Secure Django review today. See an example first? Have a look at the sample report.
Needless to say, the Secure Django site itself meets all recommendations I might make. Do you think you found a vulnerability anyway? See the responsible disclosure policy.