
    Philip James

    Bio

    Philip is a Senior Software Engineer at Eventbrite. In his spare time, he writes novels, makes twitter bots, and gives technical talks. He used to run a webcomic, but there's just no money in it, you know? Philip is a refugee from the video games industry, and wishes anyone still there the best of luck. Philip has spoken at conferences about Python, Django, Node.js, and Linux. Philip believes in the web.

    Aug 21 1:15p - 2:05p, Robertson 3
    Safe-ish By Default: The Django Security Model and How to Make it Better

    Security, Intermediate


    Description

    Come join us by the fire as we have Security Story Time with our friends, Frog and Toad. With them, you'll learn about all the things Django does to protect users and developers out of the box. We'll look at simplified code samples from the Django codebase to see what's happening under the hood, and cover how to make the Django security model even stronger in your application.


    Abstract

    Introduction. Philip James, how long I’ve worked with Python and Django, background at EB

    Introduction to the story, and the characters. Safe-ish: Talk about Django’s Security Model and how it tries to provide sane defaults for developers

    Run-through of the parts of the Django security model:

    * XSS (brief definition). How do you turn it off? Mark Safe, | n, safe
    * CSRF (brief definition). Django has middleware that checks POST requests for a token. The token is stored in a cookie, also. Side-effect: harder to use from JS. Also, only an issue if you’re already owned, so maybe not an issue? How to get around it? csrf_exempt
    * SQLi (brief definition). Django’s ORM makes clean SQL (even when given bad data?). How? How to get around it: extra()/RawSQL()
    * Clickjacking protection (brief definition). Django has middleware that sets headers browsers are supposed to respect. How to get around it: xframe_options_exempt, xframe_options_deny, xframe_options_sameorigin
    * HTTPS. This one is less "out of the box" than the others, so won’t be talked about here.
    * Host Header Validation (brief definition). Django verifies against allowed hosts in settings. How? get_host()
    * Session security. What are Django sessions? Cookie-based by design. How can we make this better?
    * Overall: Vigilance. Be aware of uses of this within your product
    * HTTPS: Use it! Set the correct settings. SECURE_SSL_REDIRECT: How does it work?
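    To make the "set the correct settings" items concrete, here is an added example (not code from the talk, and not Django's own) that audits a Django settings module for the protections the outline names: the CSRF and clickjacking middleware, ALLOWED_HOSTS behind get_host(), SECURE_SSL_REDIRECT, and the session/CSRF cookie flags. The two sample settings dicts and the finding messages are constructed for illustration.

```python
"""Audit Django settings for the defaults the talk outline covers.

Settings are passed as a plain dict (what a Django settings module would
hold), so the audit runs without Django installed.
"""

# Real Django import paths for the middleware behind the CSRF token check
# and the X-Frame-Options header the outline mentions.
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"


def audit_settings(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # Django 1.10+ uses MIDDLEWARE; older projects use MIDDLEWARE_CLASSES.
    mw = settings.get("MIDDLEWARE") or settings.get("MIDDLEWARE_CLASSES") or []
    if CSRF_MW not in mw:
        findings.append("CsrfViewMiddleware missing: POST requests are not checked for a CSRF token")
    if XFRAME_MW not in mw:
        findings.append("XFrameOptionsMiddleware missing: no X-Frame-Options header is set")
    # get_host() validates the Host header against ALLOWED_HOSTS; "*" turns that check off.
    hosts = settings.get("ALLOWED_HOSTS", [])
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS is empty or contains '*': Host header validation is off")
    if not settings.get("SECURE_SSL_REDIRECT", False):
        findings.append("SECURE_SSL_REDIRECT is False: plain-HTTP requests are not redirected to HTTPS")
    # Session and CSRF cookies travel over plain HTTP unless marked Secure.
    for name in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(name, False):
            findings.append(f"{name} is False: cookie can be sent over plain HTTP")
    if not settings.get("SESSION_COOKIE_HTTPONLY", True):
        findings.append("SESSION_COOKIE_HTTPONLY is False: session cookie is readable from JavaScript")
    return findings


# Constructed sample settings: a weak project next to a hardened one.
WEAK_SETTINGS = {
    "ALLOWED_HOSTS": ["*"],
    "MIDDLEWARE": ["django.middleware.common.CommonMiddleware"],
}
HARDENED_SETTINGS = {
    "ALLOWED_HOSTS": ["example.com"],
    "MIDDLEWARE": ["django.middleware.common.CommonMiddleware", CSRF_MW, XFRAME_MW],
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
}
```

    Running audit_settings(WEAK_SETTINGS) reports six findings, while the hardened dict reports none.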

    Other things

