django Mass Assignment - Security Part 10 NB: This is the tenth post in a series of posts on web application security. “Mass assignment”? That’s a Rails thing! GitHub was the recent, high-profile target of an “attack”—it wasn’
django-nyc-security Intermission I sincerely hope to start the Advanced section of the security series tomorrow or Wednesday, but it’s been a full and hectic weekend and I didn’t have as much time to
django Stay Up to Date - Basic Security Part 9 NB: This is the ninth post in a series of posts on web application security. Rounding out this week is the last, but perhaps most important part of the basic security series: staying
click-jacking Click-Jacking and a little Phishing - Basic Security Part 8 NB: This is the eighth post in a series of posts on web application security. Click-jacking is a process of “stealing” clicks on your site, redirecting them to other places, either by using
django Server Configuration - Basic Security Part 7 NB: This is the seventh post in a series of posts on web application security. Configuring a server correctly is both 1) hard and 2) critical. You’ve probably spent a bunch of
django Session Fixation and Hijacking - Basic Security Part 6 NB: This is the sixth post in a series of posts on web application security. Don’t put session IDs in the URL. Django explicitly does not support this because it’s just
access control Access Control - Basic Security Part 5 NB: This is the fifth post in a series of posts on web application security. Proper access control is an absolutely key part of web app security and is easily overlooked—possibly because
django Injections, SQL and otherwise - Basic Security Part 4 NB: This is the fourth post in a series of posts on web application security. SQL Injection SQL injection is a vector that lets a user insert their own SQL into a statement
csrf CSRF: Cross-Site Request Forgeries - Basic Security Part 3 NB: This is the third post in a series of posts on web application security. The quintessential example of a CSRF (sometimes pronounced “sea-surf”) is a bank that naively does transfers over a
django XSS: Cross-Site Scripting - Basic Security Part 2 NB: This is the second post in a series of posts on web application security. XSS covers a number of various attacks, but the common thread is that someone gets to execute code
django Password Storage - Basic Security Part 1 NB-1: This is the first post in a series of posts on web application security. NB-2: Fred wrote a great post on password storage. You should read it. I’m assuming we’re
django Best Basic Security Practices (Especially with Django) Or: Locking Your Doors This goes along with a talk I gave at Django-NYC in July 2012, but is meant to stand on its own. It is the first in a series of