How we made our Django app more secure and ISO 27001 compliant
By Viren Rajput, co-founder @Earthmiles
Hacking the university webmaster portal for fun
Indian Express screenshot
Found vulnerability in examination portals exposing answers to MCQs
ISO 27001 Framework
● Sets out the specification for an information security management system (ISMS)
● Published by the International Organization for Standardization (ISO)
● Best-practice approach for information security
● “establish, implement, operate, monitor, review, maintain and continually improve”
How the standard works
● Systematically examine risks
● Design and implement a suite of information security controls
● Risk treatment to address risks that are deemed unacceptable
● Adopt an overarching management process
● Ensure that security controls continue to meet the information security needs of the organization on an ongoing basis
Risk Method
Controls
A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security - 6 controls that are applied before, during, or after employment
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
Fixing Authentication
- django-defender blocks brute-force login attempts
  - Rate limits failed attempts by IP and by username
  - Reverse proxy support (reads the client IP from the forwarded header; only enable it when the app really sits behind a proxy you control, otherwise the header can be spoofed to dodge the lockout)
  - Can store login attempts in the database
  - Admin pages to view blocked usernames, IPs and attempts
  - Supports custom auth methods
- Monitoring in place to raise alerts for suspicious activity by hooking into django-defender signals
- Considered: optional 2FA
Client Rate Limiting
- Throttle request rates using Django REST framework's throttling classes
- Different rates for authenticated users and anonymous clients (UserRateThrottle / AnonRateThrottle)
- Scope-based throttles (ScopedRateThrottle) with separate rates for analytics, uploads, profile, etc.
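The slide only names the throttle classes. The block below, added here and not part of the deck, shows what the configuration looks like and how the rate check behaves. The REST_FRAMEWORK dict uses the real DRF setting names; the scope names other than "anon" and "user" and the rate values are assumptions for this example. Because DRF needs a Django project to run, the class below re-implements DRF's SimpleRateThrottle sliding-window algorithm in plain Python so it can be executed on its own.

```python
"""Scope-based request throttling in the style of Django REST framework.

REST_FRAMEWORK is a settings.py fragment with DRF's real keys. The
SlidingWindowThrottle class is a plain-Python re-implementation of the
algorithm behind DRF's SimpleRateThrottle, written for this example.
"""
import time
from collections import defaultdict

# settings.py fragment. "anon" and "user" are the scopes DRF's built-in
# throttles use; "analytics", "uploads" and "profile" are assumed scope names
# that views would select with `throttle_scope = "uploads"` and so on.
REST_FRAMEWORK = {
    "DEFAULT_THROTTLE_CLASSES": [
        "rest_framework.throttling.AnonRateThrottle",
        "rest_framework.throttling.UserRateThrottle",
        "rest_framework.throttling.ScopedRateThrottle",
    ],
    "DEFAULT_THROTTLE_RATES": {
        "anon": "20/minute",
        "user": "200/minute",
        "analytics": "60/minute",
        "uploads": "5/minute",
        "profile": "30/minute",
    },
}

_PERIODS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(rate):
    """'5/minute' -> (5, 60). Like DRF, only the first letter of the period matters."""
    num, period = rate.split("/")
    return int(num), _PERIODS[period[0]]


class SlidingWindowThrottle:
    """Keep, per (scope, identity), the timestamps of the most recent requests
    inside the window; refuse a request once the window holds `num` of them."""

    def __init__(self, rates, clock=time.monotonic):
        self.rates = {scope: parse_rate(r) for scope, r in rates.items()}
        self.history = defaultdict(list)  # newest timestamp first
        self.clock = clock

    @staticmethod
    def identity(user_id, client_ip):
        # Authenticated clients are keyed by user id, anonymous ones by IP:
        # the same split DRF makes between UserRateThrottle and AnonRateThrottle.
        return f"user:{user_id}" if user_id is not None else f"ip:{client_ip}"

    def allow(self, scope, user_id=None, client_ip=None):
        num, duration = self.rates[scope]
        key = (scope, self.identity(user_id, client_ip))
        now = self.clock()
        hist = self.history[key]
        while hist and hist[-1] <= now - duration:  # drop aged-out entries
            hist.pop()
        if len(hist) >= num:
            return False
        hist.insert(0, now)
        return True

    def wait_seconds(self, scope, user_id=None, client_ip=None):
        """Seconds until the oldest entry leaves the window (for a Retry-After header)."""
        num, duration = self.rates[scope]
        hist = self.history[(scope, self.identity(user_id, client_ip))]
        if len(hist) < num:
            return 0.0
        return max(0.0, duration - (self.clock() - hist[-1]))


def demo():
    """Five uploads by user 42 pass, the sixth is refused, another user is
    unaffected, and the window clears after a minute. Uses a fake clock."""
    t = [1000.0]
    throttle = SlidingWindowThrottle(REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"],
                                     clock=lambda: t[0])
    results = [throttle.allow("uploads", user_id=42) for _ in range(6)]
    other_user = throttle.allow("uploads", user_id=7)
    t[0] += 61
    after_wait = throttle.allow("uploads", user_id=42)
    return results, other_user, after_wait
```

The scope is part of the key, so exhausting the uploads budget does not touch the same user's analytics or profile budget, which is why per-scope rates are preferable to one global limit.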
Keeping secrets safe
- Dynaconf: easy and powerful settings configuration for Python
- Strict separation of settings from code
- Store parameters in multiple file formats (.toml, .json, .yaml, .ini and .py)
- Sensitive secrets like tokens and passwords live in safer places such as a .secrets file (kept out of version control) or a vault server
- Simple feature-flag system
- Strong support for Django and Flask
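To make the separation concrete, here is an added example (not from the deck, and not Dynaconf's code or API) of the layering Dynaconf performs: a committed settings file, an uncommitted .secrets file, then environment variables overriding both, plus a start-up audit that refuses placeholder or misplaced secrets. The file names, the EARTHMILES_ prefix and the sample values are assumptions; the files are created in a temporary directory so the block runs offline.

```python
"""Settings/secrets layering in the style of Dynaconf, in plain Python.

Precedence, lowest first: settings.json (committed) -> .secrets.json (never
committed) -> environment variables with the EARTHMILES_ prefix. This is an
illustration of the pattern, not Dynaconf itself.
"""
import json
import tempfile
from pathlib import Path

ENV_PREFIX = "EARTHMILES_"  # assumed prefix for this example
REQUIRED_SECRETS = ("SECRET_KEY", "DATABASE_PASSWORD")
PLACEHOLDERS = {"", "changeme", "replace-me", "xxx"}


def load_settings(project_dir, environ):
    """Merge the layers; a later layer overrides an earlier one key by key."""
    project_dir = Path(project_dir)
    merged = {}
    for name in ("settings.json", ".secrets.json"):
        path = project_dir / name
        if path.exists():
            merged.update(json.loads(path.read_text()))
    for key, value in environ.items():
        if key.startswith(ENV_PREFIX):
            merged[key[len(ENV_PREFIX):]] = value
    return merged


def audit_settings(project_dir, settings):
    """Problems that should stop the app from starting (empty list = fine)."""
    problems = []
    committed = json.loads((Path(project_dir) / "settings.json").read_text())
    for name in REQUIRED_SECRETS:
        if name in committed:
            problems.append(f"{name} is in the committed settings file")
        if str(settings.get(name, "")) in PLACEHOLDERS:
            problems.append(f"{name} is missing or a placeholder")
    if str(settings.get("DEBUG", "false")).lower() == "true":
        problems.append("DEBUG must be off in production")
    return problems


def demo(override_secret=True):
    """Build a sample project: a placeholder SECRET_KEY in .secrets.json that
    the environment overrides when override_secret is True. Values are constructed."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "settings.json").write_text(json.dumps(
            {"DEBUG": False, "ALLOWED_HOSTS": ["app.example.com"]}))
        (Path(d) / ".secrets.json").write_text(json.dumps(
            {"SECRET_KEY": "changeme", "DATABASE_PASSWORD": "s3cr3t"}))
        env = {"PATH": "/usr/bin"}  # unrelated variables must not leak in
        if override_secret:
            env["EARTHMILES_SECRET_KEY"] = "env-override-key"
        settings = load_settings(d, env)
        return settings, audit_settings(d, settings)
```

The audit is the part worth keeping regardless of which settings library you use: a secret that is present but still equal to its placeholder passes every "is it set?" check and fails only when someone looks at the value.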
Protecting the admin panel
- Changed the default URL from /admin to something random (this only hides the panel from casual scanners; it is obscurity, not access control, so the steps below do the real work)
- Set up a dedicated admin panel server
- Set up a dedicated OpenVPN server with a static IP
- Allotted user accounts on the OpenVPN server
- Used django-admin-ip-whitelist to restrict access to the staff admin panel server to the OpenVPN static IP
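Both the django-defender lockout on the Fixing Authentication slide and the IP allow-list on this slide stand or fall on one question: which address is the client's? Behind a reverse proxy, the TCP peer is the proxy, and X-Forwarded-For is attacker-controlled unless it was written by a proxy you trust. The block below is an added illustration (not django-defender's or django-admin-ip-whitelist's code) of that decision, the allow-list check, and a per-IP and per-username lockout that fires an alert callback the way a django-defender signal handler would. The proxy and VPN addresses, thresholds and request values are constructed for the example.

```python
"""Client-IP resolution behind a reverse proxy, admin allow-listing on the
resolved address, and brute-force lockout per IP and per username.

Plain-Python illustration; addresses and limits are assumed values.
"""
import ipaddress
import time
from collections import defaultdict

# Assumed deployment facts: the OpenVPN server's static egress address and the
# reverse proxy that terminates TLS in front of Django.
ADMIN_ALLOWED_NETS = [ipaddress.ip_network("198.51.100.7/32")]
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def client_ip(remote_addr, x_forwarded_for=None):
    """Address to treat as the client.

    X-Forwarded-For is honoured only when the TCP peer is one of our proxies;
    otherwise anyone can set it and walk straight through an IP allow-list.
    Our proxy appends the address it saw, so the client is the last element.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer in TRUSTED_PROXIES and x_forwarded_for:
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        try:
            return ipaddress.ip_address(hops[-1])
        except (ValueError, IndexError):
            pass  # malformed header: fall back to the peer address
    return peer


def admin_allowed(remote_addr, x_forwarded_for=None):
    """Gate for the staff admin server: only the VPN egress may reach it."""
    ip = client_ip(remote_addr, x_forwarded_for)
    return any(ip in net for net in ADMIN_ALLOWED_NETS)


class LoginLockout:
    """Count failed logins per IP and per username inside `window` seconds;
    lock the key for `cooloff` seconds once `limit` failures accumulate."""

    def __init__(self, limit=5, window=300, cooloff=900,
                 clock=time.monotonic, on_lockout=None):
        self.limit, self.window, self.cooloff = limit, window, cooloff
        self.clock = clock
        self.failures = defaultdict(list)  # key -> failure timestamps
        self.locked_until = {}             # key -> unlock time
        self.on_lockout = on_lockout or (lambda key, attempts: None)

    @staticmethod
    def _keys(ip, username):
        return (f"ip:{ip}", f"user:{username}")

    def is_locked(self, ip, username):
        now = self.clock()
        return any(self.locked_until.get(k, 0) > now for k in self._keys(ip, username))

    def record_failure(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username):
            hist = [t for t in self.failures[key] if t > now - self.window] + [now]
            self.failures[key] = hist
            if len(hist) >= self.limit and self.locked_until.get(key, 0) <= now:
                self.locked_until[key] = now + self.cooloff
                self.on_lockout(key, len(hist))  # monitoring hook: page someone

    def record_success(self, ip, username):
        # Clear only the username counter: one correct guess should not
        # unlock an address that is still spraying other accounts.
        self.failures.pop(f"user:{username}", None)


def demo():
    """Three failures against 'alice' via the proxy lock both the source IP
    and the username; the lock expires after the cool-off. Fake clock."""
    alerts, t = [], [0.0]
    lock = LoginLockout(limit=3, clock=lambda: t[0],
                        on_lockout=lambda key, n: alerts.append(key))
    attacker = client_ip("10.0.0.2", "203.0.113.77")
    for _ in range(3):
        lock.record_failure(attacker, "alice")
    locked = lock.is_locked(attacker, "alice")
    other_ip_locked = lock.is_locked(ipaddress.ip_address("198.51.100.7"), "alice")
    t[0] += 901
    return locked, other_ip_locked, lock.is_locked(attacker, "alice"), alerts
```

Locking on the username as well as the IP is what defeats a distributed guess against one account, and it is also what makes the monitoring hook useful: a "user:" lockout from many addresses is a different incident from a single noisy IP.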
Best practices
- Run a supported Django release and apply security releases promptly
- Force HTTPS with permanent redirects (SECURE_SSL_REDIRECT)
- Use secure cookies: SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE
- Handle uploads carefully (validate that files are what you expect, not just what their name or Content-Type claims)
- Avoid raw queries and hand-written SQL; where unavoidable, pass parameters separately instead of formatting them into the query string
- Review dependencies for known vulnerabilities (tools like Snyk)
- Don’t leave your cache, DB, etc. exposed on a public-facing machine
- manage.py check --deploy flags most of the settings above when they are missing
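"Validate that files are what you expect" is the one item on this slide that needs more than a setting. The added example below (not from the deck, and framework-free so it runs on its own) checks that the declared content type, the extension and the file's leading bytes all agree, caps the size, throws away the client-supplied path, and stores under a generated name. The allowed types, size limit and sample payloads are constructed for the example.

```python
"""Upload validation: the declared type, the extension and the magic bytes must
all agree, the size must be within limits, and the client's file name is never
used for storage. Plain-Python illustration; limits and types are assumed.
"""
import os
import secrets

MAX_BYTES = 5 * 1024 * 1024  # assumed limit for this example

# content type -> (allowed extensions, accepted leading bytes)
ALLOWED = {
    "image/png": ({".png"}, [b"\x89PNG\r\n\x1a\n"]),
    "image/jpeg": ({".jpg", ".jpeg"}, [b"\xff\xd8\xff"]),
    "application/pdf": ({".pdf"}, [b"%PDF-"]),
}


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def validate_upload(filename, content_type, data, max_bytes=MAX_BYTES):
    """Return a safe storage name for the file, or raise UploadRejected."""
    if len(data) > max_bytes:
        raise UploadRejected("too large")
    if content_type not in ALLOWED:
        raise UploadRejected(f"type not allowed: {content_type}")
    exts, magics = ALLOWED[content_type]
    # Keep only the base name: "../../etc/passwd.png" or a Windows path
    # must never influence where the file lands.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in exts:
        raise UploadRejected(f"extension {ext!r} does not match {content_type}")
    # The browser's Content-Type and the extension are both client-controlled;
    # the leading bytes are the first thing that is actually about the file.
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("file signature does not match declared type")
    # Store under a random name with only the vetted extension, so the client
    # can neither pick the name nor smuggle a second extension (shell.php.png).
    return secrets.token_hex(16) + ext


def reason(filename, content_type, data):
    """None when the upload is accepted, otherwise the rejection reason."""
    try:
        validate_upload(filename, content_type, data)
    except UploadRejected as exc:
        return str(exc)
    return None


# Constructed sample payloads.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n"
```

Magic-byte checks are a floor, not a full parser: a file can carry a valid PNG header and still be hostile to the image library that decodes it, so keep the decoder patched and, for images, re-encode on the server rather than serving the original bytes.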
ISO 27001 Benefits
Thank you!
Twitter @Bkvirendra
Github @Bkvirendra

ISO 27k talk for django meet up


Speaker notes

  1. I am Viren, I work on Earthmiles where I essentially do full-stack development with Django/React/React Native. Earthmiles provides a comprehensive wellbeing engagement platform designed to motivate healthy living. It is mobile-only for users, with gamified features and a variety of behavioural psychology levers. In this talk I will be talking about some of the things we did to make our Django web app compliant with ISO 27001 (the framework for information security management systems). You do not necessarily need to be going for ISO certification; I will take you through the core bits needed to understand its importance so that the rest is more relevant. The generic security bits here should be applicable to most Django apps that are in production. Being a SaaS product selling to large corporate clients, we found ourselves needing to get this certification. Django is as secure as any web framework can be. It provides tools and documented guidelines to prevent the common mistakes that cause security problems (CSRF, XSS, etc.). However, a tool in itself cannot be "secure". The security of the whole platform depends on the proper use of the tools you choose, and so is more a matter of developer skill. No matter the size of your company or the industry you work in, gaining ISO 27001 certification can be a huge win. However, it is a challenging task, so it is important to leverage other stakeholders and resources during a compliance project.
  2. To give you an idea of where I am coming from: I am in no way a security expert, but I have had my fair share of fun hacking on systems, mostly to test my skills. While at university I managed to get into the university servers with a SQL injection. This is a screenshot from the local newspaper that covered the story about a kid hacking into systems.
  3. This exploit was crucial because the portal was being used for online semester exams, and it could be exploited using just Chrome and the network inspector: a deeply nested JSON payload contained the answers. I sent them video evidence of the bug to get their attention. These are just some examples of rather poor information security implementation on the part of these organisations, which could be so easily exploited by a first- or second-year student.
  4. ISO/IEC 27001:2013 is the international standard that sets out the specification for an information security management system (ISMS). Its best-practice approach helps organisations manage their information security by addressing people and processes as well as technology. ISO 27001 is a framework that helps organisations "establish, implement, operate, monitor, review, maintain and continually improve an ISMS". The CIA triad (also called the CIA triangle) is the guide for measures in information security: it names the three fundamental goals every security measure must serve, and it shapes how information technology is used. Confidentiality is the protection of information from unauthorised access; it requires measures to ensure that only authorised people are allowed to access the information. Integrity is the condition where information is kept accurate and consistent unless authorised changes are made; information can change because of careless access and use, errors in the information system, or unauthorised access and use. Availability is the situation where information is available when and where it is rightly needed; the main concern is that information is reachable when authorised users need it, which holds only when all components of the information system are working properly.
  5. Most organisations have a number of information security controls. Without an information security management system (ISMS), however, those controls tend to be disorganised and disjointed, having been implemented as point solutions to specific situations or simply as a matter of convention. ISO/IEC 27001 requires that management:
     - systematically examine the organisation's information security risks, taking account of the threats, vulnerabilities and impacts;
     - design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
     - adopt an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis.
     Note that ISO/IEC 27001 is designed to cover much more than just IT. An ISMS may be certified compliant with ISO/IEC 27001 by a number of accredited registrars worldwide upon successful completion of the audit.
  6. Key assets are identified in a brainstorming session and grouped where appropriate. The risk acceptance criterion is set at Risk Level 2, on a range from Risk Level 1 (lowest) to Risk Level 5 (highest). The risk formula chosen is R = I + L - 1, where I is the impact and L the likelihood. The impact of each key asset being compromised is estimated using the matrix on the slide, defaulting to the highest level across the three parameters (confidentiality, integrity and availability).
  7. Annex A of ISO 27001:2013 describes how an organisation can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls. It provides an essential tool for managing information security risks: a list of security controls (or safeguards) that are to be used to improve the security of information assets. There are 114 controls in 14 groups and 35 control categories:
     - A.5 Information security policies: controls on how the policies are written and reviewed
     - A.6 Organization of information security: controls on how responsibilities are assigned; also includes the controls for mobile devices and teleworking
     - A.7 Human resources security: controls prior to, during and after employment
     - A.8 Asset management: controls related to the inventory of assets and acceptable use; also information classification and media handling
     - A.9 Access control: controls for the management of access rights of users, systems and applications, and for the management of user responsibilities
     - A.10 Cryptography: controls related to encryption and key management
     - A.11 Physical and environmental security: controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
     - A.12 Operations security: many controls related to the management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
     - A.13 Communications security: controls related to network security, segregation, network services, transfer of information, messaging, etc.
     - A.14 System acquisition, development and maintenance: controls defining security requirements, and security in development and support processes
     - A.15 Supplier relationships: controls on what to include in agreements, and how to monitor the suppliers
     - A.16 Information security incident management: controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
     - A.17 Information security aspects of business continuity management: controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
     - A.18 Compliance: controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security
  8. Breaches have become increasingly common and frequent. Just last week, a new database with more than 3.2 billion unique pairs of cleartext emails and passwords was leaked on a popular public hacking forum, aggregating past leaks from Netflix, LinkedIn and more. This leak is comparable to the Breach Compilation of 2017, in which 1.4 billion credentials were leaked; the current one, known as the "Compilation of Many Breaches" (COMB), contains more than double the number of unique email and password pairs. The impact on consumers and businesses may be unprecedented: because the majority of people reuse their passwords and usernames across multiple accounts, credential stuffing attacks are the biggest threat.
  9. Django provides a lot of security features baked in, but the authentication system does not inherently protect against brute-force attacks. Scenario: credential stuffing, the use of lists of known passwords, is a common attack. If an application does not implement automated-threat or credential-stuffing protections, it can be used as a password oracle to determine whether the credentials are valid. This is something we have faced a couple of times in the past: attackers using random IPs throughout the world to bombard us with login requests that contained stolen email/password pairs. We tackled this by implementing a combination of several things to target this risk. django-defender is a simple Django reusable app that blocks people from brute-forcing login attempts. It keeps its counters in Redis so that the check is as fast as possible and we do not slow down legitimate logins. How django-defender works when someone tries to log in:
     1. Check whether they are currently blocked, by the username they are trying to use as well as by the IP address. If blocked, go to step 5; if not, go to step 2.
     2. Not blocked, so check whether the login was valid. If valid, go to step 6; if not, go to step 3.
     3. The login attempt was not valid. Record the username and IP address for this attempt in the cache. If this brings them over the limit, add them to the blocked list and go to step 5; if not, go to step 4.
     4. Login was invalid but under the limit: send them back to the login screen to try again.
     5. User is blocked: send them to the blocked page, telling them they are blocked, with an estimate of when they will be unblocked.
     6. Login is valid: reset any failed login attempts and forward them to their destination.
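The six-step flow above, as an added example written for this page (it is not django-defender's own code): an in-memory dict stands in for the Redis cache django-defender uses, and the class name, the limit of 5 failures and the 10-minute cool-off are assumptions. Both the username and the IP are counted, so an attacker rotating IPs against one account and a single IP spraying many accounts are both caught, and a correct password submitted during a block is still refused (step 1 runs before the password check).

```python
import time

FAILURE_LIMIT = 5       # failed attempts allowed before a block (assumed value)
COOLOFF_SECONDS = 600   # how long a block lasts (assumed value)


class LoginGuard:
    """Username + IP lockout following the six steps django-defender takes on login."""

    def __init__(self, limit=FAILURE_LIMIT, cooloff=COOLOFF_SECONDS, clock=time.time):
        self.limit = limit
        self.cooloff = cooloff
        self.clock = clock        # injectable so block expiry can be exercised
        self.failures = {}        # key -> failed attempt count (the "cache")
        self.blocked = {}         # key -> timestamp at which the block lapses

    @staticmethod
    def _keys(username, ip):
        # Both identifiers are tracked: rotating IPs against one account and
        # spraying many accounts from one IP are both caught.
        return (f"user:{username.lower()}", f"ip:{ip}")

    def _is_blocked(self, key):
        until = self.blocked.get(key)
        if until is None:
            return False
        if self.clock() >= until:        # block has lapsed: clean up and allow
            del self.blocked[key]
            self.failures.pop(key, None)
            return False
        return True

    def seconds_until_unblocked(self, username, ip):
        """Step 5's estimate: 0 when not blocked, else the longest remaining cool-off."""
        remaining = [self.blocked[k] - self.clock()
                     for k in self._keys(username, ip) if self._is_blocked(k)]
        return max(remaining, default=0)

    def attempt(self, username, ip, credentials_valid):
        """Return 'blocked', 'ok' or 'invalid' for one login attempt."""
        keys = self._keys(username, ip)
        # Step 1: a blocked username or IP never reaches the password check,
        # so the guard stays cheap under a flood of requests.
        if any(self._is_blocked(k) for k in keys):
            return "blocked"
        # Steps 2 and 6: a valid login resets the failure counters.
        if credentials_valid:
            for k in keys:
                self.failures.pop(k, None)
            return "ok"
        # Step 3: record the failure; crossing the limit blocks that key.
        for k in keys:
            self.failures[k] = self.failures.get(k, 0) + 1
            if self.failures[k] >= self.limit:
                self.blocked[k] = self.clock() + self.cooloff
        if any(k in self.blocked for k in keys):
            return "blocked"      # step 5 applies from now on
        return "invalid"          # step 4: back to the login form
```

In production the two dicts must live in a shared store such as Redis, otherwise each worker process keeps its own counters and an attacker spread across workers never reaches the limit.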
  10. Performance is not the only reason to limit API requests. API limiting, also known as rate limiting, is an essential component of Internet security, as DoS attacks can tank a server with unlimited API requests. Rate limiting also helps make your API scalable: if your API blows up in popularity, there can be unexpected spikes in traffic, causing severe lag. In Django REST framework, throttling is similar to permissions in that it determines whether a request should be authorised; throttles indicate a temporary state and are used to control the rate of requests that clients can make to an API. As with permissions, multiple throttles may be used: your API might have a restrictive throttle for unauthenticated requests and a less restrictive throttle for authenticated requests. The X-Forwarded-For HTTP header and the REMOTE_ADDR WSGI variable are used to identify client IP addresses for throttling: if the X-Forwarded-For header is present it is used, otherwise the value of REMOTE_ADDR from the WSGI environment. Caveat: any client can set X-Forwarded-For itself, so with that default an attacker who sends a fresh random header on every request gets a fresh throttle key every time. Set NUM_PROXIES in the REST_FRAMEWORK settings to the number of proxies actually in front of the app, so that only the addresses your own proxies appended are trusted. AnonRateThrottle only ever throttles unauthenticated users; the IP address of the incoming request is used to generate the throttle key. UserRateThrottle throttles users to a given rate of requests across the API; the user id is used to generate the key, and unauthenticated requests fall back to the IP address of the incoming request. UserRateThrottle is suitable if you want simple global rate restrictions per user. ScopedRateThrottle can be used to restrict access to specific parts of the API; it is only applied if the view being accessed has a .throttle_scope attribute, and the throttle key is formed by concatenating the scope of the request with the user id or IP address.
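A worked example of the X-Forwarded-For caveat, added for this page (it is not DRF's code, although client_ident follows the rule DRF documents for NUM_PROXIES): the ScopedThrottle class, the "login" and "api" scope names, the rates, and the WSGI environ dicts in the test are assumptions. The first throttle reproduces the default behaviour and is evaded by a spoofed header; the second trusts exactly one proxy and keys on the address that proxy appended.

```python
import time


def client_ident(environ, num_proxies=None):
    """Address to throttle on, from a WSGI environ (request.META in Django).

    num_proxies=None reproduces DRF's default: the whole X-Forwarded-For
    value becomes the key, so a client that writes a fresh random header on
    every request is never throttled. With num_proxies=N only the N rightmost
    entries, the ones our own proxies appended, are trusted, and the key is
    the address the outermost trusted proxy saw connecting.
    """
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    remote_addr = environ.get("REMOTE_ADDR")
    if num_proxies is None:
        return "".join(xff.split()) if xff else remote_addr
    if num_proxies == 0 or not xff:
        return remote_addr
    addrs = [a.strip() for a in xff.split(",")]
    return addrs[-min(num_proxies, len(addrs))]


def parse_rate(rate):
    """'3/min' -> (3, 60): DRF's rate string format (second/minute/hour/day)."""
    num, period = rate.split("/")
    return int(num), {"s": 1, "m": 60, "h": 3600, "d": 86400}[period[0]]


class ScopedThrottle:
    """Fixed-window counter per (scope, identity), in the spirit of ScopedRateThrottle."""

    def __init__(self, rates, num_proxies=None, clock=time.time):
        self.rates = {scope: parse_rate(r) for scope, r in rates.items()}
        self.num_proxies = num_proxies
        self.clock = clock
        self.windows = {}   # (scope, ident) -> (window start, requests so far)

    def allow(self, scope, environ, user_id=None):
        """True if the request fits in the window, False if it should get a 429."""
        limit, period = self.rates[scope]
        # Logged-in users are keyed on their id, anonymous ones on the client
        # address: the same fallback UserRateThrottle uses.
        if user_id is not None:
            ident = f"user:{user_id}"
        else:
            ident = f"ip:{client_ident(environ, self.num_proxies)}"
        key = (scope, ident)
        now = self.clock()
        start, count = self.windows.get(key, (now, 0))
        if now - start >= period:       # window rolled over
            start, count = now, 0
        if count >= limit:
            self.windows[key] = (start, count)
            return False
        self.windows[key] = (start, count + 1)
        return True
```

The same rule applies to anything else that reads a client address from headers (audit logs, geo checks, the admin allowlist): trust only the hops your own infrastructure adds.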
  11. Use a private repository if your project is sensitive, but it is never good practice to check your secrets into version control, even in a private repository. This is a fairly common issue: for years, developers have been mistakenly publishing credentials that grant access to myriad systems, such as databases, web hosting accounts, encrypted email, Slack bots and various apps. It is an easy mistake to make, and it can lead to catastrophic breaches, particularly when the credentials unlock systems that are crucial to business functions. Apps sometimes store config as constants in the code. This is a violation of the twelve-factor methodology, which requires strict separation of config from code: config varies substantially across deploys, code does not. A litmus test for whether an app has all config correctly factored out of the code is whether the codebase could be made open source at any moment without compromising any credentials. dynaconf is a layered configuration system for Python applications, with strong support for 12-factor applications and extensions for Flask and Django: strict separation of settings from code (following the 12-factor guide); comprehensive default values; parameters stored in multiple file formats (.toml, .json, .yaml, .ini and .py); sensitive secrets like tokens and passwords kept in safe places such as a .secrets file or a Vault server; parameters optionally stored in external services like a Redis server. Feature flagging is a system to dynamically toggle features in your application based on some settings value; the advantage is that changes can be made on the fly without redeploying or restarting the application.
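The config-from-environment separation described above, as an added example (it is not dynaconf's code, nor code from the talk): secrets come from environment variables or from a file named by a NAME_FILE variable (the convention Docker and Kubernetes use for mounted secrets), placeholders are tolerated only with DEBUG on, and a production deploy that is missing a real value fails at start-up instead of running with a default. The setting names, the placeholder list and the sample environments in the test are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Values that pass the open-source litmus test only because they grant nothing;
# any of them in production means the real secret was never configured.
PLACEHOLDER_SECRETS = {"", "changeme", "django-insecure-dev-key"}


class ConfigError(RuntimeError):
    """Raised at start-up, so a misconfigured deploy fails loudly, not silently."""


def read_secret(name, env=os.environ, default=None):
    """NAME from the environment, else the contents of the file named by NAME_FILE
    (how Docker and Kubernetes mount secrets), else default; raise if there is none."""
    if name in env:
        return env[name]
    file_var = env.get(f"{name}_FILE")
    if file_var:
        return Path(file_var).read_text(encoding="utf-8").strip()
    if default is None:
        raise ConfigError(f"{name} is not set; it must come from the environment, not the code")
    return default


def problems(settings):
    """Reasons a settings dict must not serve production traffic ([] means none)."""
    found = []
    if settings["DEBUG"]:
        found.append("DEBUG is on")
    if settings["SECRET_KEY"] in PLACEHOLDER_SECRETS:
        found.append("SECRET_KEY is a placeholder")
    if not settings["ALLOWED_HOSTS"]:
        found.append("ALLOWED_HOSTS is empty")
    return found


def load_settings(env=os.environ):
    """Build the per-deploy part of Django settings from the environment."""
    debug = env.get("DJANGO_DEBUG", "0") == "1"
    settings = {
        "DEBUG": debug,
        # A placeholder is fine on a developer laptop and rejected everywhere else.
        "SECRET_KEY": read_secret("DJANGO_SECRET_KEY", env, default="django-insecure-dev-key"),
        "DATABASE_URL": read_secret("DATABASE_URL", env),
        "ALLOWED_HOSTS": [h for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h],
    }
    if not debug:
        bad = problems(settings)
        if bad:
            raise ConfigError("refusing to start: " + "; ".join(bad))
    return settings


def demo_file_secret():
    """Exercise the NAME_FILE path with a temporary file standing in for a mounted secret."""
    with tempfile.NamedTemporaryFile("w", suffix=".secret", delete=False) as f:
        f.write("s3cret-from-mounted-file\n")
    try:
        return read_secret("DJANGO_SECRET_KEY", {"DJANGO_SECRET_KEY_FILE": f.name})
    finally:
        os.unlink(f.name)
```

In settings.py this reduces to `SETTINGS = load_settings()` and `SECRET_KEY = SETTINGS["SECRET_KEY"]`, and the repository never contains a value worth stealing.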
  12. In our ISO risk methodology the admin panel is defined as a key asset. The admin panel is a very high risk because, if compromised, it affects all three parts of the CIA triad at once. We added an extra layer of security using django-admin-ip-whitelist, a Django middleware app that denies users whose IPs are not whitelisted; it stores the whole whitelist in memory to avoid database lookups on every request. Access to internal-only services, staging servers and test servers is allowed through the OpenVPN server only.
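An allowlist middleware of the kind described above, added here as an example (it is not the django-admin-ip-whitelist package's code): networks are parsed once at start-up and held in memory, and /admin/ returns 403 to any other address before the login form is served, so a phished admin password is useless from the open internet. The ADMIN_IP_ALLOWLIST setting, the sample addresses (an office egress IP and a VPN client range) and the FakeRequest class are assumptions; the guarded import lets the example run without Django installed, while under Django the real HttpResponseForbidden is used.

```python
import ipaddress

try:
    from django.http import HttpResponseForbidden
except ImportError:
    # Stand-in with the attributes we use, so the example runs without Django.
    class HttpResponseForbidden:
        status_code = 403

        def __init__(self, content=b"", content_type=None):
            self.content = content

# Assumed setting: addresses or CIDR ranges that may reach the admin, e.g. the
# office egress address and the VPN client range.
ADMIN_IP_ALLOWLIST = ["203.0.113.10", "10.8.0.0/24"]


def build_allowlist(entries):
    # Parsed once at start-up and kept in memory: no database lookup per request.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(remote_addr, networks):
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False          # missing or unparseable address: deny
    return any(addr in net for net in networks)


class AdminIPAllowlistMiddleware:
    """Place near the top of MIDDLEWARE so it runs before any admin view."""

    def __init__(self, get_response, entries=ADMIN_IP_ALLOWLIST, prefix="/admin/"):
        self.get_response = get_response
        self.networks = build_allowlist(entries)
        self.prefix = prefix

    def __call__(self, request):
        # REMOTE_ADDR must be the real client address. Behind a proxy, have the
        # proxy rewrite it (nginx's real_ip module, for instance) rather than
        # reading X-Forwarded-For here, which any client can set.
        remote_addr = request.META.get("REMOTE_ADDR", "")
        if request.path.startswith(self.prefix) and not is_allowed(remote_addr, self.networks):
            return HttpResponseForbidden(b"admin is restricted to allowlisted addresses",
                                         content_type="text/plain")
        return self.get_response(request)


class FakeRequest:
    """Constructed stand-in for HttpRequest with the two attributes used above."""

    def __init__(self, path, remote_addr):
        self.path = path
        self.META = {"REMOTE_ADDR": remote_addr}
```

Changing the allowlist requires a restart, which is the trade-off for never touching the database on the hot path; keep the VPN range in it so staff can reach the admin from anywhere without widening the list.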
  13. Django is regularly patched with the latest security updates, so using an up-to-date LTS Django version ensures that the application has all the latest security patches. It is always preferable to deploy behind HTTPS; doing so prevents malicious users from intercepting information sent between the client and the server. By default the session and CSRF cookies are not marked Secure, so a browser will also send them over plain HTTP. Since we have already established that you need HTTPS, make sure your cookies are only sent over HTTPS as well: to prevent leaking cookies, set SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to True. Django's manage.py check --deploy command reports these and the other deployment settings (HSTS, SECURE_SSL_REDIRECT, DEBUG) that are still at their development defaults. If your web application allows users to upload files, you are opening yourself to an attack vector and the upload logic should be handled carefully: validate all uploaded files to be sure they are what you expect (type, size and content, not just the file name). While it may be tempting to write raw SQL queries and custom SQL, doing so may open the door to an attack; a user attempting SQL injection (executing arbitrary SQL on the database) will find it much harder if you always use the ORM, and where raw SQL is unavoidable, pass values as query parameters rather than formatting them into the statement. Organisations usually assume most risks come from public-facing web applications. That has changed: with dozens of small components in every application, risks can come from anywhere in the codebase. While bugs like Heartbleed, Shellshock and the DROWN attack made headlines too big to ignore, most bugs found in dependencies go unnoticed. Indirect dependencies are as likely to introduce risk as direct dependencies, but those risks are less likely to be recognised. A tool like Snyk helps you understand your entire dependency tree.
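The raw-SQL point above, shown as an added example (not code from the talk or from Django): a lookup built with string formatting beside the parameterised form that closes the hole. It uses the standard-library sqlite3 module and a constructed users table so it runs stand-alone; the table and rows are assumptions. With Django the same rule applies to connection.cursor().execute(sql, params) and Model.objects.raw(sql, params), which take %s placeholders where sqlite3 takes ?.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the app's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice@example.com", "pbkdf2$hash-for-alice"),
        ("bob@example.com", "pbkdf2$hash-for-bob"),
    ])
    return db


def find_user_vulnerable(db, email):
    # The value is spliced into the statement, so a quote in it ends the
    # string literal and whatever follows is executed as SQL: a WHERE that is
    # always true dumps the table, a UNION reads any other column.
    sql = "SELECT email FROM users WHERE email = '%s'" % email
    return [row[0] for row in db.execute(sql)]


def find_user_safe(db, email):
    # Bound parameter: the driver passes the value separately from the
    # statement, so it can only ever be compared as data, never parsed as SQL.
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in db.execute(sql, (email,))]
```

The ORM does the second form for you on every query; the danger is the one-off report or migration where someone reaches for a format string because "the input is internal".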
  14. ISO 27k made us rethink our security as a whole, and enabled us to implement best practices for keeping information safe and secure. ISO 27001 is one of the most popular information security standards in existence; independently accredited certification to the Standard is recognised around the world, and the number of certifications has grown by more than 450% in the past ten years.
  15. Today, Tuesday, 9 February 2021, we celebrate the 18th edition of Safer Internet Day, with actions taking place right across the globe. With the theme once again of "Together for a better internet", this day calls upon all stakeholders to join together to make the internet a safer and better place for all. As a representative of an organisation and industry, you are in a direct position to design, shape and adapt the platforms, services and content that children and young people interact with on a daily basis. In doing so, you have the power to make a safer and better internet a concrete reality.