DjangoCon 2015

Improving the security of Django applications

Kelsey Gilmore-Innis

Transcript

Excerpt from the automatic transcript of the video produced by YouTube.

Okay, I have a tradition: I like to take a speaker selfie, if you all indulge me in it. In a second, hang on, I remember how to work Twitter. Okay, thank you. Yes, ah, there's an underscore on the front of that, sorry, it changed my Twitter to be less discoverable, which kind of goes against the purpose of putting it on a slide, isn't it? So I am Kelsey, with an underscore in front, on Twitter. I am a developer. I am NOT a security expert. My background is in back-end development, in Scala for many years, in Java before that. I joined Sexual Health Innovations a little bit before the beginning of the year to build Callisto, which, as the patron's fabulous intro explained, is a confidential and secure reporting system for sexual assault on college campuses. It is live as of last week at two schools, Pomona and USF in California. And there's a lot of things that Callisto does. There's some really amazing UX around it. We've designed a UX that's meant to be supportive and survivor-focused and to follow best practices in information design and interview design, which is its own field; also to surface resources at a campus for people who have been a victim of this kind of thing. There's a ton of it. That's another talk, the UX stuff, which has lots of benefits and is really exciting.

But data-wise, what's important about Callisto is that it's an information escrow. What that means is that survivors can come to the site and they can write down what happened to them and they can store it securely until they decide what they want to do with that information. This is kind of a new idea. You're probably familiar with the concept of escrow in terms of money, because you do it often when you have a house: you give money to a trusted third party. Information escrow, you give information to a trusted third party and then you can release it when you're ready. And the challenge for us, data-wise, then is to keep that information really secure while the survivor decides what to do with it. So I'm going to talk to you about what we did to do that, what we used in Django to do that, a little bit about why we chose Django. One caveat I want to put in at the beginning: there is no user-uploaded content on this site besides text, so there's no files that are uploaded. There would be dragons if you're doing that; there's a whole host of security concerns that you need to be worried about. I'm not going to touch on it, but just so you know.

So, you can't secure data on the Internet. So the Ashley Madison hack was, like, professionally really bad timing for me, probably one of the few people who would say that who doesn't work at Ashley Madison, just because suddenly this idea of data loss is in the news, right? And there's a ton of fear around it. Understandably, it was a really scary situation. And you know, in a lot of ways this is true: if someone comes up and tells you that they can have data that's perfectly secure, they're selling you snake oil, right? Almost all of the practice of security, in a big way, revolves around being pessimistic. You assume a breach and you work from there. You want to figure out what the breach might be and how you can mitigate it. That's where you should start from when you're securing your apps. You should have a plan for when a breach happens. You should have a plan for knowing that a breach happened, which is really big, and thankfully Jacob Kaplan-Moss is here to talk a lot about practices and sort of organizational tools you can build around that, so go to his talk. And we'll go to the next slide. And I think it's in an hour.

That said, right, I am personally kind of frustrated with some of the press around the Ashley Madison hack, right? Because yes, data on the internet, there's a lot of security concerns in general with the whole concept of data, but the Ashley Madison breach specifically, what we had was a really deeply unethical company doing really deeply unethical things with other people's incredibly sensitive data, right? Obviously you can do things that are reasonably secure on the Internet. I assume many of us bank on the internet, for example, which is incredibly sensitive information. Many of us use, say, internet-connected health-information-providing offerings and things like that, right? There are things we can do. And in some ways I feel like this narrative that, like, that's what you get if you put information on the Internet, it'll be out there, it's kind of a cop-out, right? Because if you look at the specifics of the Ashley Madison hack, the hackers have actually come out and said, "We were in there for years and they didn't notice. We were using default passwords from the internet." I mean, you know, they're anonymous, ha, like, you have to take all this with a grain of salt, but there's a lot of evidence out there that this was a company that wasn't taking care of their consumers' data. They actually said there is no indication of any software vulnerability being exploited during this incident. What that means is that people were able to get access through the same means that other people were getting access, whether it was because it was a disgruntled employee, which is what some people said, or they just didn't lock down their stuff. You know, still we don't know, we may never know, but it's important to, like, be clear that there are ethical things you

[ ... ]

Note: the remaining 2,687 words of the full transcript have been omitted to comply with YouTube's "fair use" rules.