DjangoCon 2015

Desarrollando un plan para mejorar la seguridad de las aplicaciones Django en cinco días

Jacob Kaplan-Moss  · 


Extracto de la transcripción automática del vídeo realizada por YouTube.

had folks so I'm going here today is to get you thinking systemically about security not thinking about the the what not you know cryptography and hashing and password security and and using template auto escaping you know I'm not talking about the

technical details although Kelsey gave a talk earlier today which covers a lot of those technical details in depth so if you want to know more about that watch the video well what I'm going to talk about is how does your organization think about security

what is it what is your security program um let me get a quick reading how many people here work for an organization that you would say has an established security program Wow okay that's awesome that's actually more than I thought and how many of

you do some form of security in your day job but don't really understand exactly how it fits into a larger picture of your organization's security posture all right if you were okay cool so I'm speaking I was speaking to the people who raised their

hand the second time and I'm speaking to the people who didn't raise their hands at all who don't think that they have a part or don't understand their part in an organization security you know really I want to answer a simple question here

which is what what a Minimum Viable security program look like you can't you know I work for Heroku which is part of Salesforce right Salesforce 15,000 employees we've got a security program we've got lots of security programs I want to answer

what does this look like if you're if you're for people if you're 12 people if you're a small development team within a larger context that needs to sort of get its act together remember we talked about Minimum Viable products we're not

talking about we're not talking about just one part right i love i love this image because it really describes like exactly how you should think about what minimum viable means it mean let's just build one part of it it means let's build something

that satisfies so in this example I'm I want to tell you how to build a skateboard so the conceit of this talk is let's say you've got one week you're going to sprint on this for a week you sit down with your co-workers and the end of that

week you want to have an established defined measured successful security program ready to be iterated on over the next five weeks 5 months 5 years and that's what we're building so here's what we'll do monday we're going to want to develop

our training program to make sure that developers understand what building secure software means Tuesday we're going to develop an SD l which is a fancy version of saying what is security here and how does it work Wednesday we're going to plan for

when the hits the fan excuse my French Thursday we're going to talk about what a lot of people think of as sort of the boring parts of security governance risk and compliance formal security programs and Friday you're going to tell the world that you've

just done some awesome work let's dive in so train your staff so security is a shared responsibility a system is only as strong as its weakest link and this means we need to strengthen all of the links every single person at your organization is in some

sense accountable for the security of your organization whether they are a developer who needs to write code that protects against sequel injection or an admin who needs to not fall prey to a phishing attack and share corporate calendars or a janitor who needs

to keep the doors locked or a manager who needs to not you know up let someone approve a change that that would be a bad idea for the company's overall risk profile right these are all actions that people need to take to ensure that we're doing our

best job protecting our organization and most importantly our customers so you really need to have holistic security awareness training for everyone at the company this this isn't optional I'll talk a bit about why in a minute and what so what I suggest

you do is focus on some some very basic security hygiene practices good passwords is that is the easy one luckily there are several good password management utilities LastPass in one pass then they are not hard to use I hesitated in a minute last pass is a

little hard to use but it has some good features so it's kind of worth it so you can make a decision there about you x versus features and decide which one you like train your staff at using a password manager that will dramatically level up how to the

sort of organizational security posture of of their platform shared password reuse that is using the same password on one side and another and then site a gets compromised and attackers use it on site B is an incredibly common exploit vector there was an interesting

breach a number of years ago of a company was their name they were they were a mongodb like as a service provider and the way that they were compromised was that the password that was used was used by a staff member on Adobe's website and Adobe was compromised

and with the compromise to the mongo provider a shared password used by a user of that service was used to compromise another serve as a continuous integration service and so you have this chain of the attacker moving from platform to platform harvesting passwords

and trying them across other other systems so cutting out password reuse through the use of technology is a really good way to cut that down multi-factor off is a thing it works train your you can train your staff how to use it and basic training in in customer

privacy procedures is something that you should probably be spending some time writing down and helping your staff understand this will differ from organization to organization depending on who your customers are and what what privacy means to them but this

is worth worth the investment let's talk a bit about fishing because that's the biggest threat that you'll probably face to this sort of general population of your f so fishing this is from the verizon does a yearly data breach investigation report

where they compile data on security breaches from hundreds of organizations and do a bunch of analysis and grouping of the types of vulnerabilities and they find that more than two-thirds of incidents that that follow this pattern of trying to steal data feature

fishing most attacks start with either a targeted or an untargeted phishing email what's really scary if you're in the security field is that almost a quarter of recipients open phishing messages and ten percent of them click on attachments which means

that just 10 emails gives you a ninety percent success rate right that's pretty scary that means as an attacker I only need to send you to your company ten emails to have a fairly good chance of successfully fishing someone so what can we do about this

this is a big threat and it's really hard to address because it's it's it's people so there's some technology tools you good email filtering helps Gmail's great being able to store and archive all of your organization's email so

that you can you can determine the scope of a phishing attack if one occurs is another great technological stuff but really training is the main thing that you that you have to do here the same the same study the the d.i.b are also found that the best early

warning system for phishing attacks is is your own staff a properly trained staff the average time to respond to a phishing attack was 20 minutes so if you have a staff that knows what fishing is and understands what it is and how to report it to you and how

to how to sort of tell you that something something's up you have a better than average chance of catching an attack early on you can do this yourself you can also pay for this fish mecom is really good they'll they'll run phishing attacks against

your staff for you you give them your staff email lists and they do targeted and different types of phishing attacks and anyone who for one gets taken to a special customized training specifically for that style of fishing attack so it's a it's a good

[ ... ]

Nota: se han omitido las otras 4.126 palabras de la transcripción completa para cumplir con las normas de «uso razonable» de YouTube.