Re: Add documentation to address OWASP Top 10?

2016-04-06 Thread Tim Graham
Proposed text:

Take a look at the Open Web Application Security Project (OWASP) Top 10 list, 
which identifies some common vulnerabilities in web applications. While Django 
has tools to address some of the issues, other issues must be accounted for in 
the design of your project.

(linked to https://www.owasp.org/index.php/Top_10_2013-Top_10)

https://github.com/django/django/pull/6425

On Wednesday, April 6, 2016 at 5:03:24 AM UTC-4, Erik Cederstrand wrote:
>
> > On 6 Apr 2016 at 07:29, Anssi Kääriäinen wrote:
> > 
> > It is notable that if the number of items is a secret (say, you don't 
> > want to reveal how many sales items you have), just having information 
> > about sequential numbers is bad. In that case you should use UUID, 
> > which the documentation could point out. 
>
> If anything about your data is sensitive, then there are a pile of side 
> channels that putting your data online could expose. URLs are just one. For 
> an entertaining read, google "German tank problem". 
>
> Giving specific security advice in the documentation that doesn't strictly 
> refer to Django features could IMO lead to the false expectation that 
> you're magically secure if you follow the advice. I would prefer that the 
> documentation simply pointed to further reading, e.g. OWASP. 
>
> Erik

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/17a7595b-821b-4ab2-95c8-3bc54b7650d7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: Add documentation to address OWASP Top 10?

2016-04-06 Thread Erik Cederstrand

> On 6 Apr 2016 at 07:29, Anssi Kääriäinen wrote:
> 
> It is notable that if the number of items is a secret (say, you don't
> want to reveal how many sales items you have), just having information
> about sequential numbers is bad. In that case you should use UUID,
> which the documentation could point out.

If anything about your data is sensitive, then there are a pile of side 
channels that putting your data online could expose. URLs are just one. For an 
entertaining read, google "German tank problem".

Giving specific security advice in the documentation that doesn't strictly 
refer to Django features could IMO lead to the false expectation that you're 
magically secure if you follow the advice. I would prefer that the 
documentation simply pointed to further reading, e.g. OWASP.

Erik



Re: Add documentation to address OWASP Top 10?

2016-04-06 Thread Curtis Maloney

On 06/04/16 11:35, Josh Smeaton wrote:

> I like the idea of addressing the OWASP top 10. Further, I think the
> advice of obscuring keys is wrong. The problem is actually addressed in
> the OWASP Top 10[0]
>
> *4 Insecure Direct Object References:*
> A direct object reference occurs when a developer exposes a reference to
> an internal implementation object, such as a file, directory, *or
> database key*. Without an access control check or other protection,
> attackers can manipulate these references to access unauthorized data.
>
> The proper solution is *Access Controls* like the Permissions system
> provides.


Exactly... or just filtering the queryset according to the logged in 
User, and returning a 404 otherwise -- get_object_or_404 can make this 
trivial...


(yes 404, as 403 potentially admits the existence of the record in 
question -- see GitHub's behavior)


--
Curtis



Re: Add documentation to address OWASP Top 10?

2016-04-06 Thread Aymeric Augustin
That was my thinking as well.

This is a basic topic when it comes to web security. We can point to the OWASP 
Top 10, but I don’t think it’s reasonable to cram a complete course about web 
security into Django’s documentation, let alone maintain it. Django’s docs will 
never contain everything one may need to know to write any project that may take 
advantage of Django.

-- 
Aymeric.

> On 06 Apr 2016, at 03:35, Josh Smeaton  wrote:
> 
> I like the idea of addressing the OWASP top 10. Further, I think the advice 
> of obscuring keys is wrong. The problem is actually addressed in the OWASP 
> Top 10[0]
> 
> 4 Insecure Direct Object References:
> A direct object reference occurs when a developer exposes a reference to an 
> internal implementation object, such as a file, directory, or database key. 
> Without an access control check or other protection, attackers can manipulate 
> these references to access unauthorized data.
> 
> The proper solution is *Access Controls* like the Permissions system 
> provides. If you're going to rely on obscurity (one-time file downloads for 
> example), then you want to do so with a UUID or some kind of cryptohash (I 
> haven't verified the particulars, don't take this comment as security 
> advice). That's not appropriate for something like a comments system.
> 
> [0] https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
> 



Re: Add documentation to address OWASP Top 10?

2016-04-05 Thread Anssi Kääriäinen
It is notable that if the number of items is a secret (say, you don't
want to reveal how many sales items you have), just having information
about sequential numbers is bad. In that case you should use UUID,
which the documentation could point out.

On Wed, Apr 6, 2016 at 4:35 AM, Josh Smeaton  wrote:
> I like the idea of addressing the OWASP top 10. Further, I think the advice
> of obscuring keys is wrong. The problem is actually addressed in the OWASP
> Top 10[0]
>
> 4 Insecure Direct Object References:
> A direct object reference occurs when a developer exposes a reference to an
> internal implementation object, such as a file, directory, or database key.
> Without an access control check or other protection, attackers can
> manipulate these references to access unauthorized data.
>
> The proper solution is *Access Controls* like the Permissions system
> provides. If you're going to rely on obscurity (one-time file downloads for
> example), then you want to do so with a UUID or some kind of cryptohash (I
> haven't verified the particulars, don't take this comment as security
> advice). That's not appropriate for something like a comments system.
>
> [0] https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
>

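The leak Anssi and Erik describe above (sequential ids in public URLs revealing how many rows exist, i.e. the "German tank problem"), worked through as an added example that is not part of this thread or of Django: the estimator quantifies what a few observed ids give away, and a version-4 UUID is the opaque alternative. The observed ids and the true table size are constructed values.

```python
import uuid


def german_tank_estimate(observed_ids):
    """Estimate the total number of rows N from sequential ids that were
    sampled uniformly without replacement from 1..N.  The minimum-variance
    unbiased estimator is N ~= m + m/k - 1, where m is the largest id seen
    and k the number of distinct ids seen.  This is the side channel a
    sequential AutoField primary key opens when it appears in URLs."""
    ids = sorted(set(observed_ids))
    if not ids or ids[0] < 1:
        raise ValueError("expected positive integer ids")
    m, k = ids[-1], len(ids)
    return m + m / k - 1


def opaque_public_id() -> str:
    """Random UUID (version 4) to expose in URLs instead of the row number:
    122 random bits carry neither ordering nor a hint of the row count."""
    return str(uuid.uuid4())


def is_random_uuid(public_id: str) -> bool:
    """True only for a well-formed version-4 UUID; a bare row number or any
    other string is rejected, so this doubles as a check that a public id
    is not a sequential key in disguise."""
    try:
        return uuid.UUID(str(public_id)).version == 4
    except ValueError:
        return False


# Constructed sample: five ids seen in a shop's public product URLs.
# The (hidden) catalogue size in this scenario is 150 rows.
OBSERVED_SEQUENTIAL = [17, 68, 94, 127, 135]

if __name__ == "__main__":
    # 161.0: five URLs already place the catalogue size within about 7%.
    print(german_tank_estimate(OBSERVED_SEQUENTIAL))
    print(is_random_uuid(opaque_public_id()), is_random_uuid("135"))
```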


Re: Add documentation to address OWASP Top 10?

2016-04-05 Thread Josh Smeaton
I like the idea of addressing the OWASP top 10. Further, I think the advice 
of obscuring keys is wrong. The problem is actually addressed in the OWASP 
Top 10[0]

*4 Insecure Direct Object References:*
A direct object reference occurs when a developer exposes a reference to an 
internal implementation object, such as a file, directory, *or database key*. 
Without an access control check or other protection, attackers can 
manipulate these references to access unauthorized data.

The proper solution is *Access Controls* like the Permissions system 
provides. If you're going to rely on obscurity (one-time file downloads for 
example), then you want to do so with a UUID or some kind of cryptohash (I 
haven't verified the particulars, don't take this comment as security 
advice). That's not appropriate for something like a comments system.

[0] https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013

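The access-control fix Josh argues for above, and Curtis's concrete form of it (filter the queryset by the logged-in user and answer 404 rather than 403 so that the response does not confirm the record exists), as an added example that is neither this thread's nor Django's code. To stay runnable without Django it uses an in-memory dict in place of `Document.objects` and a `NotFound` exception in place of `Http404`; the secure view mirrors what `get_object_or_404(Document, pk=pk, owner=request.user)` would do. The documents and users are constructed values.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Stand-in for django.http.Http404 (rendered as a 404 response)."""


@dataclass(frozen=True)
class Document:
    pk: int
    owner: str
    body: str


# Constructed table standing in for Document.objects.
DOCUMENTS = {
    1: Document(pk=1, owner="alice", body="alice's private notes"),
    2: Document(pk=2, owner="bob", body="bob's invoice"),
}


def document_view_insecure(user: str, pk: int) -> str:
    """Insecure direct object reference (OWASP Top 10 2013, A4): the id
    from the URL is the only thing that selects the row, so any logged-in
    user can read any document by changing the number.  Hiding the id
    (a UUID) would only obscure this; it would not fix it."""
    doc = DOCUMENTS.get(pk)
    if doc is None:
        raise NotFound
    return doc.body


def document_view_secure(user: str, pk: int) -> str:
    """Access control: the lookup is filtered by the logged-in user as well
    as the pk, and 'no such row' and 'not your row' both end in 404, the
    way get_object_or_404(Document, pk=pk, owner=request.user) behaves.
    A 403 for the second case would confirm that the record exists."""
    doc = DOCUMENTS.get(pk)
    if doc is None or doc.owner != user:
        raise NotFound
    return doc.body


def response_status(view, user: str, pk: int) -> int:
    """Return the HTTP status the view would produce for this request."""
    try:
        view(user, pk)
        return 200
    except NotFound:
        return 404
```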