blog blog blog

Twitter GitHub LinkedIn Lanyrd Email Feed

Python & Django Security on a Shoestring: Resources

Here are some resources that we used in making Callisto secure, as presented at PyCon 2016.

Callisto is an online reporting system for college sexual assault. It's written in Django and provides a more empowering, transparent, and confidential reporting experience for survivors. It's absolutely essential that we keep our users' data secure--but as a small non-profit, we could barely afford one full-time developer, let alone someone focused solely on security.

Thankfully, although the infosec community can sometimes be intimidating, any one of us can learn how to build secure sites using Python. This talk covers the essential concepts behind securing your users' data and offer examples of how we applied them to Callisto. Doing right by your users can be easier than you think; join me to learn how we did it and how you can too.


You can't/can secure data on the Internet

Start from solid foundations

Know your strengths

Know your threats

Your biggest threat is in this room

Tell me your cat's name and I can access your whole world

"Computer" can mean many things

Don't get cute

Be lazy but not complacent

  • for automated help with patch management
  • Bugtraq security vulnerability mailing list

You get a lot for free or cheap

Pay someone smarter

Thank someone smarter

  • SHI's advisory board members who helped with security: Leigh Honeywell, Sophie Haskins, Sina Bahram, Selena Deckelmann, Chris Valasek, Don Bailey
  • Django queen: the incomparable Lacey Williams Henschel
  • Friends of the project: Ben Hughes, Jacob Kaplan-Moss & his team at Heroku, Meeko Govender at NCC Group