Web application security – Why startups can rely on Django security for their SaaS applications
A tech startup got in touch with us recently to evaluate their technology options for a SaaS application. It had a predominant e-commerce component, and the startup needed an easily maintainable, secure framework to build their application on.
After considering all possible alternatives, Django emerged as the most secure framework that also met their requirements of easy scalability and low maintenance overhead. To reach this decision, we went through the top categories of web application vulnerabilities and the defenses each framework offered against them. Unlike the other frameworks, Django features built-in defenses for all of the top categories. The details are noted here:
1. Preventing Cross Site Scripting (XSS)
XSS is by far the top category of attack, and is made possible by web applications that render user-supplied data without validating or escaping it. Django's template system guards against this by automatically escaping variable values, so injected markup is rendered as inert text rather than executed as code.
2. Preventing Injection Attacks
The second top category of attacks consists of SQL injection, OS command injection, LDAP injection, content injection, email header injection and directory traversal attacks. Django provides a reliable set of user-input sanitizing mechanisms to blunt such attacks: the database API automatically escapes all special SQL parameters, the built-in mail functions (django.core.mail) reject illegal input such as a newline in a mail subject, and the URLconf abstraction prevents loading any URL that is not explicitly permitted.
3. Preventing Session/Authorization Exploits
Session forging, session poisoning, session fixation, man-in-the-middle attacks, cookie forging and similar exploits become possible when session management is not thoroughly vetted for security. Django's session framework is solidly built: it refuses to store sessions in URLs, keeps session data in a server-side backend, and hashes session IDs to prevent a session ID from being brute-forced. On top of this, Django makes it easy to force secure HTTPS sessions using django-secure.
4. Preventing CSRF and Clickjacking
The fourth major category of web application vulnerability is Cross Site Request Forgery (CSRF), which is made possible by inadequate sanitization of GET and POST requests. Django provides the CsrfMiddleware class, which uses a token to make sure all outgoing and incoming requests are indeed valid. Closely related is the clickjacking attack, which Django prevents with the X-Frame-Options middleware; it stops the site from being rendered inside a frame.
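As an added example (not code from the original article), the following dependency-free check audits a Django settings module for the HTTPS-only sessions, CSRF and clickjacking protections described in sections 3 and 4, in the spirit of Django's own `manage.py check --deploy`. The setting and middleware names are Django's real ones (the CSRF middleware is named CsrfViewMiddleware in current Django, and SecurityMiddleware is the in-tree successor of django-secure); the weak and hardened settings dictionaries are constructed samples.

```python
# Added example: audit a Django settings dict for session, CSRF and clickjacking hardening.
# Not part of the original article; the two sample settings dicts below are constructed.

CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"
SECURITY_MW = "django.middleware.security.SecurityMiddleware"  # in-tree successor of django-secure


def audit_settings(settings: dict) -> list:
    """Return a list of human-readable findings; an empty list means the checks all pass."""
    findings = []
    middleware = settings.get("MIDDLEWARE", [])
    if CSRF_MW not in middleware:
        findings.append("CsrfViewMiddleware missing: state-changing POSTs are not CSRF-protected")
    if XFRAME_MW not in middleware:
        findings.append("XFrameOptionsMiddleware missing: pages can be framed (clickjacking)")
    elif settings.get("X_FRAME_OPTIONS", "DENY") not in ("DENY", "SAMEORIGIN"):
        findings.append("X_FRAME_OPTIONS must be DENY or SAMEORIGIN")
    if SECURITY_MW not in middleware:
        findings.append("SecurityMiddleware missing: no HTTPS redirect or HSTS enforcement")
    else:
        if not settings.get("SECURE_SSL_REDIRECT", False):
            findings.append("SECURE_SSL_REDIRECT is off: plain-HTTP sessions are still accepted")
        if settings.get("SECURE_HSTS_SECONDS", 0) <= 0:
            findings.append("SECURE_HSTS_SECONDS is 0: browsers are not pinned to HTTPS")
    # Cookie flags: Secure keeps the cookie off plain HTTP, HttpOnly keeps it away from scripts.
    for flag in ("SESSION_COOKIE_SECURE", "SESSION_COOKIE_HTTPONLY", "CSRF_COOKIE_SECURE"):
        if not settings.get(flag, False):
            findings.append(f"{flag} is off: the cookie can leak over HTTP or to page scripts")
    return findings


# Constructed sample: a starter project with the hardening left at its defaults.
WEAK_SETTINGS = {
    "MIDDLEWARE": ["django.contrib.sessions.middleware.SessionMiddleware"],
    "SESSION_COOKIE_HTTPONLY": True,
}

# Constructed sample: the same project after hardening.
HARDENED_SETTINGS = {
    "MIDDLEWARE": [SECURITY_MW, "django.contrib.sessions.middleware.SessionMiddleware",
                   CSRF_MW, XFRAME_MW],
    "X_FRAME_OPTIONS": "DENY",
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 31536000,
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "CSRF_COOKIE_SECURE": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_settings(cfg) or ["no findings"])
```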
5. Preventing Information Leakage
Information leakage can happen through Insecure Direct Object References (IDOR), unvalidated redirects, failure to restrict URL access, or insecure cryptographic storage. Django provides several mechanisms to counter these issues: for example, slug fields can be used to protect against IDOR, view-level access control restricts URL access, and the secure user authentication module protects against off-site links in URL parameters, enforces SHA1 hashing as a minimum, and so on.
All of this out-of-the-box security capability makes Django an ideal choice for security-critical SaaS applications. It reduces time to market and future code maintenance overhead.
Are you considering Django for your web application? We can help you in evaluating your options.