Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Oh, I Found a Security Issue (PyCon CA 2017)

Markus H
November 18, 2017

Oh, I Found a Security Issue (PyCon CA 2017)

Markus H

November 18, 2017
Tweet

More Decks by Markus H

Other Decks in Technology

Transcript

  1. Oh, I Found a
    Security Issue

    View Slide



  2. View Slide

  3. Who's an
    OpenSource
    maintainer?

    View Slide

  4. Who uses Django?

    View Slide

  5. Date: Tue, 4 Apr 2017 08:31:25 -0700 (PDT)
    From: Tim Graham <*****@gmail.com>
    To: django-announce
    Subject: [django-announce] Django security releases issued: 1.10.7,
    1.9.13, and 1.8.18
    Today the Django team issued 1.10.7, 1.9.13, and 1.8.18 as part of our
    security process. These releases address two security issues, and we
    encourage all users to upgrade as soon as possible:
    https://www.djangoproject.com/weblog/2017/apr/04/security-releases/
    As a reminder, we ask that potential security issues be reported via
    private email to [email protected] and not via Django's Trac
    instance or the django-developers list. Please see
    https://www.djangoproject.com/security for further information.

    View Slide

  6. View Slide

  7. Assessing the
    reported issue

    View Slide

  8. Fixing the issue

    View Slide

  9. Confirming the fix

    View Slide

  10. Pre-notification

    View Slide

  11. Release

    View Slide

  12. Announcement

    View Slide

  13. How to apply this?

    View Slide

  14. ● Setup reporting channel

    View Slide

  15. ● Setup reporting channel
    ● Monitor reporting channel

    View Slide

  16. ● Setup reporting channel
    ● Monitor reporting channel
    ● Fix the issue

    View Slide

  17. ● Setup reporting channel
    ● Monitor reporting channel
    ● Fix the issue
    ● Release & Announce

    View Slide

  18. ● Setup reporting channel
    ● Monitor reporting channel
    ● Fix the issue
    ● Release & Announce
    ● Learn from it

    View Slide

  19. OWASP Top 10
    https://www.owasp.org/

    View Slide

  20. Thank you!
    @m_holtermann

    View Slide