Security in the age of frameworks

Abstraction leads to pain, pain leads to suffering, suffering leads to token leakage. A “monsters found” talk about the implications of security measures baked into web frameworks and the ways in which developers and sysadmins defeat those measures. Will use Python web frameworks like Django and Flask for examples, but the concepts are universal. Will cover broken SSL implementations, oAuth token leakage, vulnerable cookie signatures and other brokenness.

Security can never be one-size-fits-all, it requires constant and vigilant configuration, customization and verification. Failure to reevaluate correctness after minor, seemingly unrelated, configuration changes might completely strip any effectiveness of the security measures. Since developers didn't write them, we rely on them understanding the functionality by reading documentation at a level that includes known issues, which is rarely the case.

Since security measures ship with frameworks, sysadmins are also not fully aware of them, how they function, and what their failure modes look like. The demarcation line is unclear and as a result things fall through the cracks. Often times the simplest countermeasure is to bring it fresh pairs of eyes.

Skill level: Advanced
Duration: 25 min

This talk was chosen by Python Hrvatska user group.

Photo of Luka Kladaric
Luka Kladaric

Luka has been doing computer stuff professionally for well over 10 years. Initially self-exiled from the Microsoft world to PHP, he's since moved on to Python and more recently ansible and other opsy stuff. Despises frontend, likes doing talks. Currently Senior Software Engineer at, formerly CTO/cofounder at and developer at Ran a small web studio in Croatia with a dozen happy customers. Splits time between Zagreb and New York. Dreams in matrixcode.

Supported by

Organized by