Security

00:00.0

Hi, and welcome to another episode of Django Chats. I'm Carlton Gibson, joined as ever

00:09.2

by Will Vincent. Hello, Will.

00:10.3

Hi, Carlton.

00:11.1

How are you?

00:11.8

Good. I'm good. This week, we're going to talk about security, which I'm kind of excited

00:15.6

about because it is a deep and important topic. And I think it's interesting when I'm teaching

00:22.1

beginners and I sort of say and then show them the web is a really, really dangerous

00:25.9

place. And it's why a framework like Django that takes a lot of effort and a lot of precautions,

00:31.1

it really helps you out. So I think we're going to talk about what are these classic dangers,

00:35.8

and then what does Django do to help you with them, and then how do you configure it?

00:39.7

Yep.

00:39.9

So let's start off. So why is the web dangerous? The web is dangerous because

00:44.4

there's lots of bad actors, but really bad bots out there trying to hack your site for whatever

00:50.5

reason. We've talked about this in other episodes. If you have a slash admin page,

00:55.0

you know as a default you should change that because you or i could create a little bot that

00:58.5

goes around to every website out there and looks for a slash admin and tries to it's much it's much

01:03.2

worse than that because it's not that we create that bot it's that there are scripts down there

01:08.1

are kits downloadable off the internet that have have scripts to check every known web vulnerability

01:13.1

in every known framework and how to set that to every addressable ip ip address that your computer

01:20.0

can reach so it's like you just have to set up your thing and fire off this kit and this will

01:24.7

go and find every server out there and try every vulnerability against that server right this is

01:29.3

this was called there's probably still is script kitties back in the day where you can download

01:33.2

and run something you don't know how it works but you can still cause a lot of damage so this is

01:37.4

why it's important to keep updated people think oh you know it's not going to affect me i've got

01:41.4

a small site i don't you know this security no this security your isn't if you have a weakness

01:46.3

in your application it's not if your application will get hijacked it's when it's right well and

01:51.3

let's talk about you know so what are the i just thinking of i just saw a headline uh athena which

01:56.1

is jp morgan's trading platform that does billions and billions of dollars of trading um they've

02:01.1

publicly announced they're not going to make it over to python 3 by january 1st so that's a big

02:07.4

invitation to hackers just on the python side not to mention um jango's updates coming up you want

02:14.0

to you want to stay up to date but let's talk about so the biggest risk too so okay but that's

02:18.9

slightly even because they'll pay people to mentor to backport security fixes to 2.7 for as long as

02:23.9

they have to right yes but still there will be yeah that's perhaps an unfair example it's just

02:29.5

for them for them it's just going to be disproportionately expensive because they'll

02:33.2

have to pay you know super consultant rates for every you know thing to make sure that they get

02:37.9

past compliance that they've done it whereas everybody else who can't afford that budget

02:42.4

is just going to be stuffed right i would say so what's so what's before we get into the technical

02:48.1

things. So the biggest risk is what's called social engineering, which is people. So that's

02:52.8

some individual who has access to things is compromised, either they're disgruntled,

02:58.9

but more likely they click on a phishing link. So someone sends them an email that looks like

03:02.5

a real email, they click on a link. I mean, this is what happened in the US in our elections,

03:07.5

some people in Hillary Clinton's staff clicked on phishing email links, click on one link,

03:12.2

and it goes to a site that looks like a site, but it's not. We'll get into how that kind of works.

03:16.8

And then that person, their level of permissions are now owned by Russia or whomever.

03:24.0

So the biggest risk is always people.

03:25.6

So you want to make sure that you set permissions.

03:29.2

Permissions are set appropriately.

03:30.5

You want to have a lot of permissions levels in your application.

03:34.3

You also probably two-factor authentication is a good idea.

03:36.8

I know there's some talk about eventually rolling that into Django itself.

03:42.1

But permissions, I would say, is the biggest one.

03:44.1

Like, for example, do non-engineers need write access?

03:46.3

No.

03:46.8

yeah i mean there's this kind of principle of least privilege right so that you know and it

03:52.0

might sometimes be a pain or wouldn't it be nice if i could just do this thing well do you need to

03:56.3

do that is it not just for the sake of security bear that you can't do that and you have to go

04:00.3

past this through this other person who can and yeah and it's i mean it's a tough job to be the

04:04.6

you know chief security officer or whatever the title is it especially at larger companies in

04:08.6

some ways you're you're the whipping post because it is it seems like it's expensive up front to do

04:14.7

all these things until something bad happens and if you don't do these things they will happen

04:19.0

so it's it's you know it's important to do the i mean the number two risk i would say i'm curious

04:24.7

what you think carlton after people so social engineering would be uh updates just keep up to

04:29.2

date keep up to date with django most of the minor releases are security related uh especially

04:35.0

third-party packages for example django crispy forms um just went from up to 1.1.8.0 but um

04:42.9

the one from 1.71 to 1.72 there was a uh security issue there right that i know adam adam johnson

04:51.1

you were mentioning i should update my books to uh fix that but yes i mean the key the key point

04:58.1

is keep like the minor fixes they probably you know that's where you'll find oh there was this

05:02.6

little injection of vulnerability let's patch that right the minor fixes are almost always a security

05:07.9

thing i guess what else would they be maybe like some egregious bug fix but well yeah well like it

05:14.1

depends on the policy right so django itself like the main the main the current major version so

05:19.1

currently 2.2 will receive bug fixes for the um the current for that current version but bug fixes

05:26.6

for new features right so if it was a new feature introduced in 2.2 then you'll get a bug fix in

05:31.7

2.2.4, say. But beyond that, the extended release, the 1.11.25, that's the LTS. All those long year

05:43.1

and a half, three years of whatever it is of security releases, they are security releases.

05:49.3

They would also get data loss bugs, but those are so few and far between as to almost never happen.

05:57.5

So the majority of patches there are security fixes

06:01.0

and most of them are public in that, you know,

06:03.4

there's a database, a CVE database of security exploits

06:09.9

and you publish those so that people know about them

06:11.8

and know what the mitigation is and, you know,

06:14.5

people who are interested in security subscribe to those mailing lists

06:17.8

and they know about them so they know what to update.

06:19.9

It's really important that you keep up to date.

06:22.2

And as I said, as we were talking about at the beginning,

06:23.9

it's because for every vulnerability,

06:26.3

someone will write the, and it's not someone evil, it'd be a penetration tester, a pen tester,

06:31.2

right? Someone whose job it is, is to find out whether an application is secure so that they

06:35.1

can secure it. But they write the kit, but the kit can be used for good or for evil. You know,

06:42.1

it can be used for penetration testing, which is a legitimate use, or it can be used for

06:47.7

penetration, which is obviously not so good. Less legitimate. And we've, we've talked to

06:52.8

another episode about how to update Django. There's all these great deprecation warnings.

06:58.3

and what you want to do is you want to go through and run oh i'm forgetting off the top of my head

07:02.4

what is it it's with the w flag what's the yeah so you so with so python and then cap dash capital

07:08.1

w for warnings right and if you put warnings all wall right it's because it reads like wall

07:14.2

but warnings all then all these deprecation warnings um or pending debt so there's kind

07:19.5

of levels a pending debt deprecation warning means it's not quite deprecated but it will be soon and

07:24.2

then the deprecation warning means hey you really better fix this now because it's going to disappear

07:28.1

it very shortly um but by default pending deprecation warnings are silent so without

07:33.6

this all flag yes they don't show up but you want to run that at least time to time or at least in

07:38.3

perhaps in your um in your ci as a different build so you can um you can see these deprecation

07:44.1

warnings and then you've got ages and ages to fix them so yeah like you know if there's a if

07:49.4

there's an a deprecation introduced in django 3.0 it will be it won't be removed until django 4.0

07:55.2

so you've got like three whole versions to or however many to fix it yeah like 3.3.0 3.1 3.2

08:01.9

and then 4.0 is that the is that the agreed timeline there's only 3.2 yeah so we've so the

08:08.2

way it works now is we have um the new the the the 0.2 version will be the lts and then the next

08:14.4

major version will follow that so 3.2 will be followed by 4.0 okay good so what else uh well

08:22.1

if you're curious on i'll just slightly plug myself if you're curious on how to actually

08:25.9

step through all this i have a whole chapter actually a couple chapters um in my book

08:30.5

professionals on doing this on making something production ready because the information is out

08:36.4

there but it may not be in the most concise form so what's another step environment variables this

08:42.3

is another must have for security and basically anything you don't want to put secrets in source

08:47.2

control so you don't want something for example your secret key in your settings file api keys

08:51.7

you don't want that floating around so anyone who has access to your code base any employee of any

08:56.5

level can see them so you create an environment variable which basically lives separately and

09:02.0

how would you how would you describe it carlton what's okay so variable well okay so um in the

09:09.1

unix environment every every process which is launched gets an environment um dictionary

09:14.5

basically right as it's launched with keys to strings which um the the launching process can

09:21.1

set and it will be inherited from the launching process hence you know when you're in bash you

09:25.1

might you might have you might have put export um django settings model the the export says and

09:30.9

pass this down to the um child processes yeah so you can store those environment variables

09:36.2

a whole bunch of places but you can access them in python with um os by the os environment environ

09:43.6

or oh the os module dot um and then get environ or the environ dictionary you can access directly

09:50.3

you can set environ and you can use those um to inject these environment variables into your

09:58.1

settings file so so when you first start django start project you get a settings file and it's

10:02.3

got a generated secret key for you and that's fine for when you start but before you deploy

10:06.3

you want to change that to use an environment variable and then you can keep that in a dot m5

10:12.1

file people use a lot and then you know there's various ways of launching with with that environment

10:17.1

with those environment variables in your in your process environment right and you probably want

10:22.2

to generate a new secret key because chances are you've done a couple commits and actually there's

10:26.7

a there's a i'll put the command there's a neat command you can use django's uh generator but

10:31.0

basically it's a 50 uh 50 character long string random string um that's generated that's that it's

10:38.2

it's really important yeah i mean if someone has a secret key that's that's session session keys

10:43.5

all the encryption like everything it's all uses this as kind of like a seed and if that seed's

10:49.3

known then you know then all of that can be um broken because the algorithms are are known and

10:56.2

they're it's good that they're known because then they can be audited but the seed has to be kept

11:01.0

secret otherwise they don't work right and again any commit ever that just one commit out of a

11:07.1

thousand that happens to have the secret key or some other secret there is available to anyone

11:12.5

who hacks into your github gitlab whatever anyone who has access to the code base so

11:16.4

change it yeah um but yeah and these but these things are cheap as well in the you know like

11:21.2

uuids or or whatever secret keys you can just generate a new one yeah yeah right there's not

11:26.8

much cost to doing it um and i would mention so what else uh i mean the main ones we've talked

11:32.8

about this in a deployment episode um we've gone at length but you know turn the bug off

11:37.8

um you want to set your allowed host so you can't just let any old person come in

11:42.2

and if you run the um that there's a deployment checklist built into django and there's docs on it

11:48.1

python manage.py check uh dash dash deploy it will say hey here's all the things you want to

11:54.2

make sure are configured properly for production yeah i get this header or that header strict

11:59.1

transport all these kind of things that you might do and then for me the thing that you you need to

12:05.0

do more than you know the sort of general rule is handling user input so yeah that's the big one the

12:10.7

goal here is you must always filter input and that always means always pass it through a form with

12:15.3

whatever validators are sensible or you know a rest framework serializer or something like that

12:20.0

so you filter all input and then you escape all output so if you know you take if you're going to

12:25.6

take user generated markdown and render it to hdml and put it on a page you must you must run that

12:32.2

through a sanitizer like bleach or you must escape it right now obviously you have to if you're

12:36.9

generating html you have to run it through a sanitizer like bleach because if you escape it

12:42.1

you'll just see you know html in your html page what does it mean to escape something

12:46.8

escape well okay so to escape something um so django gives you the um the escape utility which

12:54.2

will for instance take all uh opening angle brackets and convert them into um and lt semicolon

13:02.9

html entity so instead of it look so if you put if you had angle bracket p close angle bracket

13:10.6

instead of it appearing as an html tag a paragraph tag a p tag in html it would appear as um the html

13:19.0

entity less than the html entity greater than right in between so that it would it would be

13:23.3

viewed uh you'd see it as as the html on the other end of page yeah it just makes it really hard to

13:29.1

describe that yeah it's well i possibly i partly tossed it to you because a little hard to describe

13:33.8

so i actually have if i have a of a link an html escape tool that i built just with javascript that

13:40.3

um on my website wsfinston.com slash html escape tool so you can play around and you can escape or

13:46.5

what is it um uh unescape cold yeah i was gonna say it's a de-escape anyways these are it's got

13:53.4

to be on in unescape now anyway

13:56.7

all right so yeah user input is dangerous um you can't trust someone out there and you want to do

14:03.3

all these you know so if you use use django so sorry the escape function is in django.utils

14:09.8

great great folder do go and rummage through their html.html and then there's escape it's

14:14.6

unescape there's uh conditional escape format html there's all sorts of good stuff in there

14:18.8

yeah strip tags all sorts of extra yeah so we could so let's see so what are the common attacks

14:26.0

i don't think we covered this in a deployment um episode but just just very briefly common web

14:31.9

attacks you should be aware of so the top one is or one of the top ones is sql injection so someone

14:37.2

has your form and tries to put some sql in there like delete database well you hear about the

14:42.7

school where they had little johnny tables who what no there's a there's a joke about it's just

14:47.7

a stupid programmer joke but about how some parents named their um their son um you know

14:54.3

something something colon delete from or semicolon delete from you know take users where it would be

15:01.5

it'd be fun i know these exist but it'd be fun to build a hackable django site you know maybe

15:08.1

just like in sqlite and just you know pull off the protections and just let someone actually do

15:14.6

this because the problem is it's you don't want to play around with this on real sites and a lot

15:18.9

of real sites are just uh shockingly susceptible to these things for one reason or another okay but

15:25.5

it's remarkably hard to these days fortunately to get sql into your database directly like you have

15:33.0

to you you have to like you know so say you're using janga you have to get the connection then

15:37.1

you have to pull out the cursor then you have to concatenate your string and then you have to

15:41.2

like you know that stuff's known but it's not in any of the the books you have to you know dig down

15:46.7

and work out how to use that so you wouldn't be able to get user concatenated sql into your

15:52.0

database if you're using the the orm unless you tried you'd have to really right another reason

15:57.9

to use of a good framework like django instead of doing it raw among others so what else um

16:04.3

xss cross-site scripting someone injects a little bit of javascript into your page

16:09.4

this is why you want to automatically escape um user input csrf is a big one cross-site request

16:15.9

forgery that just basically exploits the trust in a user's browser so this is why whenever you're

16:20.5

doing a form that has a post in django you want to put in those csrf tag to load in the csrf

16:26.1

middleware which will puts in a random secret key basically as a cookie that doesn't let you

16:32.4

so so why does this work it's like if you're logged into two different um what's a classy

16:37.8

example if you log into a banking site a server sends back a session token again this is because

16:43.2

The HTTP is stateless. So each request is kind of independent. But what happens if I get in a

16:49.1

separate tab, I have an email open, someone sends me a link, and it sends me to something that looks

16:53.0

like my banking site, but it's not actually the banking site, but my browser already has loaded

16:57.5

my token. So basically, that person on this fake banking site, because I'm logged in another

17:03.6

tab, in this new tab, can act like me and can do all sorts of nefarious things like take out money

17:09.3

because i'm still logged in so this is i mean sort of the fundamental trade-off of the statelessness

17:15.4

of the web is this security problem of how do you know that another tab open is actually the

17:21.0

correct one yeah and so what you do what the csrf does is it injects this csrf token in and it you

17:28.7

know if standardly it's required for all post all post requests which are going to change something

17:33.5

and if the post data doesn't include the correct csrf token then the post request will be

17:39.6

rejected even if all the other fields were valid but you still you have to add the csrf tag

17:45.2

yes so right so if you're rendering a form you have to add that yeah yeah i mean that's

17:50.0

i wonder if almost never would you not want to have that there automatically yeah no i mean like

17:56.2

this used to be a a big issue and it's almost not an issue at all anymore because the modern

18:03.3

web frameworks not just django but all the modern web frameworks handle this in more or less the

18:07.4

same way and it's kind of as long as you follow the practice and you use csrf yes you really are

18:13.6

protected you know it's it's kind of nice you know what else are there some others that well

18:21.4

i can go through so click jacking that's another one there's a middleware to protect against this

18:25.3

that's if someone puts a hidden iframe so an iframe could be when you put another site in a

18:30.5

site so for example if you have a google maps embedded on a site or a youtube video but what

18:35.4

happens is someone can just because it looks like something doesn't mean that's what it is so someone

18:39.6

could show an image of a kitten and you think oh that's a cute kitten but actually it goes to

18:44.4

amazon and tries to make an order or something on your site so jane goes uh click jacking middleware

18:49.5

checks basically whether a resource can be loaded within a frame iframe on the page is that is that

18:56.2

you basically want to yeah yeah and you basically want to say no um yeah almost you can turn it off

19:01.4

but almost never do you want to yeah i mean like someone do that i can't think that i've wanted to

19:07.0

actually embed my own site in a y-frame more than a few times like if you're if you're if you'll

19:11.7

discuss right where they've got that comment widget thing yes you're better then okay then

19:16.5

you need people to be able to embed your site in an iframe but if you're not discuss is it

19:21.8

Disqus, Disqus, yeah, it's D-I-S-Q-U-S,

19:24.2

whatever, how do you pronounce it?

19:25.9

I don't know, it's comment, so I thought it was Disqus.

19:28.4

Built with Django, I believe.

19:30.6

Okay, well, there you are, go Disqus.

19:34.0

But, you know, if you're not them,

19:35.6

when have you ever wanted to put your site in an iframe?

19:38.7

Yeah, I mean, the only, you know,

19:39.9

I think the classic example is just like a static site

19:43.8

where you want to, I don't know,

19:45.7

or a WordPress site for a client where you want to put in the map

19:48.4

so people can find it, something like that.

19:50.5

but on a django site um i mean you can still do it but that's the only example i can think no i

19:55.2

mean there are you know if you i don't know like these little widgets where you want to embed it in

20:00.1

some other site then yeah okay you might use an iframe there because um they're still the most

20:04.5

you know they're still the most powerful way of being able to do stuff on your site right but

20:08.2

it's also the the danger of a widget is you're trusting that widget and all their friends to be

20:12.8

good actors um and they may not be or maybe they are but then you're still using the widget and

20:18.9

someone takes control of it or you know so this is i mean so i've said this pattern a few i've

20:24.9

suggested this pattern a few times on the podcast but if you're in this kind of situation then what

20:28.8

you actually want to do is have two django apps you want to have your main django app which is

20:33.2

sensible and doesn't let you know it's got all your on-site functionality and it doesn't let

20:38.9

anybody embed in an iframe and then with the same project you just want another

20:42.1

WSGI.py file somewhere else that serves a an optimized and minimized Django app which just

20:49.1

does the iframe necessary bit and it doesn't have access to all the other stuff because you don't

20:54.7

want

20:55.0

you don't need to have all that in all of it in one application the same with async stuff you might

21:01.1

you you might need only a couple of endpoints which need the new async stuff or just serve

21:05.7

those from us with a with a different worker with a different um you know server and have most of it

21:10.9

going through the you know tried and tested whiskey pipeline and then just have you know

21:16.0

your web sockets coming into a different worker a different um server endpoint or a different

21:20.6

in a process yeah that seems like good advice to me so so what's the takeaway so security is

21:26.9

important django basically has you covered but you have to use django appropriately and that would

21:31.3

means i would say definitely run the deployment checklist yeah make sure you're using environment

21:36.4

variables if you do those two things django will hold your hand uh there's a host of smaller things

21:42.8

but that gets you most of the way there if you pass i'd say one more that you got it filled

21:46.9

filter input and escape output and if you do that the major attacks are covered yeah so three things

21:54.9

because it's a it's cross-site scripting right if you don't you know that's the big danger is

21:59.7

um but i mean but django if you're using django templates they automatically auto uh auto escape

22:04.8

this yeah it's for you they do and forms also do um check validation and uh forms will also

22:12.8

protect you right but the the day the difficulty comes when people want to for instance allow user

22:18.4

submitted urls okay so then you've got a there are filters like um uh you are iri to uri where

22:25.6

which you should run any user submitted um urls through to make sure they're incorrectly url

22:30.9

encoded and like escaping's a bit more complicated than django does it all for you yes if you just

22:38.4

But if you just take the user-submitted content

22:44.1

and you put it into a template, Django will auto-escape it.

22:47.2

But sometimes you don't want it escaped

22:48.8

because an escaped URL won't work.

22:52.2

So you need then to run it through the appropriate filters

22:54.4

to make sure it's safe to present that URL.

22:57.5

Right. And you mentioned too just the Django Bleach package,

23:00.7

which we'll link to.

23:01.5

Well, Bleach is a Mozilla package.

23:03.5

So say you actually want to present user-submitted HTML.

23:10.2

So you can't escape it because it ceases to function as HTML once it's escaped.

23:14.2

So you have to sanitize it, and Bleach is a sanitizer,

23:17.3

and it will enable you to provide a very limited set of tags

23:22.3

and a limited set of attributes,

23:24.0

and anything which doesn't match those gets stripped out.

23:26.8

So for instance, GitHub have a markdown editor field.

23:31.5

right you can't put any old html in there there's a very limited set of html you try putting a strip

23:37.0

script tag in there it just won't appear because they filter that out i was just wondering if

23:42.3

so there is that django bleach package if if that if you would recommend using that versus oh i've

23:48.2

never used that i didn't even know so i didn't even know there was a django bleach package i

23:52.0

don't know yeah yeah they for me i just use bleach and i guess well this last tangent i mean that's

23:57.5

something i find more and more as i'm progressing in my django journey is that i see well specifically

24:03.3

with markdown i'm building something that i'm using markdown and there's a whole bunch of django

24:06.3

markdown packages but i mean i can also just pull in what is it markdown to whatever the python

24:12.3

library is and create a custom template uh custom filter so uh it's sort of a nice place to get when

24:20.2

i look at an app and can think do i really want all that functionality and all that um trust that

24:25.5

comes along with it i mean a lot of times it's helpful but if i can just do it manually more and

24:29.1

more i would rather roll it myself if i can do it concisely okay so this yeah and this comes back

24:36.5

neatly full circle the number two um risk we said was not updating and why don't people update they

24:43.5

don't update because there's a third party dependency which isn't compatible with the

24:47.0

new version yes so don't take on third party dependencies is is a big issue we just had one

24:52.2

with django today python 3.8 has been released and there's this traceback lib that we use with

24:57.9

the test runner to format um format tracebacks and that's great but it's got a bug that's fixed

25:06.2

in master um against django against python 3.8 but it's not been released yet so we now have to

25:12.2

we've had to insert a conditional skip this test if this version is lower than because in order to

25:19.0

get around that and and django doesn't take on dependencies for exactly this reason because then

25:22.4

we're tied on them and okay that will be released soon and then you know we'll be able to drop that

25:27.0

skip if but projects really get stuck oh i'm using you know this third-party package which hasn't

25:32.1

been updated in three years and it's not compatible with any supported version of django so i'm on an

25:37.2

end-of-life django because of some third-party package that i took on because it saved me half

25:41.8

an hour on the first day oh that is so true that's so true i think i think half our listeners

25:48.8

are going to go and half are going to like that's an interesting idea but right so don't take on

25:53.5

third-party dependencies i mean not for not unless you know it's interesting don't do it lately yeah

25:57.4

don't don't do it lightly is it when what's its update cadence so like you know okay you mentioned

26:01.9

crispy forms that have been updated hadn't been updated for a year and a half it hadn't need to

26:05.3

be because it was 2.2 compatible a long time ago and we've just updated a release which is 3.0

26:10.4

compatible and since my talk at jungle con europe i've had loads of new contributors to help me get

26:14.8

the bootstrap stuff going much better so i'm really pleased with that thank you everybody

26:18.4

right um right but the whole point is crispy forms is stable as as whatever a year a year and a half

26:25.6

between releases it's not a problem for crispy forms but a package where it's new you know it's

26:30.9

only had 30 commits it's only got one contributor and it be you got to be really cautious about

26:35.8

taking that on but can you can you get what you need from it without having a third party

26:41.4

dependency if you can i would recommend it right i almost wonder it'd be nice if there was a

26:46.1

like a check mark that you could see oh something hasn't been updated in a year

26:50.5

but that's because it's fine or because it's super stable right well but like a stability

26:55.6

thing because even krisky form or you know whatever package is stable there's still going

27:00.7

to be a whole ton of issues and and prs and if you're not knowledgeable you may well there may

27:06.3

be some and you may look and see well this hasn't been updated for a year and a half and i see a

27:09.9

whole bunch of prs i don't know if i can trust it and it turns out those are minor things versus a

27:14.7

boo like there isn't python 3 support that yeah um i don't know the answer to that to be honest

27:20.4

that that's difficult i mean that took i mean that took me a long time i used to be like oh you know

27:25.7

i can just bring in this third-party dependency and bang some stuff out and then that you just

27:29.8

find yourself getting into a spider's nips is that the right way a spider's nest spider web

27:34.9

i don't know but tangled up you get tangled up in these dependencies which

27:39.1

aren't really giving you much value okay that's a lot to say on security hopefully that helps

27:43.4

everyone we'll have links to everything as ever we are at django chat.com chat django on twitter

27:49.8

and we'll see you all next week bye bye bye join us next time