PyCon 2016 in Portland, Or
hills next to breadcrumb illustration

Monday 10:50 a.m.–11:20 a.m.

Seriously Strong Security on a Shoestring (CW)

Kelsey Gilmore-Innis

Audience level:


Are you confident your Python webapp is secure? Really confident? Hand-it-over-to-a-team-of-expert-haxx0rs-to-tear-into confident? Find out how, without any formal security background, we successfully built a site storing some of the most sensitive data imaginable that passed a formal security audit from the best in the business. Content warning: this talk includes discussion of sexual assault.


[Callisto][1] is an online reporting system for college sexual assault. It's written in Django and provides a more empowering, transparent, and confidential reporting experience for survivors. It's absolutely essential that we keep our users' data secure--but as a small non-profit, we could barely afford one full-time developer, let alone someone focused solely on security. Thankfully, although the infosec community can sometimes be intimidating, any one of us can learn how to build secure sites using Python. We'll cover the essential concepts behind securing your users' data and offer examples of how we applied them to Callisto. We'll explore the world of Python security tools, libraries and frameworks that let you stand on the shoulders of security giants. I'll give you the language and ideas you need to get every person in your organization contributing to your security goals. Finally, you’ll learn about how to verify your hard work both informally and formally, and hear about how we underwent a production security audit from a professional firm, just 6 months after first seriously delving into security. Spoiler alert: we passed. Doing right by your users can be easier than you think; join me to learn how we did it and how you can too. [1]: