Security questions on connecting a private enterprise database

Hello,

I’m learning to use Django and creating my first Web App.

I have the following security question:

  • I know that Django creates a database of models (tables) that are migrated, and there can be sessions for each user.

  • But, if I have another database, which is private to the company, is it possible to enable a secure area in the Django WebApp based on login and account management, so that I can display the data from this database in the WebApp? Or, do you not recommend this and it is better to separate a public and a private WebApp? It’s because the functionalities of the Web App will be the same, only one will read from the private database and for the public they will be from the objects they upload and can operate with them there. Can you do security layers? Is Django administration enough? I just don’t trust that it’s safe and can be accessed in the private database even if you have access passwords to the administration account and password to the private database.

I hope you can shed some light on all this.
Thanks a lot in advance!!

Tricia

Maybe I could create a secure path that connects the Django App and my private database through a VPN tunnel? How can I do that?

Lots of questions! Let’s see if I can split them out and offer some opinions individually.

  • is it possible to enable a secure area in the Django WebApp based on login and account management, so that I can display the data from this database in the WebApp?

Yes, the basic Django permissions system (with some features available like the LoginRequired and PermissionRequired mixins) allows you to build a system with that degree of separation and isolation.

  • Or, do you not recommend this and it is better to separate a public and a private WebApp?

This fits into the “it depends” category for me. There are other factors that you may wish to consider such as whether or not it’s the same users on both, or if those users are going to want to access both databases at pretty much the same time - in other words, take into consideration how much integration there needs to be of the two apps from the user’s perspective.

  • It’s because the functionalities of the Web App will be the same, only one will read from the private database and for the public they will be from the objects they upload and can operate with them there.

If the functionality is truly 100% the same, you can actually use the same code but with different settings files to share the code base between the two environments but without sharing data.

  • Can you do security layers? Is Django administration enough?

Yes and yes.

  • I just don’t trust that it’s safe and can be accessed in the private database even if you have access passwords to the administration account and password to the private database.

Web app application security is a multi-layered topic.

  • Yes, the base environment needs to be secure. Django certainly is robust enough on which to provide a secure application
  • But, the application itself still needs to be secure - and that’s on the developers, not on Django.

Odds are, if you have a security vulnerability in your application, it’s in your code, not Django’s. (I’d say this is true for any of the “major” web frameworks. They’ve been battle-tested enough to cover all the key issues at the framework layer. But you can create insecure applications on any platform if you’re not careful.)

Ken
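As an added example (not code from the thread or from Django itself) of the "same code base, different settings, no shared data" idea from the reply above: the two databases are configured from environment variables, and a database router keeps the private company data on its own connection. The router method names are Django's documented router API; the app label `privatedata`, the alias `company`, the environment variable names and the dotted path `myproject.routers.PrivateDataRouter` are assumptions for illustration. The `sslmode` option applies to the PostgreSQL backend.

```python
"""Added example: one Django project, two databases, kept apart by a router.

Assumed layout: Django's own tables (auth, sessions, migrations) live in
"default"; the company's private database is exposed through models with
managed = False in an app labelled "privatedata" and is reached through a
dedicated read-only database role.
"""
import os

# settings.py fragment: every secret comes from the environment, so the same
# code base can run as the public app (no COMPANY_* variables set) or as the
# private app, without either deployment ever holding the other's credentials.
DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": os.environ.get("APP_DB_NAME", "webapp"),
        "USER": os.environ.get("APP_DB_USER", "webapp"),
        "PASSWORD": os.environ.get("APP_DB_PASSWORD", ""),
        "HOST": os.environ.get("APP_DB_HOST", "127.0.0.1"),
        "PORT": os.environ.get("APP_DB_PORT", "5432"),
    },
    "company": {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": os.environ.get("COMPANY_DB_NAME", "company"),
        # A read-only role (assumed name): even a bug in the app or a stolen
        # admin login cannot modify the private database through this account.
        "USER": os.environ.get("COMPANY_DB_USER", "webapp_readonly"),
        "PASSWORD": os.environ.get("COMPANY_DB_PASSWORD", ""),
        "HOST": os.environ.get("COMPANY_DB_HOST", "10.0.0.5"),  # assumed address
        "PORT": os.environ.get("COMPANY_DB_PORT", "5432"),
        # TLS with certificate and hostname verification on the DB connection.
        "OPTIONS": {"sslmode": "verify-full"},
    },
}
# Assumed module path for the router class below.
DATABASE_ROUTERS = ["myproject.routers.PrivateDataRouter"]

PRIVATE_APP_LABEL = "privatedata"  # assumed label of the app holding the read-only models


class PrivateDataRouter:
    """Database router using Django's documented hook names.

    Reads of private models go to "company"; everything else uses "default".
    ORM writes to private models fail closed, relations across the two
    databases are refused, and migrate never touches the company database.
    """

    def db_for_read(self, model, **hints):
        if model._meta.app_label == PRIVATE_APP_LABEL:
            return "company"
        return "default"

    def db_for_write(self, model, **hints):
        if model._meta.app_label == PRIVATE_APP_LABEL:
            # Defence in depth: save()/delete() on a private model raise here,
            # before any SQL is sent; the read-only DB role is the real guard.
            raise RuntimeError("the company database is read-only for this application")
        return "default"

    def allow_relation(self, obj1, obj2, **hints):
        in_private_1 = obj1._meta.app_label == PRIVATE_APP_LABEL
        in_private_2 = obj2._meta.app_label == PRIVATE_APP_LABEL
        return in_private_1 == in_private_2  # only relations within one database

    def allow_migrate(self, db, app_label, model_name=None, **hints):
        if db == "company":
            return False  # never create or alter tables in the company database
        # ...and never create the private app's tables in the default database
        return app_label != PRIVATE_APP_LABEL
```

In the views, `LoginRequiredMixin` and `PermissionRequiredMixin` (from `django.contrib.auth.mixins`) then decide who may reach the pages that query the private models; the router and the read-only role decide what those pages can do to the company data even if that first layer is bypassed.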

Remember that Django itself is running on the server, not in the user’s browser. The only situation where this would be of help is if you’re not running the web app in the same network environment as the database. This is a completely different situation than the other routine security considerations I addressed above.