Processing payments for the paranoid¶
By Andy McKay
- @andymckay
- Works at Mozilla
- Presented barefoot
The Mozilla Marketplace is the app store for Firefox OS and this Django powered site takes payments from users.
Combined with issues like localisation, identity and scale - we are processing payments through Django. This talk will cover the marketplace, the architecture of the system and how we cope with all the paranoia.
Mozilla Marketplace¶
- Powered by Django
- Don’t call it an “app store”
- accepts payments
- Powered by open source project ‘zamboni’
Note
Report bugs to Mozilla via their reporting system and they’ll pay you.
Steps for purchase¶
- Set up your account with Mozilla
- Purchase and use an app
- Mozilla bills your carrier
All powered by Solitude: https://github.com/mozilla/solitude
Vulnerabilities they had to consider¶
SQL injection¶
- careful evaluation of how the ORM is used, since raw-SQL paths are where string formatting creeps in
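To make the ORM point concrete, here is an added example (not code from the talk or from zamboni) that puts the vulnerable pattern beside the parameterised one. It uses the standard-library sqlite3 driver so it runs without Django; the table and the injection payload are constructed for the demo. In Django the same distinction applies to `Model.objects.raw()`, `.extra()` and `cursor.execute()`: pass values as `params`, never format them into the SQL string.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a Marketplace-style user table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_user (id INTEGER PRIMARY KEY, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO app_user (email, is_admin) VALUES (?, ?)",
        [("alice@example.com", 1), ("bob@example.com", 0)],
    )
    return conn


def find_user_vulnerable(conn, email):
    # Bug: the caller's string is pasted into the SQL text, so quotes and
    # operators in it become part of the query. This is what
    # Model.objects.raw("... WHERE email = '%s'" % email) does in Django.
    sql = "SELECT id, email FROM app_user WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    # The value travels as a bound parameter; the driver never splices it into
    # the SQL text. Django's filter()/get() and raw(sql, params) work this way.
    sql = "SELECT id, email FROM app_user WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed payload: closes the quoted literal and appends an always-true clause.
INJECTION = "nobody@example.com' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, INJECTION),
        "safe": find_user_safe(conn, INJECTION),
        "safe_normal": find_user_safe(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the payload, the vulnerable query returns every user while the parameterised one returns nothing, because the whole string is compared as a literal email address.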
Ourselves¶
Many breaches originate internally, not from technical attacks from outside.
Wrote anonymizing code
Inside the DB:
- removed personally identifying information
- encrypted other data
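An added example of the anonymising step, written for this page rather than taken from the Marketplace code: it takes rows shaped like a production user table, drops the personally identifying fields outright, and replaces the email with a keyed-hash pseudonym so that rows can still be joined across tables without exposing the real address. The rows, field lists and key are constructed for the demo; the talk's encryption of remaining data is not shown here, since the standard library has no block cipher.

```python
import hashlib
import hmac

# Constructed sample rows: what a production users table might hold.
PRODUCTION_ROWS = [
    {"id": 1, "email": "alice@example.com", "name": "Alice Smith",
     "ip": "203.0.113.7", "carrier": "carrier-a", "balance": 1200},
    {"id": 2, "email": "bob@example.com", "name": "Bob Jones",
     "ip": "198.51.100.9", "carrier": "carrier-b", "balance": 300},
]

PII_FIELDS = ("name", "ip")       # removed outright from the copy
PSEUDONYM_FIELDS = ("email",)     # replaced with a stable, keyed token


def pseudonym(secret, value):
    """Keyed hash so the same production value maps to the same token
    (joins across tables still work) while the token cannot be reversed
    or recomputed without the key.
    Assumption: the key exists only inside the anonymising job."""
    digest = hmac.new(secret, value.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def anonymise_row(row, secret):
    out = {}
    for field, value in row.items():
        if field in PII_FIELDS:
            out[field] = None
        elif field in PSEUDONYM_FIELDS:
            out[field] = "user-%s@anon.invalid" % pseudonym(secret, value)
        else:
            out[field] = value
    return out


def anonymise(rows, secret):
    """Return an anonymised copy of the rows; the originals are untouched."""
    return [anonymise_row(row, secret) for row in rows]


if __name__ == "__main__":
    for row in anonymise(PRODUCTION_ROWS, b"demo-only-key"):
        print(row)
```

The point of the keyed hash rather than a plain SHA-256 is that an insider with the anonymised copy cannot confirm a guess ("is this row alice@example.com?") by hashing candidate addresses themselves.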
Defence in depth
Tips¶
Use python-requests
- Python's urllib did not verify SSL certificates properly at the time (verification only became the default in Python 2.7.9 / 3.4.3)
- Requests does it well
- Wrote django-paranoia to log security-relevant events
Includes paranoid forms, which log when a submitted form contains keys that were added to, or removed from, the fields the form declares.
Includes a special sessions component for Django. Logs when:
- user agent changes
- IP Address changes
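An added illustration of the two django-paranoia checks described above. This is not django-paranoia's own code: it is a minimal, framework-free reimplementation of the same idea, with a form-key comparison and a session fingerprint check that both log and return what changed. Field names, session keys and the sample requests are assumptions made for the demo.

```python
import logging

log = logging.getLogger("paranoia")


def check_form_keys(expected_fields, submitted):
    """Compare the keys a client POSTed with the fields the form declares.
    Returns (added, missing). Both are logged: an added key such as
    'is_admin' is a classic mass-assignment attempt, a missing key means
    the client tampered with the form it was given."""
    expected = set(expected_fields)
    got = set(submitted)
    added = sorted(got - expected)
    missing = sorted(expected - got)
    if added:
        log.warning("form received unexpected keys: %s", added)
    if missing:
        log.warning("form missing declared keys: %s", missing)
    return added, missing


def check_session(session, remote_addr, user_agent):
    """Record the client's IP and User-Agent in the session (a dict here, a
    Django session object in practice) on first sight and log any later
    change. Returns the list of session keys whose value changed."""
    changes = []
    for key, value in (("_paranoid_ip", remote_addr), ("_paranoid_ua", user_agent)):
        previous = session.get(key)
        if previous is None:
            session[key] = value
        elif previous != value:
            log.warning("session %s changed: %r -> %r", key, previous, value)
            changes.append(key)
            session[key] = value
    return changes


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed requests: a tampered form, then a session whose UA changes.
    print(check_form_keys(["email", "amount"],
                          {"email": "a@example.com", "amount": "1", "is_admin": "1"}))
    session = {}
    check_session(session, "203.0.113.7", "Mozilla/5.0 (Mobile)")
    print(check_session(session, "203.0.113.7", "curl/7.x"))
```

The session check logs rather than terminating the session, which matters for a payments site serving mobile users: carrier NAT and network hand-offs change a phone's IP address routinely, so an IP change alone is a signal to correlate, not proof of hijacking.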
Note
Just noticed that @andymckay is presenting barefoot at @djangocon @djangofact #djangocon