Kingdom: Environment
This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
Insecure Deployment: Non Production Ready
Abstract
The application contains a component that is not designed to be deployed on a production environment.
Explanation
The Django application exposes the
"The
This view will only work if
That's because this view is grossly inefficient and probably insecure. This is only intended for local development, and should never be used in production."
serve view of the static files application which is not designed to be deployed in a production environment. According to Django documentation:"The
static files tools are mostly designed to help with getting static files successfully deployed into production. This usually means a separate, dedicated static file server, which is a lot of overhead to mess with when developing locally. Thus, the staticfiles app ships with a quick and dirty helper view that you can use to serve files locally in development.This view will only work if
DEBUG is True.That's because this view is grossly inefficient and probably insecure. This is only intended for local development, and should never be used in production."
References
[1] Django Foundation The staticfiles app
[2] Django Foundation Managing static files
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality
[7] Standards Mapping - OWASP Mobile 2024 M2 Inadequate Supply Chain Security
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
[11] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001500 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001500 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001500 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001500 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001500 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001500 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001500 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001500 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001500 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001500 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001500 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001500 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001500 CAT II
desc.structural.python.insecure_deployment_non_production_ready_staticfiles