There are some fundamental tenets to web security, but as web standards evolve and attacks become more sophisticated, practices must change. As the web changes, so will these policies. Contributions are always welcome to improve this documentation. These should not be seen as mandates but as the collective wisdom of the group, built through years of experience and researching best practices.
The Caktus security policies take two primary forms: this collection of documentation and the Caktus project template. The project template serves as a reference implementation of the best practices as they relate to server configuration and deployment. The primary repo is located at https://github.com/caktus/django-project-template, which also depends on Salt states found in https://github.com/caktus/margarita.
Issues will arise when our security policies need to be updated, and we need to keep the team informed when this happens. When any of these change in a significant manner, we’ll include an update at the next Monday morning stand-up.
The project template is managed under the Caktus Github account, and all Caktus developers are welcome to participate in its development. You can follow changes by watching the project on Github and by reviewing open pull requests to see which changes may be coming soon.
All Caktus employees are encouraged to help improve the security policies. You may have a security concern that the current policies do not cover, or feel they are too ambiguous. You may have attended a technical talk or read a recent blog post that brought to light a potential security problem. Whatever the case may be, you can raise these concerns with security@caktusgroup.com.
Additions or updates to the project template can be made through the standard developer practice of opening an issue or pull request. Please keep in mind that this is a public repository, and potential security problems found in the template might impact a number of Caktus projects. If you feel that you have found a potential vulnerability in the default setup, please disclose it to security@caktusgroup.com before opening any publicly visible issues.