Hardening of django application can be verified with:
https://pypi.python.org/pypi/django-secure/
https://www.ponycheckup.com/
https://www.htbridge.com/websec/
https://pypi.python.org/pypi/dependency-check/
Deployment checklist recommended by OWASP:
https://docs.djangoproject.com/en/1.11/howto/deployment/checklist/
Django (Cube choosen web framework) is using ORM models to separate the users from creating SQL queries for they own. Django implements querysets with parametrization which additionaly protects the database to be attacked by malicious input.
https://docs.djangoproject.com/en/2.0/topics/security/#sql-injection-protection
Cube uses two-factor authentication with SMS to enhance security in this field. There are also strict password policies that checks for password complexity, length, similarity to user attributes or to one of the 1000 common passwords.
https://docs.djangoproject.com/en/2.0/topics/auth/passwords/#enabling-password-validation
Cube is complient with this requirements because there is TSL encryption turned on for all network traffic. Passwords stored in the database are encrypted with PBKDF2 algorithm with SHA256 hash defautly in Django. This way passwords are securily obfuscated with salted hashing.
https://docs.djangoproject.com/en/2.0/topics/auth/passwords/#how-django-stores-passwords
Cube uses simpler data formats like JSON in its API endpoints. That mitigates the risk of attack with uploading malicious XML file. Even though Django is still very nice prepared for handling XML inputs with server-side form validation, data serialization and more. Any XML vulnerabilities that existed in previous versions of the framework were fixed in Django 1.5
Django implements extensive permission model with superuser and staff roles. Permissions can be extended by custom rules and such behavior is commmonly used in Cube.
Cube is regulary tested with Web Server Security Test provided by High-Tech Bridge SA company. Results from such tests reveal any security misconfigurations, which are immediately being fixed. OWASP also recommend to follow the Django Deployment checklist, which is also covered by Cube deployment practices. Cube Developers are also using an automatic tool that comes with django-secure library that checks security vulnerabilities of the application.
https://www.htbridge.com/websec/
https://www.owasp.org/index.php/SCG_WF_Django
https://docs.djangoproject.com/en/1.11/howto/deployment/checklist/
https://pypi.python.org/pypi/django-secure/
Django provides built-in support for escaping XSS with proper security headers and filters. Cube additionally uses django-csp library to cover Content Security Policy requirements. Third-party scripts used by Cube are strictly limited to specified list of public providers.
https://docs.djangoproject.com/en/2.0/topics/security/#cross-site-scripting-xss-protection
https://django-csp.readthedocs.io/
Cube API is using JSON objects with primitive values, which shouldn’t generate any of insecure deserialization issues. Application uses deserializators from Django REST framework.
http://www.django-rest-framework.org/tutorial/1-serialization/
Cube uses only official sources of third-party libraries and stays up to date with currently supported versions. Developers keeps an eye on the changes in that matter and when any of the libraries comes outdated the problem is being solved with proper upgrade. Cube is also supplied with automatic dependency-check tool that confronts used libraries with the list of National Vulnerability Database (NVD) from NIST.
https://pypi.python.org/pypi/dependency-check/
https://nvd.nist.gov/
Django framework instantly logs any action (requests, failures etc.) taken by the user. Logs are accessible through Heroku CLI and any exception is also sent by e-mail to the Developers Team. Cube is also supplied with New Relic tool that deeply analyses any request sent against the server. Logs from New Relic are accessible via web interface. Team is also familiar with company regulations in the matter of Incident Handling. Such regulations are based on NIST 800-61 rev 2 document.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
https://docs.djangoproject.com/en/2.0/topics/logging/