[Baypiggies] HIPAA, Django and security?

Glen Jarvis glen at glenjarvis.com
Thu Mar 12 20:44:11 CET 2009


I have a customer who has a Django application that I have upgraded to  
Django 1.1.

The customer wants to take this software in a more public arena. He  
has to get HIPAA approval. The data is stored in a MySQL database and  
the standard Django User Authentication model is used (out of the box  
with no changes). Since security is a concern for the customer, I  
wanted to find all information from HIPAA regarding the Django User  
Authentication/Sessions security model. I expected to see documents  
that they have approved this model in the past. But, I'm getting  
caught in all types of minutia and can't seem to find information  
directly relating to HIPAA's criteria for web security and Django User  
Authentication.

I only found one security report (and it wasn't related to session  
login at all):

07.45.60 CVE: Not Available
Platform: Web Application
Title: Django i18n Remote Denial of Service
Description: Django is a Python-based framework for building web
applications. The application is exposed to a remote denial of service
issue because it fails to adequately handle user-supplied input. This
issue affects the "i18n" internationalization system when processing
specially crafted "Accept-Language" HTTP requests. Django versions
0.91, 0.95, 0.95.1, and 0.96 are affected.
Ref: http://www.djangoproject.com/weblog/2007/oct/26/security-fix/

Does anyone know where to find such "stamp of approval" or "denial"  
from HIPAA's point of view? I can find no specific links to Django  
from hippa.org. Which governmental agency site should I be searching  
for with regard to Open Source and security?

Thanks in advance for any direction you can lead me in (where to go or  
who to talk to),

Cheers,


Glen
--
glen at glenjarvis.com

"You must be the change you wish to see in the world." -M. Gandhi
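The advisory quoted above says only that affected Django versions (0.91 through 0.96) could be knocked over by specially crafted "Accept-Language" headers; it does not give the mechanism, and the 1.1 codebase mentioned in the post is not in its affected list. Below is an added example, not code from the post, from Django, or from the advisory, of the defensive handling a practitioner would want around that header regardless: a bounded Accept-Language parser that caps header length and entry count, anchors its regex so token lengths are limited, and only ever hands back a language from a fixed whitelist. The limits, the SUPPORTED list and the function names are assumptions chosen for this example.

```python
import re
from typing import List, Tuple

# Limits are assumptions for this example, not values taken from Django or the advisory.
MAX_HEADER_LEN = 512      # reject oversized Accept-Language headers outright
MAX_ENTRIES = 16          # look at no more than the first N comma-separated ranges
SUPPORTED = ("en", "en-us", "de", "fr", "es")  # constructed whitelist for this demo

# One language-range with an optional q-value (RFC 2616 section 14.4 syntax).
# Every repeated piece has an explicit upper bound, so the regex never matches
# an arbitrarily long token and is anchored at both ends.
_RANGE_RE = re.compile(
    r"^\s*([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)"   # language tag or wildcard
    r"\s*(?:;\s*q\s*=\s*(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?\s*$"
)


def parse_accept_language(header: str) -> List[Tuple[str, float]]:
    """Return (tag, q) pairs sorted by descending q.

    Oversized or empty input yields []; malformed individual ranges are skipped
    so one bad entry does not turn into a request failure.
    """
    if not header or len(header) > MAX_HEADER_LEN:
        return []
    result: List[Tuple[str, float]] = []
    for part in header.split(",")[:MAX_ENTRIES]:
        m = _RANGE_RE.match(part)
        if not m:
            continue
        tag = m.group(1).lower()
        q = float(m.group(2)) if m.group(2) is not None else 1.0
        if q > 0:                     # q=0 means "not acceptable"
            result.append((tag, q))
    # sort is stable, so entries with equal q keep the client's order
    result.sort(key=lambda tq: tq[1], reverse=True)
    return result


def select_language(header: str, default: str = "en") -> str:
    """Pick the best supported language for the request, or the default.

    Only values from SUPPORTED are ever returned, so attacker-controlled
    header content never flows into the application as a language code.
    """
    for tag, _ in parse_accept_language(header):
        if tag == "*":
            return default
        if tag in SUPPORTED:
            return tag
        base = tag.split("-")[0]      # de-DE falls back to de
        if base in SUPPORTED:
            return base
    return default


if __name__ == "__main__":
    # Constructed sample headers, including an oversized one and one with a bad q-value.
    for h in ("de-DE, de;q=0.9, en;q=0.8", "fr-CA;q=0.5, en-US;q=0.9",
              "x" * 600, "en;q=1.5", "zz;q=0, *;q=0.1"):
        print(repr(h[:40]), "->", select_language(h))
```

Note that the whitelist check is what makes this safe to use in a session or template context: whatever the client sends, the application only ever sees one of its own language codes or the default.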
