Python Web Conference is an online conference
that brings together the Python web development community. This year it ran from
March 13–17 and featured five tracks: App Dev, Cloud, Culture, PyData, and
Tutorials. I was especially interested in the App Dev and Cloud tracks, and I
was not disappointed. Here’s a recap of my most memorable moments.
App Security Does Not Need to Be Fun: Ignoring OWASP to Have a Terrible Time
Have you ever felt like you don’t have the expertise and tools required to
assess the security of the applications and websites you develop? I certainly
have, which is why I appreciate this talk so much. It was a treasure trove of
useful resources provided by the Open Web Application Security
Project, aka OWASP:
- Top Ten – A list of the most common
web application vulnerabilities explained in short, plain English
descriptions. It includes “How to Prevent” and “Example Attack Scenarios” for each.
- Cheat Sheet Series – The tagline says
it all: “Life is too short. AppSec is tough. Cheat!” These cheat sheets are
detailed without being overwhelming. My favorite is the Top 10 Cheat
Sheet, with practical
steps to mitigate the vulnerabilities in the Top Ten list.
- WebGoat – “A deliberately insecure
application that allows interested developers just like you to test
vulnerabilities commonly found in Java-based applications that use common and
popular open source components.”
Node.js versions are also available.
- Juice Shop – “Probably the most
modern and sophisticated insecure web application! It can be used in security
trainings, awareness demos, CTFs [capture-the-flag challenges] and as a guinea
pig for security tools!”
- Zed Attack Proxy (ZAP) – An actual vulnerability
scanner intended to find security weaknesses in your application. Use it
carefully, and only with authorization from the owner of the system being tested.
- SecureFlag – A
“capture-the-flag” style game that teaches you how to secure a web application
by finding and fixing vulnerabilities.
1-Click Deploys of Python Web Apps to Azure
I’m constantly on the lookout for new deployment platforms for my Python web
apps. I’m especially interested in platforms that allow the team to automate as
much as possible, use an infrastructure as code
pattern, and have security and monitoring built in. Azure is one of those
platforms, and this talk was a great introduction to the topic. Here are some of
- Allows you to describe the desired state of your resources in a descriptive,
easy-to-read language, and Azure takes care of the rest. This is a great
alternative to the Azure Resource Manager (ARM) templates currently used to
define Azure resources.
- NubesGen – Easily generate Terraform and Bicep
templates for your project. Automate your infrastructure using GitOps best
practices with GitHub Actions.
Optimizing Django Deployments with a Continuous Observability Strategy
Platform.sh is another Platform-as-a-Service (PaaS)
provider that has caught my attention. From this talk I got the impression they
offer a very integrated hosting solution that not only takes care of
provisioning and deployment, but also includes observability and monitoring
tools (think logging and metrics). I was particularly impressed by their
No Holds Barred Web Framework Battle
By Daniel Roy Greenfeld.
The legendary pydanny took us on a journey through the history of Python web
frameworks and presented a very comprehensive comparison of the most popular
contenders: Django, Flask, and FastAPI. We learned about the pros and cons of
each, with particular attention to speed, developer experience (DX), async
support, database integration, and general capabilities. In my mind this
solidified FastAPI as the clear winner when it comes to speed and async support,
but Django is still a strong contender due to its “batteries included” approach
(the admin, for example, is plain magic) and wide ecosystem of third-party packages.
Taking a Step Back and Leveraging GitOps to Wrangle Your Clusters and Projects
For years I’ve been part of the trend of making git the single source of truth
for an application. Not only does the application code live in the repo, but so
do the configuration files for infrastructure. Additionally, deployments are
automated and are triggered by pushing to git branches instead of by a manual
process. It turns out this is called “GitOps,” and this talk was a great
introduction to the topic.
What was new to me was the idea of deploy targets polling the repo to detect
if they have new changes to deploy, instead of the repo pushing changes to the
deploy targets. Apparently this allows applications to be deployed to multiple
environments without having to mix different types of configuration files in the repository.
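To make the pull-based model concrete, here is a toy reconciler written for this recap; it is an added example, not code from the talk or from any GitOps tool. The "repository" is a constructed in-memory commit history whose head holds a desired-state mapping of app name to version, and a deploy target polls that history and converges its own deployed state toward it. The security-relevant property it illustrates is that the target only needs read access to the repo; no pipeline has to hold deploy credentials for the environment. Names such as `Repo`, `DeployTarget` and `poll` are assumptions for the illustration.

```python
"""Toy pull-based GitOps reconciler (added example, not from the talk).

Constructed for illustration: the repo is an append-only list of commits,
each carrying a desired-state mapping of app -> version. A deploy target
polls the repo, and whenever the head commit changes it reconciles the
environment it owns toward the declared state. The target needs only a
read-only view of the repo; nothing pushes credentials to it.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Commit:
    sha: str                 # constructed commit id, not a real hash
    desired: dict[str, str]  # app name -> version that should be running


class Repo:
    """Minimal stand-in for one branch of a git repository."""

    def __init__(self) -> None:
        self._commits: list[Commit] = []

    def push(self, sha: str, desired: dict[str, str]) -> None:
        self._commits.append(Commit(sha, dict(desired)))

    def head(self) -> Commit | None:
        return self._commits[-1] if self._commits else None


@dataclass
class DeployTarget:
    """One environment (e.g. staging) that polls the repo and reconciles itself."""

    name: str
    repo: Repo
    deployed: dict[str, str] = field(default_factory=dict)
    last_seen_sha: str | None = None
    log: list[str] = field(default_factory=list)

    def poll(self) -> list[str]:
        """One polling cycle. Returns the actions taken; empty if nothing changed."""
        head = self.repo.head()
        if head is None or head.sha == self.last_seen_sha:
            return []  # no new commit since the last poll: nothing to do
        actions = self._reconcile(head.desired)
        self.last_seen_sha = head.sha
        return actions

    def _reconcile(self, desired: dict[str, str]) -> list[str]:
        """Converge the deployed state toward the declared state, step by step."""
        actions: list[str] = []
        # Deploy or upgrade anything whose declared version differs from what runs.
        for app, version in desired.items():
            if self.deployed.get(app) != version:
                actions.append(f"{self.name}: deploy {app}@{version}")
                self.deployed[app] = version
        # Remove anything that is no longer declared in the repo.
        for app in list(self.deployed):
            if app not in desired:
                actions.append(f"{self.name}: remove {app}")
                del self.deployed[app]
        self.log.extend(actions)
        return actions


def demo() -> tuple[list[str], list[str], list[str]]:
    """Three polling cycles: initial deploy, idle poll, then a changed head."""
    repo = Repo()
    repo.push("a1", {"web": "1.0", "worker": "1.0"})
    staging = DeployTarget("staging", repo)
    first = staging.poll()            # deploys both apps
    second = staging.poll()           # same head commit: no-op
    repo.push("b2", {"web": "1.1"})   # web bumped, worker dropped from the repo
    third = staging.poll()            # upgrades web, removes worker
    return first, second, third


if __name__ == "__main__":
    for cycle in demo():
        print(cycle)
```

Because each target polls on its own schedule and reads only the state declared for it, a second environment could be added as another `DeployTarget` instance pointed at its own branch or path, without the two environments' configuration being mixed together.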
Joyful Pyodide with… Tests?
This is one of those talks where a big chunk went over my head but I was so
enthralled by the technology being presented and the passion and charisma of the
speaker that I didn’t care! Paul presented a setup where he was able to test
Python code running in the browser with actual Python unit tests, instead of the
good ol’ “click around until something breaks.” I appreciated the fact that he
presented this as a great tool but warned everyone that the performance penalty
is high and not something to be taken lightly.
Python Puzzlers: Test Your Knowledge at Trivia
By the Six Feet Up team.
This was one of the social hour activities that I participated in. We were split
into two teams and used breakout rooms to answer trivia questions about Python. We
went for four or five rounds, and my team was ahead for most of the time. But
then the other team caught up and took the win in the last round, which involved
recalling as much of the Zen of
Python as possible. So close!
This was my first remote-only conference, and I was pleasantly surprised by how
Six Feet Up organized it. There were no technical
issues, the talks were of excellent quality, they facilitated conversations in
face-to-face calls and Slack, and just made everyone feel great to be together,
even if we were physically apart. I’m looking forward to the next one!