Python Web Conference 2023 Recap

Python Web Conference is an online conference that brings together the Python web development community. This year it ran from March 13–17 and featured five tracks: App Dev, Cloud, Culture, PyData, and Tutorials. I was especially interested in the App Dev and Cloud tracks, and I was not disappointed. Here’s a recap of my most memorable moments.

By Dwayne McDaniel.

Have you ever felt like you don’t have the expertise and tools required to assess the security of the applications and websites you develop? I certainly have, which is why I appreciate this talk so much. It was a treasure trove of useful resources provided by the Open Web Application Security Project, aka OWASP:

• Top Ten – A list of the most common web application vulnerabilities explained in short, plain English descriptions. It includes “How to Prevent” and “Example Attack Scenarios” for each.
• Cheat Sheet Series – The tagline says it all: “Life is too short. AppSec is tough. Cheat!” These cheat sheets are detailed without being overwhelming. My favorite is the Top 10 Cheat Sheet, with practical steps to mitigate the vulnerabilities in the Top Ten list.
• WebGoat – “A deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.” Python and Node.js versions are also available.
• Juice Shop – “Probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs [capture-the-flag challenges] and as a guinea pig for security tools!”
• Zed Attach Proxy (ZAP) – An actual vulnerability scanner tool intended to find security breaches in your application. Use it carefully and only under authorization of the system being tested.
• SecureFlag – A “capture-the-flag” style game that teaches you how to secure a web application by finding and fixing vulnerabilities.

By Pamela Fox.

I’m constantly on the lookout for new deployment platforms for my Python web apps. I’m especially interested in platforms that allow the team to automate as much as possible, use an infrastructure as code pattern, and have security and monitoring built-in. Azure is one of those platforms, and this talk was a great introduction to the topic. Here are some of the highlights:

• Azure Bicep – Allows you to describe the desired state of your resources in a descriptive, easy-to-read language, and Azure will take care of the rest. This is a great alternative to the Azure Resource Manager (ARM) templates that are currently used to define Azure resources.
• NubesGen – Easily generate Terraform and Bicep templates for your project. Automate your infrastructure using GitOps best practices with GitHub Actions.

By Chad Carlson.

Platform.sh is another Platform-as-a-Service (PaaS) provider that has caught my attention. From this talk I got the impression they offer a very integrated hosting solution that not only takes care of provisioning and deployment, but also includes observability and monitoring tools (think logging and metrics). I was particularly impressed by their Blackfire demo.

By Daniel Roy Greenfeld.

The legendary pydanny took us on a journey through the history of Python web frameworks and presented a very comprehensive comparison of the most popular contenders: Django, Flask, and FastAPI. We learned about the pros and cons of each, with particular attention to speed, developer experience (DX), async support, database integration, and general capabilities. In my mind this solidified FastAPI as the clear winner when it comes to speed and async support, but Django is still a strong contender due to its “batteries included” approach (the admin, for example, is plain magic) and wide ecosystem of third-party packages.

By JJ Asghar.

For years I’ve been part of the trend of making git the single source of truth for an application. Not only the application code lives in the repo, but also configuration files for infrastructure. Additionally, deployments are automated and depend on pushing to git branches instead of a manual process. It turns out this is called “GitOps” and this talk was a great introduction to the topic. What was new to me was the idea of deploy targets polling the repo to detect if they have new changes to deploy, instead of the repo pushing changes to the deploy targets. Apparently this allows applications to be deployed to multiple environments without having to mix different types of configuration files in the repository.

By Paul Everitt.

This is one of those talks where a big chunk went over my head but I was so enthralled by the technology being presented and the passion and charisma of the speaker that I didn’t care! Paul presented a setup where he was able to test Python code running in the browser with actual Python unit tests, instead of the good ol’ “click around until something breaks.” I appreciated the fact that he presented this as a great tool but warned everyone that the performance penalty is high and not something to be taken lightly.

By the Six Feet Up team.

This was one of the social hour activities that I participated in. We were split in two teams and used breakout rooms to answer trivia questions about Python. We went for four or five rounds, and my team was ahead for most of the time. But then the other team caught up and took the win in the last round which involved recalling as much of the Zen of Python as possible. So close!

This was my first remote-only conference, and I was pleasantly surprised by how Six Feet Up organized it. There were no technical issues, the talks were of excellent quality, they facilitated conversations in face-to-face calls and Slack, and just made everyone feel great to be together, even if we were physically apart. I’m looking forward to the next one!