My name is Matt Makai and I am a developer evangelist with Twilio. Before I started at Twilio I was doing consulting work in large enterprises across government, nonprofit and commercial organizations, and I discovered that there are a lot of things that came up on every project, drove me nuts and were incredibly frustrating. When I heard that there was going to be an enterprise-related track at DjangoCon, I thought this would be the time for me to vent my frustration into a presentation and also hopefully help you in these situations to solve some of these problems.

So, like a good consultant, I decided I was going to whiteboard this out, but there are no whiteboards in here, so I just drew this ahead of time. This is my whiteboard version of my presentation, and I've also drawn some pictures to go along with it. I am going to use the term "client" to represent the boss figure, the person that is driving what the feature requests are. For people that are staff, it's probably just the boss; for me, in a client consulting relationship, I'm just going to say client, so you know what it is.

So here are the things that I would get requested all the time from clients, the top five things that came up on every project and would drive me nuts. The first one was integrating with Active Directory. It's everywhere; it's literally in every enterprise, and it was always at the last minute: "Oh, we're getting ready to deploy to production. This integrates with Active Directory, right?"
I'm like, "Yeah... well, let me just check on that for a second." So I would make sure that I integrated with Active Directory beforehand, instead of doing it right before production.

The second thing is passing security audits. How do you go about convincing security that this crazy framework called Django (which they always seem to pronounce "the Django") is not something that is any more inherently insecure than the Spring MVC framework that they're used to doing audits on?

The third thing is ingesting legacy data. In any enterprise there are existing systems. How do you interact with those existing systems, or take over existing databases that you are now putting a new front end on?

The fourth thing is securing dependency installations. We now in the Python community have the ability to do pip install whatever framework, pip install Django, and we're so used to doing that. But in an enterprise environment sometimes they think, "Well, that's strange. We don't control that repository of libraries."
"We need something else. We need to secure that connection somehow."

And then the fifth thing is correcting misconceptions. This isn't something necessarily specific to Django, but it's something specific to Python and any sort of dynamic language. It's amazing to me the number of conversations I've had with CIOs or executive-level people that are like, "This dynamic typing thing..." And I'm like, this is not something you should be concerning yourself with as a CIO. But it comes up over and over again, and there is a certain way that I have, through much trial and error, been able to convince many people on the executive level that this is not something that they should be concerning themselves with.

So the first thing is the boss man, the client guy, says: Active Directory integration. Let's make sure we can integrate with our Active Directory system. When I hear Active Directory, my eyes just glaze over, and I'm thinking this is some enterprisey thing, like there's an enterprise diagram that some enterprise architect drew by hand over the course of a year just to figure out where all the systems are. That's not what excites me as a software developer. This is something that I just want to do; I want to get it over with and I don't want to think about it ever again. I just want to do it once.

Actually, Active Directory is not that complicated, by and large. There are a few different setups you can have, but by and large what they really mean when they want you to integrate with Active Directory is: look, we've already stored emails, first names, last names, a bunch of information about our employees and the people in the organization. We just want to make sure that they don't have to plug that information in again, so that when they log into their system they don't have to constantly re-enter that information. They're logging into our Django app for the first time and it says, "Welcome, Kate," and here's the application. They
don't have to punch in anything; it doesn't ask them, "Who are you? What's your user ID?" That information you should be able to look up, and fortunately Active Directory actually supplies it.

So the way that you would handle this: we can look at it as any sort of backend, as if we were doing a model backend, which is the standard one that we'd be using to look up the user in the database. Instead of having a model backend, we can have an Active Directory backend, and the way that we would do this, fortunately, is with python-ldap. Any slide with the green background is a library that you can install. So we can do pip install python-ldap, and this takes away some of the complexity from us. But how do we actually integrate this general python-ldap library into our Django application? Fortunately, it doesn't require that much work.

The first thing would be to add some things to our settings.py file, just like if we're using any sort of dependency. Now, I don't want you to worry too much about the details of what this looks like. First off, my handwriting is pretty terrible, and second, this is just a very abstract sort of pseudo-code way of looking at it. At the end of the presentation I will give you all the resources that I mentioned today. I wrote a blog post specifically for this talk that has links to all the resources I mention in the presentation, all the libraries; it even has the source code to the presentation. So you'll get everything at the end. Just read or look through this stuff and remember that you'll be getting the resources at the end.

So the way that we look at this in the settings.py file is: we have a DNS name, which is our server for Active Directory.
We have a port number that it's associated with; in general that is 389. We have some search fields. These search fields are really what we're looking up: we want to know what the email address is of the user who's logging in or who's using our application, and what their first name and last name are. This is going to be dependent upon your organization and what they decide to store in Active Directory, so that is one question you're going to want to ask ahead of time: what do we store in Active Directory? Do we just use it for basic user information, or do we actually have roles and different privileges that are stored in Active Directory that we should be using, or do we need to rebuild that in our application? And just because you have this information here doesn't mean you can't also have some other username/password or some other authentication scheme. Most of the time, at the very least, it's just used so you don't have to have people re-enter the information.

With the LDAP URL, most of the time you can construct that using the DNS name and the LDAP port; I just hard-coded it there. And then you have some domain. So you add these things into your settings.py based on how your LDAP is set up, and someone in the organization should be able to supply you with that information.

Then you create a class. It is a separate backend class. Fortunately, this is something that is standardized: get_user, authenticate, create user, there's a bunch of functions that you write for a backend, and people have already written gists and libraries that encapsulate this. The idea here is that you should be able to take this backend and turn it on when you want it, and for your own development purposes turn it off when you don't want it. So for our own local development we don't want to authenticate against LDAP; we're just doing our own development work.
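The Active Directory backend the talk sketches on the whiteboard, written out as an added example that is not the speaker's code and not taken from any library: the settings block, a backend class that python-ldap would connect for, and the settings.py switch that turns the directory backend on outside local development. The host ad.example.internal, the USE_ACTIVE_DIRECTORY variable, the adbackend module path and the in-memory fake directory and user store are constructed so the example runs offline; a real python-ldap connection and the Django user model are only imported when no stand-in is injected. It also refuses an empty password, because an LDAP simple bind with an empty password is treated as an anonymous bind and succeeds against Active Directory.

```python
import os

SCOPE_SUBTREE = 2  # the numeric value python-ldap exposes as ldap.SCOPE_SUBTREE

# The settings.py sketch from the talk: where the server is and which attributes to pull.
AD_SETTINGS = {
    "DNS_NAME": "ad.example.internal",  # constructed placeholder host
    "PORT": 389,
    "DOMAIN": "EXAMPLE",  # NetBIOS domain used for DOMAIN\user binds
    "BASE_DN": "DC=example,DC=internal",
    "SEARCH_FIELDS": {"mail": "email", "givenName": "first_name", "sn": "last_name"},
}

# settings.py: the directory backend is switched on for test/production only; local
# development keeps the plain model backend (USE_ACTIVE_DIRECTORY is an assumed variable).
AUTHENTICATION_BACKENDS = (
    ["adbackend.ActiveDirectoryBackend"] if os.environ.get("USE_ACTIVE_DIRECTORY") == "1" else []
) + ["django.contrib.auth.backends.ModelBackend"]

def ldap_url(settings=AD_SETTINGS):
    return "ldap://%s:%d" % (settings["DNS_NAME"], settings["PORT"])

def escape_filter(value):
    """RFC 4515 escaping so a login name can never rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def entry_to_user_fields(entry, search_fields=AD_SETTINGS["SEARCH_FIELDS"]):
    """Map raw LDAP attributes (lists of bytes) onto Django user field names."""
    fields = {}
    for attr, field_name in search_fields.items():
        if entry.get(attr):
            raw = entry[attr][0]
            fields[field_name] = raw.decode("utf-8") if isinstance(raw, bytes) else raw
    return fields

class ActiveDirectoryBackend:
    """Duck-typed Django backend: authenticate() and get_user() are all Django calls."""
    def __init__(self, settings=AD_SETTINGS, connect=None, users=None):
        self.settings = settings
        self._connect = connect or self._connect_real  # injectable for offline runs
        self._users = users  # injectable stand-in for User.objects
    def _connect_real(self):
        import ldap  # pip install python-ldap
        conn = ldap.initialize(ldap_url(self.settings))
        conn.set_option(ldap.OPT_REFERRALS, 0)  # AD referrals otherwise break search_s
        return conn
    def _user_store(self):
        if self._users is None:  # only import Django when no stand-in was injected
            from django.contrib.auth import get_user_model
            self._users = get_user_model().objects
        return self._users
    def authenticate(self, request=None, username=None, password=None):
        # A simple bind with an empty password is an anonymous bind that *succeeds*
        # against Active Directory, so refuse it before ever contacting the server.
        if not username or not password:
            return None
        conn = self._connect()
        try:
            conn.simple_bind_s("%s\\%s" % (self.settings["DOMAIN"], username), password)
        except Exception:  # ldap.INVALID_CREDENTIALS, ldap.SERVER_DOWN, ...
            return None
        flt = "(sAMAccountName=%s)" % escape_filter(username)
        hits = conn.search_s(self.settings["BASE_DN"], SCOPE_SUBTREE, flt,
                             list(self.settings["SEARCH_FIELDS"]))
        if not hits:
            return None
        fields = entry_to_user_fields(hits[0][1], self.settings["SEARCH_FIELDS"])
        user, _ = self._user_store().get_or_create(username=username, defaults=fields)
        return user
    def get_user(self, user_id):
        try:
            return self._user_store().get(pk=user_id)
        except Exception:
            return None

class FakeDirectory:  # constructed stand-in for a python-ldap connection
    def __init__(self, passwords, entries):
        self.passwords, self.entries = passwords, entries
    def simple_bind_s(self, dn, password):
        if self.passwords.get(dn) != password:
            raise ValueError("invalid credentials")
    def search_s(self, base, scope, flt, attrs):
        name = flt[len("(sAMAccountName="):-1]
        return [("CN=%s,%s" % (name, base), self.entries[name])] if name in self.entries else []

class FakeUsers:  # constructed in-memory stand-in for User.objects
    def __init__(self):
        self.rows = {}
    def get_or_create(self, username, defaults):
        created = username not in self.rows
        self.rows.setdefault(username, dict(pk=len(self.rows) + 1, username=username, **defaults))
        return self.rows[username], created
    def get(self, pk):
        return next(r for r in self.rows.values() if r["pk"] == pk)

def demo(username="kate", password="s3cret"):
    """Log in against the constructed directory; returns the user record or None."""
    directory = FakeDirectory(
        {"EXAMPLE\\kate": "s3cret"},
        {"kate": {"mail": [b"kate@example.internal"], "givenName": [b"Kate"], "sn": [b"Example"]}},
    )
    backend = ActiveDirectoryBackend(connect=lambda: directory, users=FakeUsers())
    return backend.authenticate(username=username, password=password)
```

In a real project the settings block lives in settings.py and the class in its own module; the injectable `connect` and `users` arguments are what let the same class run against the fake directory here and against python-ldap and `User.objects` in test or production.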
We want to authenticate against a model backend. So you should just be able to flip that in your settings.py file, so that when you're ready to deploy to your test or your production environment you flip this on. So that covers Active Directory integration. It should be something that isn't scary anymore; it should be something where, okay, I write it once and I'm done with it.

The second thing is passing security audits, and this is obviously not just a technical problem. There's not just a few lines of code that you can write. It's not like you can do pip install security audit. Well, that's actually a really good idea for a library. But there are a bunch of things that you need to know and explain to a security team. One of the things is, as developers, we have our heads down in the code and we're thinking so much about what problems we are solving, implementing new features, getting the system up and running, that we're speaking a completely different language than the security team. One of the things that I found so amazing was I expected the security team to be just as technical as I was as a software developer, but in general, in large organizations, they're not. They actually sometimes don't even have a software development background. We're speaking completely different languages, and when you go into a meeting and you start talking about, "Well, here's how we're implementing things from a security perspective," and you literally hand them piles of code printed out on pieces of paper, they're like, "These guys don't know what they're talking about; they're not speaking the same language as us."

So the first thing to do, if there's a security team, is find out how technical they are, and generally try to find the most technical person, or the person who's the most interested in the software development aspects, and then work with them to figure out what standards they are using. One of the most common standards for web applications is called the Open Web Application
Security Project; they have a top 10 list of security vulnerabilities in web applications, and this is probably something that is the input to a checklist. They're trying to check off boxes. The security team knows there is no application that is completely secure; they want to make sure that the bases are covered, and they generally take those bases, the boxes they're trying to check, from some standard open security protocol like this, or a security checklist like this. It's looking for certain things that, as developers, we should know at least a little something about.

The first thing would be injection, particularly SQL injection. So come into the meeting knowing what SQL injection is and understanding exactly how Django prevents that with the ORM, and highlighting, if we're using SQL, if we drop down into SQL and bypass the Django ORM, we call that out in our own information that we hand to the security team. The second thing would be things like cross-site scripting and also cross-site request forgery. These are things that Django has pages on, and the great part about these is that for each one of these top 10 items,
we don't have to reinvent the wheel as Django developers. There's a great talk by Jacob Kaplan-Moss that talks about every single one of these security vulnerabilities, particularly in the context of Django and how Django handles them. So you can watch that talk and read a blog post, which I'll give to you, which maps these security vulnerabilities against what Django does. Obviously you're going to have to adapt it to your own code that you've written, but what that means is that a lot of the heavy lifting has been done by people who've solved these problems before. So that is in general how I approach security audits. Again, remember the security team is often not nearly as technical as we are, and therefore we want to be speaking their language so that we don't end up in an adversarial relationship with them.

Another thing is transferring legacy data. This happens constantly. We're building new systems in an ongoing ecosystem. The first situation, which can often be the cleanest, is we're just building a new application on a legacy database. There's already stuff out there and we don't have to worry about another application touching that database. It is our database that we're working with; it has existing data, it has existing relationships, and we just need to know how to map our Django application to that. Fortunately, we do not have to do this manually.
There's something called inspectdb. Once we've configured our Django app to read from a database, we can run inspectdb and redirect that into a models.py file, and it will generate the schema for us. Now, we may not know exactly what's in that models.py file, so we could look through it and read through everything, which certainly we're going to have to do at some point, and figure out the structure of the database. But I'm a visual person, and so there's another thing that we can use: we can do pip install django-extensions, and then we can run manage.py graph_models with some output, and it will generate... getting off of our whiteboard for a second, it will generate a picture file that looks like this, that actually shows us the structure of the database. This is fantastic for getting up to speed on what is already out there. We don't have to figure out by hand, okay, what table connects to what other table, what are the foreign key relationships. We can literally visualize this and generate our models.py file.

Now, obviously that's the beginning of the journey. We'll need to migrate tables; we need to figure out if that structure is appropriate for our application. But it certainly is a starting point that we can get to very quickly and start understanding what that legacy database contains for our application.

Now, the situation is not always that simple. Sometimes there is an existing application and the requirement is, well, we just need to get some of the data out of this existing legacy database. So there can be a temptation, because Django, I believe it was as of 1.3 or 1.4, can use multiple databases. You may be tempted to say, well, we have our own database,
and we're also going to have our legacy database; we'll just use two databases for our Django application. However, I recommend against doing this if at all possible. In enterprises weird stuff happens. You don't always have control over the situation. Sometimes there's some sort of political battle that is preventing you from the optimal scenario and you may have to directly connect to the database. You can do this, but what I generally recommend is having some sort of wrapper around that existing application. If there's already a team that is developing software for that other application, have them generate an interface, some sort of API, that allows you to pull whatever data you need out of it on a regular basis. The danger, if you do what I've X'd out here, is that other teams and systems may come along and say, "Oh, you've got access to that data. Can you write me an API?" But you don't actually have control over that database; someone else is touching that database, and so what ends up happening is you become this dependency that you never intended to be. So it's better to push it down onto the application that really does have control over that database.

Now, one of my other favorite applications, from my first job: they are called end user computing applications, and they looked something like this. They were an Excel spreadsheet. The great part was that the company I was working for, a very large company, had so many of these things, literally hundreds, and they have a lot of errors in them. There's no unit testing of Excel spreadsheets. What ended up happening was they had all these cascading errors, and they had to restate financials to the tune of hundreds of millions of dollars, because they kept having errors propagate throughout all their financial systems.
We're talking about a major financial institution in the country. Enterprises are very strange places. Now, fortunately, some environments recognize this is not a sustainable situation, so they'll ask you as a developer to come in and build a system that replaces a spreadsheet. But the caveat is: yeah, we want all the data that's in this spreadsheet to be in the system on day one. So we have a hard cutover, so that when we log into that system it has all the data that we're expecting from our Excel spreadsheet.

There are some tools that will help us do this, xlrd and xlwt, and I'll tell you exactly how you should use them. The first one is for reading Excel spreadsheets, so you can read Excel spreadsheets directly. But I recommend, strongly, strongly recommend, that you have a lot of data validation, and that you agree beforehand: you say what the input is that we should be taking in, and we will reject anything that does not match that criteria. Column B should have only numbers, and if there are any letters we reject that, and we will spit that back out as an Excel spreadsheet with xlwt. So we'll give you back an Excel spreadsheet of all the stuff that does not pass data validation. We're not going to continue to re-ingest this information, but we will suck in as much as we can, and then your team who handles the business side of things can figure out what you need to correct. So you push the data correction onto the team that has to figure out by hand why we put a bunch of letters in a salary column. I mean, this is literally the type of error that happens in Excel spreadsheets; there's just no validation. So you have validation on your side when you suck in the data, and then you have exception scenarios where you just pump out an Excel spreadsheet that says, "You figure this out, and we're happy to take it in when you fix the problems." That is by far the best way and probably
one of the only ways to make this a sustainable situation where you can cut over on day one.

All right, so another thing is securing packages and installations. The two things I want to talk about here: number one, I've gotten on a client site and I've done pip install Django and the thing fails. Well, often we're going through a proxy server and they're funneling all traffic through that proxy server. Now, fortunately, pip has a setting where you can specify a proxy server, but also, as of later versions, it will respect this environment variable, so you can export the HTTPS_PROXY environment variable and pip will respect that. It'll say, okay, I'm going to go through this proxy server, and then it'll begin installing your packages. Just make sure that you set this every time. I've set it before and then I forget to set it in my environment variables, and then my pip will fail and I'm like, what's the proxy server again? So just make sure that if you're going to set this, set it somewhere where you know what the proxy server is before you use pip every time; otherwise it can fail.

Another way: this is our standard setup that we're used to as developers. We go to PyPI and we download the packages, and we have them installed in our virtualenv and we're good to go. But this can be very risky for enterprises. They say we don't have control over this PyPI environment. They don't really care that it's a community resource or anything like that; what they care about is that they want to control it, they want to run their security audit process, and they want to run their scans on a central repository, and that is understandable. There are malicious things that can happen to central repositories that you do not own. So what you really want is something more like this: this is all self-contained in the enterprise. You can certainly do this; in fact, it actually does not take that
long to set up a PyPI environment of your own. The only thing is you're going to have to upload and establish all the packages that you need there, and then make sure the developers are not installing from the central PyPI, that all developers in the enterprise know that this is a centralized repository in the enterprise itself. The only thing about this is, if you've got one team that's working on a Django project and they have to be the ones who are uploading all the packages and making sure everything is scanned, it can be a lot of overhead. So I would fight back against this unless you have multiple teams that are willing to share the burden of hosting your own PyPI server. But it is certainly doable.

All right, and then the final thing is this: what are these dynamically typed languages? As I said in the beginning, it's always amazing to me when CIOs are like, "You know, I don't know about this whole Python thing, you know, it's dynamically typed." I'm like, you haven't programmed a lot of code in like 20 years; what does it matter to you? But it's so funny. So what I used to do is I would always say, look, if Python is good enough for Google, it's good enough for this big company. And the CIO would be like, "But we're not Google." I found that there was a lot of pushback; they're like, we would like to be that place eventually, but we're not there right now.

So the way to mitigate this with an executive team, or people that are pushing back against dynamically typed programming languages, is to actually point out all the places that they're already using it. Look, we've been using Python in all these places for the past 10 years, and guess what, the enterprise has not blown up yet. So if you start going around and take a look at all of the tools that your enterprise is using, a lot of these actually have Python in them, or you're actually using Python with them already. So for example, WebSphere uses Python to
set up its configuration. You can write Python scripts to auto-generate or to do the WebSphere configuration. So okay, there's one use case of Python already being in that environment. If you're using Ansible or SaltStack, or even if you're using Chef or Puppet, those are dynamically typed; they're built on top of dynamically typed languages. Extraction and transformation, taking data out of one system and putting it into another. You point out all the situations in which Python and dynamically typed languages are already being used in the enterprise, and that can be a powerful thing for someone who is just trying to say, "Well, we don't want to introduce too much change into the enterprise right now." You say, you're already using it, and therefore it's obviously safe for consumption, because it's already been here for 10 years.

Now, after that, then you talk about something like: here are the respected peer organizations that are building systems with Python and Django. There's a bonus if you know that there are certain organizations they bring up, like, "These are the leading organizations in our industry." Not necessarily Google or Facebook or something like that, but if they're in the government space or in the financial space, and you know that this group of executives always talks about how this company is doing great things, you can find out what those other companies are doing. And the majority of the time, like, Bank of America is doing a ton of work with Python. They don't really talk about it too much, but it is something that is out there. Because if you're in the financial industry and executives are pushing back on, "Well, we don't want to use dynamically typed languages or Django," but they're always talking about how great Bank of America runs some of their systems, or how they're able to respond quickly with their IT systems, you say, by the way, they're using this already, and that may be one of the reasons why they're outflanking us here. And so that puts a
little bit of pressure from the standpoint of social proof. You're basically saying, look, you don't want to be... there are a few different risks there. So in the first category you're mitigating the risk of "we don't use this already," so you're taking that consideration off the table. Then what you're doing here is you're mitigating, like, look, your peers are using this and they're outrunning you. And that is a fear that many executives have; they're worried about being overrun by other companies, and so you can point out, look, these other organizations are already using dynamically typed languages. And then finally, I do generally have a laundry list of the leading tech companies, and I talk about here's exactly what these tech companies are using Python for, and these companies are doing really great things with small development teams, and if that's the direction of your organization then that's probably something you should be thinking about as well. You basically want to start crossing off the list of all the rebuttals that they can have around dynamically typed languages.

So we covered a few things here. First and foremost, integrating Active Directory. It's not something that should be too scary. There are some great resources out there, and using python-ldap, this is not something that should take you two weeks. You can generally write this stuff in about a day and be done with it and never think about it again, and reuse it on whatever project you go to. Passing security audits: talk in their language instead of just talking in software development language. It can take a little while to get used to that, but you remove the adversarial relationship between the development team and the security team. Ingesting legacy data: there are a few scenarios here. If you're doing a hard cutover then you can do inspectdb, you can graph the data model and figure out how it works. And if you're talking to an existing system, I recommend using an API as opposed to just
connecting directly to the database, because that can be an unsustainable situation. And then also with Excel spreadsheets: make sure you do the data validation and spit out the errors and let them correct the errors, as opposed to trying to correct the errors in your own system. Securing dependency installations: pip will respect the HTTPS_PROXY variable, but you can also set up your own PyPI if that's something that your enterprise is large enough to maintain. And then finally, correcting misconceptions around dynamic typing. There's an approach that tends to work very well. Obviously every culture is different, and the pushback from executives can be different, but there is a structured approach that will allow you to just say this is something that is not too risky; this is something that allows leading institutions to be able to use Python and use it well.

All right, so I told you I'd give you the resources. I know not everyone has cell phone service in here, but if you send a text message (I'll leave this up for just a minute) to this number, 503-476-3056, it will respond back with a text message. This is totally anonymous. If you could give me a score of 1 to 10, 1 being the lowest and 10 being the highest: would you recommend this talk to a friend or a colleague?
This allows me to determine: is this a talk that is valuable to the audience, or is this something that maybe I need to work significantly on, and maybe change out the topic so that it can be more appropriate based on the talk title? A lot of times we don't necessarily get feedback; this allows me to get feedback based on the audience's reaction. So if you send a text message, what you get is the link that has all the resources: the blog post has a link to the presentation, a link to the presentation source code, everything you need that I've talked about throughout this talk. So again, 503-476-3056, and this will be up for a while. If you don't have cell phone service in here, just send it when you go outside and you'll get the link back.

Okay, one more quick plug. I'm the author of FullStackPython.com. If you're looking for resources around Python, this is my passion project for 2014. I have put a lot of time and effort into it. I actually just crossed 90,000 readers this year. I'm super stoked that this really helps people. This came out of me just writing emails to a lot of developers and saying, "Here are some great resources." I put it on the internet for everyone in the community to be able to consume. My name is Matt Makai, I'm a developer evangelist with Twilio, and here's my contact information. Thank you all very much for having me, and I will answer questions outside afterwards. Thank you.
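The spreadsheet cutover approach from the legacy-data part of the talk (validate every incoming row against a contract agreed beforehand, accept the rows that pass, hand the rest back as a spreadsheet with the reason per row), written out as an added example that is not the speaker's code. The column rules and the sample rows are constructed; xlrd and xlwt are only imported inside the two file helpers, so the validation and partitioning logic runs without either library installed.

```python
from decimal import Decimal, InvalidOperation

def is_number(value):
    """True for anything Decimal accepts as a finite number (xlrd returns numeric cells as floats)."""
    try:
        return Decimal(str(value).strip()).is_finite()
    except InvalidOperation:
        return False

def non_empty(value):
    return str(value).strip() != ""

# The contract agreed with the business side, constructed for this example:
# (column name, required?, validator). Salary must be a number, never letters.
SCHEMA = [("employee_id", True, is_number), ("name", True, non_empty), ("salary", True, is_number)]

def validate_row(row, schema=SCHEMA):
    """Return the list of problems for one row; an empty list means the row is clean."""
    problems = []
    for idx, (name, required, check) in enumerate(schema):
        value = row[idx] if idx < len(row) else ""
        if not non_empty(value):
            if required:
                problems.append("%s: missing" % name)
            continue
        if not check(value):
            problems.append("%s: invalid value %r" % (name, value))
    return problems

def partition_rows(rows, schema=SCHEMA):
    """Split rows into (accepted, rejected); rejected rows keep their sheet row number and reasons."""
    accepted, rejected = [], []
    for row_number, row in enumerate(rows, start=2):  # row 1 of the sheet is the header
        problems = validate_row(row, schema)
        if problems:
            rejected.append((row_number, row, "; ".join(problems)))
        else:
            accepted.append(dict(zip([column[0] for column in schema], row)))
    return accepted, rejected

def read_rows(path, sheet_index=0):
    """Read the data rows (skipping the header row) from an .xls file with xlrd."""
    import xlrd  # pip install xlrd
    sheet = xlrd.open_workbook(path).sheet_by_index(sheet_index)
    return [sheet.row_values(r) for r in range(1, sheet.nrows)]

def write_rejects(path, rejected, schema=SCHEMA):
    """Write the rejected rows back out as an .xls file with xlwt, plus a column saying why."""
    import xlwt  # pip install xlwt
    book = xlwt.Workbook()
    sheet = book.add_sheet("rejected")
    headers = ["source_row"] + [column[0] for column in schema] + ["problems"]
    for col, header in enumerate(headers):
        sheet.write(0, col, header)
    for r, (row_number, row, reason) in enumerate(rejected, start=1):
        sheet.write(r, 0, row_number)
        for col, value in enumerate(row, start=1):
            sheet.write(r, col, value)
        sheet.write(r, len(headers) - 1, reason)
    book.save(path)

# Constructed sample sheet: letters in a salary cell, a blank name, a blank salary.
SAMPLE_ROWS = [
    [1001, "Kate Example", 85000],
    [1002, "Sam Example", "eighty-five"],
    [1003, "", 72000],
    [1004, "Lee Example", ""],
]

def demo():
    """Run the constructed sample through the split; the rejects would go to write_rejects()."""
    return partition_rows(SAMPLE_ROWS)
```

The accepted rows are what gets loaded into the Django models on cutover day; the rejected rows go back to the team that owns the spreadsheet with the source row number and the reason, which is the exception scenario the talk describes.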