How to Solve Django's Top 5 Enterprise Headaches

Video thumbnail (Frame 0) Video thumbnail (Frame 1602) Video thumbnail (Frame 7692) Video thumbnail (Frame 14105) Video thumbnail (Frame 23763) Video thumbnail (Frame 31743) Video thumbnail (Frame 39723) Video thumbnail (Frame 40312) Video thumbnail (Frame 40931)
Video in TIB AV-Portal: How to Solve Django's Top 5 Enterprise Headaches

Formal Metadata

How to Solve Django's Top 5 Enterprise Headaches
Title of Series
Part Number
Number of Parts
CC Attribution - ShareAlike 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.
Release Date

Content Metadata

Subject Area
The top five Django problems in large enterprise organizations are integrating with Active Directory, passing security audits, transferring data from legacy systems, installing packages from PyPI through proxy servers and combating misperceptions around dynamically typed programming languages. We'll solve these problems with code and resources to back up arguments to enterprise stakeholders.
Computer animation
Presentation of a group Game controller Dynamical system INTEGRAL Multiplication sign Frustration Client (computing) Information technology consulting Number Product (business) Latent heat Term (mathematics) Business model Energy level Software framework Diagram Data conversion Error message Information security Metropolitan area network Physical system Installation art Enterprise architecture Programming language Boss Corporation Email Information Software developer Projective plane Debugger Database Staff (military) Directory service Cartesian coordinate system Connected space Spring (hydrology) Computer animation Integrated development environment Vector space Chief information officer Self-organization Right angle Figurate number Quicksort Library (computing)
Functional programming Complex (psychology) Group action Presentation of a group Context awareness Code INTEGRAL Multiplication sign Plotter Source code Set (mathematics) Numbering scheme Open set Function (mathematics) Disk read-and-write head Mereology Perspective (visual) Front and back ends Direct numerical simulation Spherical cap Different (Kate Ryan album) Cuboid Extension (kinesiology) Information security Error message Social class Physical system Vulnerability (computing) Injektivität Scripting language Programming language Enterprise architecture Mapping Wrapper (data mining) Software developer Electronic mailing list Lattice (order) Unit testing Computer Type theory Web application Arithmetic mean Angle Self-organization output Problemorientierte Programmiersprache Right angle Quicksort Figurate number Reading (process) Point (geometry) Slide rule Server (computing) Game controller Link (knot theory) Sequel Computer file Checklist Rule of inference Field (computer science) Number Spreadsheet Business model Software testing Data structure Proxy server Address space Metropolitan area network Tunis Authentication Standard deviation Graph (mathematics) Key (cryptography) Information Military base Forcing (mathematics) Gender Projective plane Database Basis <Mathematik> Line (geometry) Directory service Cartesian coordinate system Computer animation Integrated development environment Software Propagation of uncertainty Password Table (information) Communications protocol Abstraction Library (computing)
Presentation of a group Multiplication sign Direction (geometry) Source code Execution unit 1 (number) Set (mathematics) Client (computing) Facebook Sign (mathematics) Mathematics Arrow of time Information security Error message Fiber (mathematics) Exception handling Physical system Scripting language Enterprise architecture Programming language Software developer Binary code Electronic mailing list Bit Variable (mathematics) Type theory Proof theory Category of being Message passing Data model Process (computing) Repository (publishing) Configuration space Website output Self-organization Summierbarkeit Figurate number Reading (process) Writing Spacetime Server (computing) Game controller Overhead (computing) Link (knot theory) Transformation (genetics) Field (computer science) Number Power (physics) Revision control Spreadsheet Centralizer and normalizer Goodness of fit Inclusion map Internet forum Proxy server Installation art Graph (mathematics) Information Validity (statistics) Projective plane Expert system Database Total S.A. Directory service Computer animation Integrated development environment Personal digital assistant Moment <Mathematik> Pressure Table (information) Freezing Local ring
Group action Email Computer animation Internetworking Software developer Multiplication sign Projective plane Authorization
Word Computer animation Information Fiber bundle
Computer animation
the and mn mn m the
not I and I am developmental sectorial but if the circulatory so I was doing consulting work are in what enterprises across government non-profit and commercial organizations and I discovered lot things that came up on the project for announced incredibly frustrating and when I heard that there was going to be an incredibly track a general conic but this is the time permitted vent my frustration into a presentation and then also we help you guys in these situations societal some of these problems so like a good consultant I decided I was going side was going to wait for this out but there's no right it's in here so I just drew this at a time so this is my right
because my presentation and I've also done some pictures of us to go along with this and I'm going to use the term client how to represent the sort of best figure the person that is driving what the the feature requests are so for people the staff at which is the best offer me in client consulting relationship and discuss client so just so you know what it is and so this is the best would get requested all the time from clients is the top that things that I on every project would drive me nuts the first one was integrated with Active Directory it's everywhere by every enterprise and it was always at the last minute of we're getting to put the production of this that directory right like yeah Albany just check on that for a 2nd so I would make sure that I integrate with Active Directory beforehand right instead of doing it right for production and the 2nd thing is passing security on it's how you go about convincing security that this crazy framework called Jango which they always seem to press the the GenGO is not something that is a only inherently insecure then the spring NBC framework that they're used to doing what it's on the 3rd thing is ingesting legacy data so in any enterprise still existing systems How do you elect to those existing systems will take over existing databases that you are now putting a new front end on the 1st thing is securing dependency installations so we now pipeline community have the ability to do is install whatever framework that install Django and we're so used to doing that but in in enterprise environment sometimes they think will that's that's trained we don't control that that repository of world libraries we need something else we need to secure that connection somehow and the thing is correctly this isn't something so specific agenda with something specific to Python and any sort of dynamic language it's amazing to me the number of conversations I've had with with a CIO is or executive level people there like this dynamic typing thing and like this is not something you should be concerning herself with as a CIO but it comes up over and over again and there is a certain way that I have through much trial and error to be able to convince many people on the executive level that this is not something that they should be concerning themselves with so the 1st thing is the boss man the client gasses Active actor-director integration let's make sure we can integrate with our at directory system so when I do directory and like this on my eyes just glaze over and I'm thinking like this is something some enterprise thing that writers in enterprise diagram that some enterprise drew by hand over the course of a year to just like figure out where all the systems are and I just like that's not what excites me as a software developer this is something that I just wanna do you wanna get it over with and I just don't wanna think about ever again which 1 do once and actually act that is actually not that complicated by a large there's a few different setups you can have but by and large what they really say when they want to integrate that vector is what we want standard e-mails 1st names last names a bunch of information about employees in the people organizations this 1 make sure that they're going to want that information and again and so that when they log into the system they don't have to constantly into that information the logging into the agenda up for the 1st time and as a welcome to the need thank you pick here's here's the application that I have to punch in like it doesn't ask them like who are you what your user ID with that information should be able to look up the virtually active rectory actually surprise that so the way that you handle this is so we can look at it as a sort of a back-end is if we're doing of model back and which is the standard 1 that we'll be looking up for the user i in the database so we instead of having a model that can be can have an Active Directory back the way to do this fortunately is with the
with Python held that so a slide with a green background is a library that you can install so we can do that install I l that and this takes away some the complexity from us how we actually integrate this general type of that library into a Django application it actually doesn't require that much work 1st thing would be to add some things in our settings up half of just like for using any sort of dependency now I don't want you have to worry too much about the details of what this looks like a force up my hearing is pretty terrible and 2nd of all this is just a very abstract sort of pseudocode way of looking at it at the end of the presentation I will give you all the resources that I mentioned today I wrote about was specifically for this talk has links all the presentation of all of the resources I mentioned in the presentation or libraries even as the source code to the presentation so you get everything at the end just can't you just read their just look through the stuff and and remember and that you'll be getting resources at the end so the way to look at this in setting up HR we have a DNS name which is a good or service for Active Directory we have a plot number that's us associated with that in general there's 3 8 9 search fields the search rules really what we're looking up through the e-mail addresses of the user is logging in group is using application what is the 1st name last name and this is going to be dependent upon your organization what they decide to store in Active Directory so that is 1 question I want Haskell time went to we restore 1 Active Directory to we just use it for basic use your information where we actually have rules and different privileges stored in Active Directory that we should do we should be using or do we need to rebuild that in our application and just because you have this information here doesn't mean you can also have some other username password or some other authentication scheme this is most the time at the very least just use see your active have people read into the information would be of that you are on most of you construct that using DNS and any of that work just coded it there and you have some domain to add these things and your settings up high based on how your about this set up and someone in the organization should be able to supply you with that information and then you create a class that is a separate back-end class fortunately this is something that is a standardized get user authenticates create user there's a bunch of functions you you write the back end and people have already written just and and libraries that caps like this the idea here is that you should be able to take this back and and turn it on when you want and for your own development purposes turn often you don't want it so from our own local development we not authenticated against all that were just doing their own development work often a key a mop against the model back and you should just below the foot that in your settings up I out so when you're ready to point your test your production environment you put this on so that covers actor-director integration should be something that isn't scary anymore it should be something that OK I write it once and only the 2nd thing is passing security audits and this is this is not just a technical problem is not just a few lines of code you can write something you can do that instead security of such a really good idea for a library but there's a bunch of things that you need to know about and and explain it to a security and so many things is as bulk your heads down in the Code and what thinking so much about what the problems resolving implementing new features getting the system up and running that were speaking of completely different language than the security and was the things that I found so amazing was I expected the security team to be just as technicals I was as a software developer but in general in the 2 organizations that not actually sometimes don't even have a software development background was speaking completely different languages and you go into a meeting and you start talking about witches how implementing things from a security perspective you literally hand them piles of code on printed out this paper like these guys don't know what they're talking about not speaking the same language as us so 1st thing to do there's a security team is to find out how technical on that and generally try find the most technical person or the person who is the most interested in the software development aspects and work with them to figure out
what standards are the using 1 of the most common standards for web applications is called the Open Web Application Security Project that the top 10 list of security vulnerabilities in web applications and this is probably something that is the input to a checklist they're trying to check off boxes the security knows there is no application that is completely secure they wanna make sure that the bases are covered and they generally take those bases which the boxes they're trying to check based on some on some standard put a standard open security protocol like this sphecid security check was like this and it's looking for certain things that as developers we should know or at least a little something about the 1st thing would be injection particularly sequel injection so coming to the meeting knowing that the is an understanding exactly how gender prevents that with the or em and highlighting if we're using sequel we drop down into the sequel and bypass angle and we call that out in our own their own information we hand out into the street team the 2nd thing would be things like I prostate scripting and then also cross-site request forgery these are things the Django has pages on and reproduce is about these is that each 1 of these top 10 items we don't have to reinvent the wheel as shown the developers there's a great talk right Jacob Kaplan master talks about every single 1 of these secured Striebel abilities particularly in the context of Django at how jangle and Django handles them you can watch them talk and read about post which I'll give you which maps the security vulnerabilities which what jagged us and obviously you're going to have to adapt it to the of your own code that you've written but what that means is that that the heavy lifting has been done by people who solve these problems before so that is in general how our approach security audits again remember security and is often not nearly as technical as we are and therefore we won't be speaking their language so that we don't end up in an adversarial relationship with another thing is transferring legacy data this happens costly were building new systems in ongoing ecosystem the 1st situation which can often be the cleanest is which is building a new application on a legacy databases there's already stuff out there and we don't have to worry about another application touching the database is our database that were working with it has existing data has existing relationships we just need to know how to map of Django application to that that we do not have to do this manually there's something called inspect be so once we configured how Django out to read from a database we can do inspect the B and we can take that into a redirect that into a models up I and then it will generate the schema for us now we may not know exactly what's not miles up I file so we could look through it you can read through everything was certainly we're going to do at some point to figure out the structure the database but I'm a visual person and so there's another thing that we can use which is we can look at instead Django and extensions and then we can run a man is not high graph models with some output and it will generate going off of our our way toward per 2nd it will generate a file of a picture that looks like this that actually shows us the structure of the database this is fantastic for getting up to speed on what is already out there we don't have the hand to figure out OK table connects low table with the foreign key relationships we can literally visualize this be and generator models that part obviously that's the beginning of a journey will need to migrate tables and the figure out that structures appropriate for all applications but certainly as a starting point is that we can get to very quickly and start understanding what that legacy database contains for application that this this situation is not always that simple sometimes there is an existing application and the requirement is well we just need to get some some of the data out of this existing legacy get database so there can be a temptation because Django I believe it was that as of 1 3 0 1 . 4 while you can use multiple databases so you may be tempted to say well we have our own database were also going to have a legacy database will just use 2 databases for a Django application however I recommend against doing this if possible in enterprises weird stuff happens you don't always have control over the situation sometimes some sort of political battle is preventing you from the optimal scenario and you may have been directly connect database you can do this would generally recommend is having some sort of a wrapper around that existing application if there's if there's already a team that is developing software for that other applications have been generated interface some sort of EPI that allow you to hold whatever data you need it on a regular basis the the danger if you do what I've xed out here is that other systems make other teams in systems may come along and say well you practice that data can you write me an API but you don't actually have control over that database someone else's touching the database and so what ends up happening is you become this dependency you never intended to be so it's better to push it down the the application it really does have control over that database now there is 1 of my other favorite applications and my 1st shot called end-user computing applications and they look something like this they were an excel spreadsheet I figured out was that the company was working for our very barge company they had so many were hundreds these things and they have a lot of errors and there's no unit testing of Excel spreadsheets and when that happened was that always cascading errors and had to restate financials to the tune of hundreds of millions of dollars because they kept having errors propagate throughout the financial systems were basically that's we're talking about a major financial institution in the country and has a very strange places now fortunately some environments recognize this is not a sustainable situation so ask you as a developer to come in and build a system that replaces a spreadsheet but the caveat is in where the data to the spreadsheet to like be in the system on day 1 so we have a hard cut over so we want that system it has all the we're expecting an Excel spreadsheet there are some tools that to help us do this X
R D N X all w t l exactly how you should use them the first one is for reading Excel spreadsheet so you can read Excel spreadsheets directly but I recommend strongly strongly recommend that you have a lot of data validation and you agreed beforehand you so what is the input that we should be taking in and we will reject anything that is not match the criteria the should have only numbers and if there are any letters we reject that and we will spit that back out as an expert says spreadsheet would XLW T will give you back an excel spreadsheet of all the stuff that does not have data validation we're not going to you continue re just this information but we will stop in as much as we can and then your team who handles the business side of things you can figure out what you need to correct so you publish the data collection onto the team that has the hand figure out why did we put you know a number in a sour where we put of we put a a bunch of letters in a salary column mean this this is the type of arrows that happened in Excel spreadsheet there's just no validation you validation you're signing suck in the data and you just say that exceptions scenarios where you just pumped out an excel spreadsheet says you figure this out and we're happy to take it in when you fix the problems that is by far the best way and probably 1 of the only ways to make this a sustainable situation we can or over on day 1 I so think is securing Patterson installations for 2 things on the talk about the number 1 is a common client site and I've done it start Django and I think that's well often we're going through a proxy server and the following all traffic to the proxy server now fortunately here has a has a signing it it will has a setting where you can specify Apache Server but also as a we'll versions it will it will respect this environment variables you can act for each GPS on each CPS on the score proxy binary variable and that will respect that'll say OK I'm going to go through this proxy server and at once begin installing a packages just make sure that you use set this every time I had some them said before and I forgot to say that 1 away in my environment variables and might that will fail on a mike with with the practice you again so just make sure that this up this just so that someone or you know what the practice servers before you use every time there it can go on way is this is a standard set up so I we use you as the pollution we got high I a pikey or rather and we downloaded the the packages and we have them installed installer which a lot of good to go but this can be very risky for enterprises they say we don't have control over this pipe PI environment we don't really care that it's a you know a community resource or anything like that but they care about is if they wanna control that is when the security of a process in the long run the stands of central repository and that is understandable there are malicious things that can happen this central repositories that you do not know and so what you really want something like this this is also contained in the enterprise and you can certainly do this the fact there it actually does not take that long to set up up IPI environment of your own your thing is you that half of you upload an established all the packages that you need there and make sure the developers are not installing from the central IPI developers the enterprise also know that this is the central repository in the enterprise itself so the only thing about this is if you've got 1 team that's working on agenda project and they have to be the ones who were of putting all the packages and making sure everything is can be can be a lot of overhead so I would fight back against this on much you have multiple teams that willing to share the burden of hosting your own PI PI server this certainly doable I and the final thing is the site where these dynamically typed languages as I said in the beginning it is amazing to me when CIO is like you know about hope something as dynamically typed Mike you're put like only 20 years later was a matter you like it but it's so funny so we used to do is I would say like what if I was doing a good enough for Google it's good enough for this big company and see how you like but were not google and I found that there was a lot of push back that we would like to be that place eventually when I'm not there right now and so the way to mitigate this the way to mitigate this with an executive team or people a pushing back against dynamically typed fiber that dynamically typed forum languages is actually playing out a little and places that there already using it what we've been using Python in all these places for the past 10 years and this can be a price has not grown up yet so if you start going around to different use you take a look at all of the tools that you enterprises using that there a lot of these are actually have high on that you're using for your you're actually using Python with them right so for example WebSphere uses Python the set up its configuration you can write Python scripts take to follow generate were to do the the WebSphere configuration and so OK there's 1 use case of high-quality being but in in that moment if you're using answer border using salts that women freezing Shaffer
puppet those are dynamically typed like the built on top of dynamically typed languages each extraction transformation taking the other 1 system putting into another you play out a of the situations in which Python and I the type languages all of them are already being used in enterprise and that can be a powerful thing for someone who is just trying to say well we'll introduce too much change into their prize right now so you already using it and therefore it's obviously sick consumption because it's already been here for 10 years after that and talk about something like his respected pure organizations they're building systems with Python Django and there's a bonus if you can if you know that there are certain organizations that bring up and they're like the the the leading organizations in our industry not destroy like Google or Facebook or something like that but in and government spacer in official space and you know that this these prepare exact is always talk about this combustor great things you can find out what those other companies arguing and from enjoying I'm like BankAmerica's units of local Python don't really talk about too much but is something is out there so this is if you're financial industry and executive pushing back on what we don't use and p-type languages your and there but those talk about how great BankAmerica run some of their systems or how you those available to respond quickly with IT systems say by the way like they're they're using this ready and that may be 1 of the reasons why there are fighting us here is that it's a little bit of pressure from the standpoint of like social proof is basically saying what you don't want to be there's there's a few different risks they're like that the 1st category or mitigating the risks of like we don't use this ready to taking that consideration of the table then you know what you're doing here is your mitigating like what you're cures for using this and they're out running you and that is a fear that many executives have to worry about being overrun by other companies and so you can point out like what these other organizations already using that in type languages and finally do generally have a laundry list of the leading tech companies and I talk about this here's here's exactly what is that companies are using found for and these companies are doing really great things with small development teams and that's the direction your organization then that's probably something you should be thinking about as well this also across anomalous of all rebuttals that they can have around dynamically typed languages so we key things here was the foremost in the active directory something that should be too scary there's some great resources out there with and using Python about this is not something that should take you 2 weeks you can generate this stuff in about a day and be done with it and never think about it again and reuse on whatever project you go to passing security on its talk in their language instead of just talking and stuff about language it can take or to use that but you remove the adversarial relationship between development teams and the security adjusting legacy that has refused to scenarios here for a hardcover then you can you inspect the B you can do graph the graph the moral graph the the data model and figure out how it works and if you're talking to an existing system I recommend using API as opposed to using a set and just connecting directly to the database that can be on unsustainable situation and then also with Excel spreadsheets make treated data validation and spit out the errors and let them correct the errors as opposed to try to correct the errors in your own system securing depends solutions pet will respect the each CPS proxy variable but you can also set up your own party if that's something we're enterprises is large enough to to maintain their highly correcting correcting misconceptions around dynamic I think there's a approach the tends to work well obviously ever pictures different all push back from executive can be different but there is a structured approach that will allow you to just say that this is something that is not too risky on this is something that allows leading institutions field used I find use it well right so I told you give you guys the resources with the I know not everyone has a total cell phone service in here but if you send a text message or leave this up for just a minute if you send a text message to this number 5 you have 3 4 7 6 3 0 5 6 it will respond back with a text message this is totally anonymous and if you could give me a score of 1 to 10 1 being the lowest b in 10 being the highest but would you recommend this talk to a friend or colleague this allows me to determine is this a top is something is valuable to the audience or this is something that maybe I need to know work sniffily on maybe change of topic so it can be more appropriate on the sum of the torques title what 100 or so get feedback this allows me get feedback based on the audience's reaction to be sent a text message the benefit to you guys is you get the link that has the resources to the back post as a link to the presentation will include presentations source code everything you need that talked about throughout this talk so again 5 0 3 4 7 6 3 0 5 6 and this will be up for about so if you don't have cell phone service in here to send it when you go outside and you'll get the link back OK and then we will work with
them on on the author of course that I find that commentary looking for resources around I thought this is like my passion project for 2014 I post about time effort into it and action discussed 9 thousand readers this year and super so this really helps people this came out of me just writing e-mails to allow developers and saying here's some great resources appear on the internet for everyone in the community built to consume let alone on the
mobile bundles with totally so here's my contact information they do although much for having me and I will answer questions outside words at a few
them and the do we