The talk will analyze a series of vulnerabilities that given some common mistakes might end up damaging your Python programs (with lots of exemples!). At the end, a precaution and audit method will be presented.

The talk will analyze a series of vulnerabilities that given some common mistakes might end up damaging your Python programs. At the end, a precaution and audit method will be presented.

Is your Python code secure? This talk will show how some inattentions, mistakes and assumptions that we, as developers, carry in our code can lead to serious vulnerabilities in our applications. All of that, of course, with lots of examples! At the end, the talk will present a simple way to audit Python code in order to facilitate the maintenance of your security with the identification of possible vulnerabilities.

- Learn how `eval()`, pickle, and pip are vulnerable to arbitrary code execution
- Understand the importance of cryptographically-secure randomness
- Learn how to audit your code and keep your programs secure
- ... and more!

Yan Orestes

Writing secure code in Python

You have a performance problem, and you don't know what to do. All you know is that one of your endpoints is very slow; and perhaps it only affects a certain user. How do you figure out why it's slow, and what can you do to catch performance problems before they hurt users in production? This talk will step through several scenarios involving typical performance problems and how to diagnose them.

Why is my Python code slow? Strategies for solving performance problems

You have a performance problem, and you don't know what to do. All you know is that one of your endpoints or applications is too slow; and perhaps it only affects a certain user or customer. How do you figure out why it's slow, and what can you do to catch performance problems before they hurt users in production?

We'll go through a wide range of strategies for detecting and diagnosing performance problems in typical production workloads. We'll cover both web-based domains as well as backend domains and other analytical applications involving number-crunching and big-data applications.

We'll step through the following high-level strategies:

- Tracing: through instrumentation of your code, you will get detailed traces of where the time is spent in generating your web server responses.
- Profiling: we'll look at profiling strategies using both the Python built-in cProfile tool, as well as awesome 3rd party libraries like pyspy, including how to use these with pytest
- Isolation: how to figure out if performance is affected by CPU, or memory, disk, or network IO limitations.
- Reasoning: we'll look at common scenarios that result in performance regressions such as the needless execution of sub-queries in rendering web views, or algorithmic analysis and "big-O" notation, or concurrency problems resulting from exhaustion of threads in a pool and asyncio concurrency limitations resulting from overloaded subscription.
- Prophylaxis: we'll look at how to include benchmarks within your CI pipeline, including with pytest and other technologies to catch performance regressions ahead of time.

Caleb Hattingh

Why is it slow? Strategies for solving performance problems

Have you ever wished to magically transform your notebook into a web app and share it with non-coders? The [Mercury](https://github.com/mljar/mercury) is a new open-source framework for converting Jupyter Notebook to a web app.

Magically transform your Python notebook to web app with Mercury!

The [Mercury](https://github.com/mljar/mercury) is a new framework for converting Jupyter Notebook to a web app. The widgets are constructed based on the YAML config (similar to R Markdown). The user can tweak the values of the widgets and execute the notebook from the top to the bottom. The notebook sharing is as simple as sending a link. What is more, you can decide whether to show or hide the code.

In the talk, I would like to show how the Python notebook can be converted to a web app and deployed to the cloud.

Piotr Płoński

Mercury - Build & Share Data Apps from Jupyter Notebook

Security vulnerabilities receive huge publicity but also significant secrecy. In this session, we will walk through some of the biggest issues of the last few years from the perspective of a member of the Python Security Response Team. You'll learn how we work to protect all CPython users, how you can help, and how you can help protect yourself from malicious attackers.

What happens when someone reports a security issue in Python? And what's the worst thing that's been reported? Join this session to hear all about it!

In this session, you'll learn about recent security issues in CPython and the core parts of our ecosystem. You'll hear about the process by which they were filed, how they were reviewed, analysed, shared (when appropriate), resolved and ultimately disclosed to the public.

As well as real stories of security vulnerabilities, you'll learn how you can help by responsibly reporting potential issues, and how to protect yourself against common risks, as well as the best ways to find out about major issues and how to respond.

Steve Dower

Tales of Python Security

The design of large-scale engineering systems, including but not limited to aerospace, particle accelerators, nuclear power plants, is carried out by a wide range of numerical models such as CAD files, finite-element models, and machine learning surrogate models to name a few.  In order to provide a uniform modelling interface, we encapsulate numerical models in notebooks. A notebook is controlling model creation, execution, and query of results. Numerical solvers are embedded into Docker containers and provide an isolated and reproducible environment exposing a language-agnostic REST API. A model registry enables efficient queries of models. The overall system is represented as a collection of models that exchange data. Then, the design optimization involves execution of a dependency tree of models to study the impact of a parameter change and perform its optimization. In this contribution, we present a model query mechanism allowing notebook models to query one another. The model dependencies are represented with a graph with suitable processing algorithms. In order to ensure that only affected models are executed we derive and cache a model resolution order. The presented modelling framework relies on open source-technologies (packages: pydantic, Fast API, Jupyter, papermill, scrapbook, containers: Docker and Openshift as well as databases: MongoDB and Redis) and the talk will focus on good practices and design decisions encountered in the process.

When models query models presents a package for cached model query for notebook based hierarchy of numerical models for modelling of complex physical systems.

Michal Maciejewski

When Models Query Models

OpenSearch is an open source and free document database with search and aggregation superpowers, based on Elasticsearch. This session covers how to use OpenSearch to perform both simple and advanced searches on semi-structured data such as a product database.

Search is pretty useful inside applications, so we'll also discuss how to connect to OpenSearch from existing Python applications, work with data in the database, and perform search and aggregation queries with Python. This is the talk you are searching for!

OpenSearch is an open source and free document database with search and aggregation superpowers, based on Elasticsearch. This session covers how to use OpenSearch to perform both simple and advanced searches on semi-structured data such as a product database. Search is pretty useful inside applications, so we'll also discuss how to connect to OpenSearch from existing Python applications, work with data in the database, and perform search and aggregation queries from Python. This talk is recommended for Python developers whose applications are ready to gain some search superpowers.

Laysa Uchoa

Super Search with OpenSearch and Python

In certain areas of the industry open source has become mainstream, whether it be a small part of a product, a “community edition of a product”, or creating a whole business around an open source product. One could assume the only thing required to do so is to make the source code of the project publicly accessible, possibly by putting it on a platform such as GitLab or GitHub, and one couldn’t be more wrong.

In this talk we explore those aspects such as the licence and the governance of the project and the impact they can have. Then we talk about common mistakes teams make which create an environment where outsiders don’t necessarily feel welcomed to the project. First impressions matter and it’s important that new contributors and users stay once they encounter the project.

Best practices to open source a product and creating a community around it

There are many aspects of open sourcing a product which are often overlooked yet greatly impact the community and activities around the project. One of the first things people think about is the licence [1], which is very important, but what people don’t often think about is the governance of it, which impacts the speed, decision making processes, and the kind of engagement one can get from contributors to the project who don’t work in the company.

Not every project is open sourced for the same purpose. On one side of the “openness” spectrum some projects are out there to give a bit of visibility to what a team is doing or to showcase a research or another product, and on the other spectrum the creators of a project put it out there to create a user and contributing community so that eventually the community would be active enough for the original creators to become a minority in the contributing and governance team. Depending on what the goals are, one needs to create or use a governance model which matches those goals and needs. One can look at the following categories from this perspective [2]:

- "Do-ocracy"
- Founder-leader
- Self-appointing council or board
- Electoral
- Corporate-backed
- Foundation-backed

Then we talk about some practices which can fend people off when they try to join a community, giving concrete detailed examples on how it can look like while interacting with contributors and users online, such as [3]:

- Lack of onboarding
- Nothing in writing
- Leadership is a mystery
- No path to success
- Poor communication
- Lack of transparency
- Not seeing ourselves in others

[1] Licences and Standards, https://opensource.org/licenses
[2] Understanding open source governance models, https://www.redhat.com/en/blog/understanding-open-source-governance-models
[3] Brain Proffitt, Seven Deadly Sins of Open Source Communities

Adrin Jalali

Not many leaders transition in their mid thirties but I did and it gave me a unique perspective on courage, humility, diversity and inclusion in the context of leadership. In this talk I will tell the story of my transition and along the way you will learn how you can become a better leader.

Not many leaders #transition late in their lives. @ivettordog did so and it gave her a unique perspective on courage, humility, #diversity and #inclusion in the context of #leadership.

I’ve been struggling with gender dysphoria (a debilitating sense of disconnect from the gender assigned to someone at birth) for decades, but it took me until not so long ago to realize what it was, and how it could be treated. Nothing has been the same since. Transitioning and the events leading up to it changed my life, and the experiences I had during my transition changed me as a person, and as a leader.

It’s hard for me to open up about this period in my life, not just because it comes with tremendous vulnerability, not just because it’s very personal, but also because it has been the hardest few months in my life. The decisions I faced were far more consequential and way harder to grapple than any decisions I had to make as a leader or any time during my professional career. However I feel that other people — people who will never go through anything like I did — can learn from my story a lot exactly because it has been a very unusual and difficult problem to solve.

Ivett Ördög

What transitioning from male to female taught me about leadership

Online platforms have a hard time combating hate, hate speech, explicit content and other NSFW material. Most of the solutions are rule based keyword approaches which are brittle and can be bypassed easily. At PayPal, we have a wide range of user generated content and there is a great need to automatically identify and flag hate, explicit and other typologies, to improve user experience and adhere to regulatory policies. In this talk we showcase how AI can help us identify such content with great precision.

Moderating content on online platforms at scale is an every changing landscape. Keyword based and rule based systems are brittle and easy to bypass. We showcase how we leverage AI at PayPal to solve such hard problems.

Online content moderation at scale is a non trivial task especially with an ever changing landscape of hate, hate speech with changing geopolitical scenarios. Moderation platforms need to support multiple typologies like - hate, sexually explicit, violence, bullying, spam and other toxic material. Add multi-language support for all typologies and it becomes an uphill task. In this talk we will cover the below topics:

1. Why is Text Content Moderation is hard? Why we need AI?
2. What are the available open-source datasets to train models?
3. What are the available pre-trained models for content moderation?
4. Why pre-trained models do not always work?
5. Data labelling strategies and how to leverage open data and models?
6. How to build multi-language support and challenges?

Raghotham Sripadraj

Ryan Roggenkemper

AI for Content Moderation at PayPal

Come see how you can make a native mobile app that embeds Python 3.10 to allow users to script app behavior. It's allowed by Apple but is currently underutilized by the app makers. Add superpowers to your iPhone app with Python!

Native mobile applications have many advantages over mobile websites or apps made with cross-platform toolkits. They will use less battery, allow for richer graphics, more consistent UI behavior, and enable more functionality through device-specific APIs. Wouldn't it be great to have access to all this from Python?

In this talk, we'll marry a native iOS app written in Swift with an embedded Python 3.10 interpreter to allow users to customize what the application is doing. We'll go through the entire process of:

- embedding Python from source;
- building it into the Swift mobile app in Xcode;
- adding a few pre-compiled third-party libraries like numpy and Pillow to broaden the scope of what the user can do;
- running the resulting app on an iPhone 13;
- modifying the app behavior at runtime thanks to our new Python superpowers!

Knowledge of Swift is not required for attendees of this talk. However, it will be needed later if you're willing to embed Python in an iPhone app. Embedding Python doesn't really let you make an app without knowing Swift. Don't fret though! It's pretty easy to get a hang of Swift when you're fluent in Python.

Did you know your iPhone app can embed Python to allow users customize its behavior? Come find out how!

Łukasz Langa

How to embed a Python interpreter in an iOS app

If your type-hinted Python code is Java flavored, you're probably underusing `typing.Protocol`. Python is literally built on structural typing, a.k.a. duck typing. It's how `__special__` methods work. Type hints were introduced in Python 3.5 without support for duck typing, but it was added in Python 3.8 and we should all be using `typing.Protocol` to have our code statically checked **and** Pythonic.

Duck typing is flexible and static typing is helpful. Learn to use typing.Protocol to get the best of both worlds!

Duck typing and static typing are not opposites. Go is a successful statically checked language with support for duck typing through interfaces that work like `typing.Protocol` does. A `Protocol` subclass defines an interface that past and future classes can implement without any coupling to the interface: they simply provide the required methods. That's statically checked duck typing: a powerful combination!

In this talk we'll get back to basics looking at how duck typing is used in Python since the beginning, how `__dunder__` methods leverage that idea to support what we recognize as **Pythonic** code. Then we'll see how `typing.Protocol` fills the gap in the original PEP 484—Type Hints, and finally lets us properly annotate code that leverages the flexibility and loose coupling of duck typing. Finally, we'll look at the experience of the Go community to learn what makes a good Protocol. Spoiler alert: your favorite Python ABC may not be the basis of a useful Protocol!

Luciano Ramalho

`typing.Protocol`: type hints as Guido intended

Jupyter Notebooks at their core are just JSON documents that contain all your code, markdown styles and outputs. Yet when you run a notebook, there's a lot that's happening under the hood - from starting a session with the notebook server, to launching an IPython kernel, and a rich Web UI communicating with the notebook server and the IPython kernel using Jupyter's REST APIs and ZMQ websockets. We will explore the Jupyter ecosystem (Jupyter, JupyterLab, JupyterHub) and see how this system comes together.

Let's explore the distributed architecture of the Jupyter project

Jupyter Notebooks at their core are just JSON documents that contain all your code, markdown styles and outputs. Yet when you run a notebook, there's a lot that's happening under the hood - from starting a session with the notebook server, to launching an IPython kernel, and a rich Web UI communicating with the notebook server and the IPython kernel using Jupyter's REST APIs and ZMQ websockets. We will explore the Jupyter ecosystem and see how this system comes together. 

The architecture of all the offerings in the Jupyter Project (such as the classic Jupyter Notebook), the newer JupyterLab IDE, or the scalable multi-user environment - JupyterHub is completely distributed.
At their core, there's a front end client like a web browser or a qt console that talks to the Notebook server using its many APIs (like the kernel API) and to the language kernel (in our case IPython) using ZMQ Sockets, allowing the Jupyter architecture to scale easily. 
In this presentation, we look closely at these REST API calls, and the ZMQ socket traffic using simple tools like the browser's network tab. We will also try to manipulate a notebook using simple code to get a full appreciation of these internals.

Writing secure code in Python

Abstract

Description

The speaker