Today I’m joined by Anthony Shaw, global senior vice president for talent transformation and innovation at NTT Ltd. Anthony is also a Real Python tutorial author and has written a new book titled CPython Internals.
In this interview, we discuss a variety of topics, including Python security, advice for beginner developers, and his love for the beach. So without further ado, let’s welcome Anthony.
Ricky: Thanks for joining me, Anthony. I’m glad you could join me for this interview. I’d like to start in the same manner we do with all our guests: how did you get into programming, and when did you start using Python?
Anthony: Hey, Ricky. Thanks for the opportunity to speak to the Real Python readers!
I got into programming in the early ’90s, learning how to write code for devices that were little more than programmable calculators. As a teen, I spent most of my income from a paper round on programming books and computer hardware.
I’m mostly self-taught, starting on some older BASIC-type languages and moving on to OOP languages like C++ and C#. I’d been working with C# .NET for about eight years and discovered Python while contributing to an open source project that needed support for an API I worked on at work.
I learned the basics of Python over a long weekend in 2010 and fell for the language’s flexibility in working with fluid data structures and natural way of using both object-oriented programming and procedural programming.
Ricky: You seem to have gained an interest in Python security lately, having written a PyCharm security plugin and a cross-site scripting library for Django. You even made a video on SQL injection. How are you finding your foray into infosec, and is this a permanent change of focus for you in your career?
Anthony: It’s always been something I was curious about. I think it started when I was in university, where anything that got plugged into the campus LAN without a firewall would get trojaned within sixty seconds.
I became the hallway IT support engineer, fixing people’s computers in exchange for a supply of beer. I got an actual paid job doing technical support at a local server-hosting company shortly afterward.
Back when PHP was popular on the Web, servers with terribly insecure PHP code were getting hacked left, right, and center. If you want motivation to learn something the hard way, try being woken up at 3:00 a.m. by a customer because their server has been hacked.
With the customer’s permission, I’d gain access to the servers remotely, figure out how they got hacked, consult with the customer, and get everything reinstalled. The company wasn’t developing the software. We were just hosting the servers. When they’d get used for botnets (or worse), it would really start to impact everyone else.
To try to minimize my sleep interruptions while on call, I wrote a series of scripts that would scan networks and look for known vulnerabilities and commonly unpatched systems. I could then alert the customer ahead of time.
Now you can buy software off the shelf to do this, but with access to databases like Shodan and automated vulnerability exploitation tools like Metasploit, anyone with a mouse and keyboard can click their way to root access.
This year, I’ve been writing some tooling for Python code analysis. This includes Wily, a code-complexity analyzer, and PyCharm Security, a secure-code analysis plugin for PyCharm. They both share the same goal, which is to improve the quality and security of code with as little performance cost as possible.
As with testing, the easiest time to fix a bug is when it’s being written! PyCharm Security analyzes your code as you’re typing into PyCharm and highlights any security vulnerabilities you may be introducing. It comes with a big documentation site that explains why these vulnerabilities exist and how you can fix them. In cases where it’s an obvious change, PyCharm can do the refactoring automatically.
It’s not a career change. I’m just interested in the topic and passionate about developers learning to write secure and maintainable software.
Ricky: As much as these interviews are about personal stories from members of the community, I also try to leave our readers with something actionable they can take away and apply to their code. So with that in mind, what security tips can you give that most people might not be aware of?
Anthony: I have a list of ten if you have the time to read them! The big one for Python is deserialization.
Both the pickle library and the PyYAML library come with logic to allow custom deserialization procedures. This means an attacker can embed any Python code in YAML or pickled files, including code to add a root user to your production server or steal your database. These are documented issues but not common knowledge.
Ricky: It’s no secret that you’re not only a tutorial author here at Real Python but also the author of the new CPython Internals book. What are you hoping people will get out of the book when they read it? Did you learn anything while writing that surprised you about the language or that you thought you already had a grasp on but didn’t?
Anthony: What I’m hoping is that the reader can take something seemingly complicated like the CPython compiler, break it down into small pieces, and relate it to concepts they know or can learn. I want them to not only understand it but harness it and build on it. If just one person reads the book and contributes to the CPython project, then that’ll be a huge win.
I’ve received a number of messages from readers of the early access edition. They’ve shared their excitement at recompiling their own custom CPython compiler and with some of the examples in the book. These are things that many developers think are beyond their skill level, but they’re not.
One big thing I learned when writing the book is how all the parallelism and concurrency implementations—and there are quite a few!—work in CPython. Async was always a bit of a mysterious black box to me, and I didn’t use it much before writing the book because I didn’t know how it worked and implicitly didn’t trust it.
After exploring the concepts and the building blocks that lead to the async and await keywords, like generators and coroutines, async makes absolute sense. I’ve since used it to improve the performance of some applications.
Ricky: You’ve talked at a few PyCons to date, but the one I’m most curious about is your last talk at PyCon Africa, titled “Standing Out in a World of 20 Million Developers.” What inspired you to give that talk, and what advice do you frequently give to developers of any level?
Anthony: What inspired me to give that talk was seeing so many beginner developers struggling to get the job they wanted. I’ve interviewed a lot of software developers and coached many as well. One piece of advice I give is to go deep in your knowledge of one or two topics. Go broad and shallow on other topics.
Don’t be a jack-of-all-trades, but don’t be a one-trick pony, either. Try to be really knowledgeable about two things, like PyTorch and GPU acceleration, Django and PostgreSQL, or Vue.js and Jinja. Learn just enough about other topics and technologies to be unafraid to work with them. Learn about SQL, JavaScript, HTML, CSS, MLPs.
You don’t need to be an expert on everything, but if you can apply yourself to a diverse range of problems, then you’ll be more successful.
Ricky: Now just a few last questions. What else do you get up to in your spare time? What other hobbies and interests do you have aside from Python and programming?
Anthony: I enjoy being at the beach, which is a five-minute walk away. So for six months of the year, you’ll find me in or by the ocean. For the rest of the year, I love building things with my hands. It’s a lot cooler here in Australia during winter, so I’ll be doing a lot of DIY projects.
Ricky: Thank you for joining me, Anthony, and best of luck with the book release.
If you’d like to get in touch with Anthony about anything we’ve talked about today, then you can reach out to him on Twitter. If you’d like to delve deeper into CPython and learn how it works under the hood, then you can grab a copy of the CPython Internals book.
If there’s someone in the Python community that you’d like me to interview, then leave a comment below or reach out to me on Twitter. Happy coding!
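Editor's note: the deserialization warning Anthony gives above (pickle and PyYAML will run code embedded in the data) is easy to state and easy to underestimate, so here is a working illustration. This is an added example, not code from Anthony, Real Python, or the projects mentioned. The `Poisoned` class, the `referenced_globals` inspector and the `RestrictedUnpickler` allowlist are constructed for this demo; the restricted-unpickler pattern follows the "Restricting Globals" recipe in the Python standard library docs, and the payload calls `subprocess.check_output` on a harmless command where an attacker would call `os.system` or similar.

```python
"""Why unpickling untrusted bytes is code execution, and one way to contain it.

Added editor example, not part of the interview. Everything below is
constructed for the demo and uses only the Python standard library.
"""
import io
import pickle
import pickletools
import subprocess
import sys


class Poisoned:
    """Constructed attacker object. pickle never serialises this class's code;
    __reduce__ just tells the unpickler which callable to import and which
    arguments to call it with. Here that callable is subprocess.check_output
    running a harmless print; an attacker would pick os.system or similar."""

    def __reduce__(self):
        return (subprocess.check_output,
                ([sys.executable, "-c", "print('pwned')"],))


def make_payload() -> bytes:
    """What an attacker would hand to your service as 'a cached object'."""
    return pickle.dumps(Poisoned())


def unsafe_load(data: bytes):
    """pickle.loads imports whatever module.name the stream asks for and calls it.
    The returned value is the output of the attacker's command."""
    return pickle.loads(data)


def referenced_globals(data: bytes) -> list:
    """Static look at which (module, name) pairs a pickle would import, using
    pickletools so nothing is executed. Handles the GLOBAL opcode (protocol <= 3,
    argument is 'module name') and STACK_GLOBAL (protocol >= 4, which takes the
    module and name from the two most recently pushed strings)."""
    found = []
    strings = []  # unicode pushes seen so far, consumed by STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-based loader (pattern from the stdlib 'Restricting Globals' docs).
    Every import the stream requests goes through find_class; anything not on
    the allowlist is refused before it is looked up or called."""

    ALLOWED = {("builtins", "set"), ("collections", "OrderedDict")}  # demo allowlist

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_load(data: bytes):
    """Drop-in replacement for pickle.loads that only honours allowlisted globals.
    Plain dicts, lists, strings and numbers never touch find_class, so they load."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted loader refuses the stream, False if it loads."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return False or True
    return False


if __name__ == "__main__":
    payload = make_payload()
    print("stream would import:", referenced_globals(payload))
    print("pickle.loads ran the command, returned:", unsafe_load(payload))
    print("restricted loader rejected it:", is_rejected(payload))
    print("restricted loader still loads plain data:",
          safe_load(pickle.dumps({"user": "anthony", "roles": ["dev"]})))
```

Run it and the first line shows `[('subprocess', 'check_output')]` before anything executes, which is the check worth wiring into a detection or CI step for any pickle file that crosses a trust boundary. The allowlist stops this payload, but it is a containment measure, not a licence to accept pickles from strangers: the reliable fix is a data-only format such as JSON for anything untrusted. The PyYAML equivalent of the same idea is to call `yaml.safe_load` (or pass `Loader=yaml.SafeLoader`) rather than `yaml.load` with an unrestricted loader, since the unrestricted loader will likewise construct arbitrary Python objects from `!!python/object` tags.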