A couple of weeks back, I gave a talk at PyCon US 2019, "Building reproducible Python applications for secured environments".
The main idea behind the talk is about the different kind of threats in an application which has dependencies (with regular updates) coming from various upstream projects, and also the final deployable artifact (Debian package in this case) needs to audit-able, and reproducible.
Before my talk on Saturday, I went through the whole idea and different steps we are following, with many of the PyPA (Python Packaging Authority) and other security leads in various organizations.
You can view the talk on Youtube. Feel free to give any feedback over email or Twitter.