Confidential & proprietary © Sqreen, 2015
Tune your app perf (and get fit for summer)
We make products antifragile
Jean-Baptiste Aviat
CTO @SqreenIO (https://sqreen.io)
Former hacker at Apple (Red Team)
@JbAviat
jb@sqreen.io
“Premature optimization is the root of all evil.” – Donald Knuth
« We don’t have bugs. »
« Or maybe one… »
« Okay, beta are done for that! »
Sqreen behind the scenes
Examine the environment
Run code specific to the class of vulnerability
Log security events
Automatically check for Sqreen security rules updates
While keeping the app fast.
HTTP request anatomy
[Diagram: the client sends a request to the Rails server; the Rails app code queries the DB, cache and services; a JSON response goes back to the client.]
HTTP request with Sqreen
[Diagram: same flow, with Sqreen code running inside the Rails server next to the Rails app code while the request is processed.]
Attack blocked by Sqreen
[Diagram: the Sqreen code in the Rails server detects the attack before the query runs, the client receives an error, and the event is logged to the Sqreen backend.]
Thanks early adopters, we owe you one!
Our beta customers raised different concerns:
1. Average response time
2. CPU consumption (mostly machine facing APIs)
3. Memory usage
4. Bandwidth
Endless path to perf optimization
Know what you are looking for
Measure: understand precisely what needs to change
Pareto law: 80% of execution time is spent in 20% of your code
Change: just code it
Evaluate: compare to previous measures
Start over.
[Diagram: Measure → Change → Evaluate cycle]
What about our Gem?
Sqreen code executed during a client request:
doesn’t use network
doesn’t interact with filesystem
The decision to block is made in the application
Back-end communication is performed in a dedicated thread
Asynchronous by design
[Diagram: the Rails threads serve the request and response with the Rails / app code and the Sqreen code inline; a separate Sqreen thread runs the Sqreen worker, which is the only part that talks to the Sqreen backend.]
Asynchronism benefits
[Bar chart of response time: Default 150ms (+ 0 %), Dumb implementation 225ms (+ X ms, + XX %), Sqreen 156ms (+ 4 %).]
Reduce I/O
Bandwidth
Memory
Requests
[Diagram: for each I/O, ask whether it is required, strip what is not needed, aggregate what remains.]
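Added example, not code from the Sqreen gem: the dedicated-thread reporting from the previous slides combined with the strip-and-aggregate idea from this one, in plain Ruby. The request path only pushes onto an in-memory queue; a worker thread strips fields the back-end does not need, collapses duplicates into counted entries and ships batches through a transport callable. The event fields, batch size and transport are assumptions.

```ruby
# Added example, not Sqreen's own code: the request path only pushes an
# event onto an in-memory queue; a dedicated thread strips, aggregates and
# ships batches, so the thread serving the client never performs network or
# filesystem I/O. Field names, batch size and the transport are assumptions.
class AsyncReporter
  # Fields the back-end needs; everything else (raw body, headers) is stripped.
  KEEP = %i[rule method path].freeze

  def initialize(transport, batch_size: 10)
    @transport  = transport      # callable that receives an Array of Hash
    @queue      = Queue.new      # thread-safe hand-off point
    @batch_size = batch_size
    @sent       = 0
    @worker     = Thread.new { run }
  end

  # Called from the request path: never blocks, never does I/O.
  def record(event)
    @queue << event
    nil
  end

  # Drain what is left, stop the worker and return how many entries were sent.
  def shutdown
    @queue << :stop
    @worker.join
    @sent
  end

  private

  # "Strip": keep only the fields listed in KEEP.
  def strip(event)
    event.select { |k, _| KEEP.include?(k) }
  end

  # "Aggregate": identical stripped events collapse into one entry with a count.
  def aggregate(events)
    events.group_by { |e| strip(e) }.map { |e, list| e.merge(count: list.size) }
  end

  # Worker loop: the only place where the transport (I/O) is invoked.
  def run
    batch = []
    loop do
      item = @queue.pop              # blocks until an event or :stop arrives
      stopping = item == :stop
      batch << item unless stopping
      if !batch.empty? && (batch.size >= @batch_size || stopping)
        payload = aggregate(batch)
        @transport.call(payload)
        @sent += payload.size
        batch = []
      end
      break if stopping
    end
  end
end
```

With a batch size of 3, five identical SQLi events plus one XSS event become two batches carrying three entries in total, and none of them still holds the request body.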
ExecJS call time
ExecJS allows many runtimes:
V8 (close to Pure Ruby)
JSCore (OSX only)
Node (ExecJS runs the Node binary)
[Bar chart: call time in milliseconds (0 to 70) for Pure Ruby, V8, JSCore (OSX) and Node.]
ExecJS memory usage
Low memory usage
But it leaks!
@samsaffron helped a lot
Can be solved using context recycling
ExecJS should be reset regularly
[Chart: memory (MB, 0 to 700) over time (seconds, 0 to 600).]
Optimize ExecJS use
Reduce ExecJS spawn time
Precompile everything
Spawn ExecJS as little as possible
We introduced pure Ruby pre-conditions
Now the decision to call ExecJS is taken in Ruby
Minimize ExecJS overhead
Pick relevant methods: perform analysis only on requests using a risky API
Validate exposure: check if the API uses arguments that can be vulnerable
Analyze: the JS engine is spawned and performs further analysis
Alert & block: if there is a security risk, we block the request and alert our back-end

# Pure Ruby pre-conditions first; the JS engine runs only on the innermost check
if watch_methods.include?(method)          # Pick relevant methods
  if method_arg.include?(parameters)       # Validate exposure
    if ExecJS.is_an_attack?                # Analyze (JS engine spawned here)
      tell_thread_to_record_alert          # Alert: hand off to the Sqreen thread
      block_this_request                   # & block
    end
  end
end
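The three pre-conditions above as working Ruby, added here as an example and not taken from the Sqreen gem. The watched method names, the taint heuristic (does any argument embed a request parameter value?) and the `engine` stand-in for ExecJS.is_an_attack? are all assumptions; the per-stage counters show how many calls actually reach the expensive step.

```ruby
# Added example, not the Sqreen gem: the three pre-conditions from the slide
# ordered from cheapest to most expensive. Only calls that pass both pure-Ruby
# checks reach `engine`, a constructed stand-in for ExecJS.is_an_attack?.
# WATCHED, the taint heuristic and the reporter hand-off are all assumptions.
class CallGuard
  # Step 1: risky APIs worth watching (illustrative names, not Sqreen's list).
  WATCHED = %w[ActiveRecord::Base#find_by_sql Kernel#system ERB#result].freeze

  Result = Struct.new(:blocked, :stage)

  attr_reader :stats

  # engine:   callable(method, args, params) -> true when the call is an attack
  # reporter: callable(event) standing in for the hand-off to the Sqreen thread
  def initialize(engine, reporter)
    @engine   = engine
    @reporter = reporter
    @stats    = Hash.new(0)   # how many calls reached each stage
  end

  # Decide for one API call; `params` are the request parameters.
  def check(method, args, params)
    @stats[:calls] += 1
    return Result.new(false, :not_watched) unless WATCHED.include?(method)
    @stats[:watched] += 1
    return Result.new(false, :untainted) unless tainted?(args, params)
    @stats[:tainted] += 1
    @stats[:engine] += 1                      # this is the JS spawn we try to avoid
    return Result.new(false, :clean) unless @engine.call(method, args, params)
    @reporter.call({ method: method, args: args })   # alert asynchronously
    Result.new(true, :attack)                 # block this request
  end

  private

  # Step 2: does any argument embed a request parameter value? If user input
  # never reached the risky API there is nothing for the engine to analyze.
  def tainted?(args, params)
    values = params.values.map(&:to_s).reject(&:empty?)
    args.any? { |a| values.any? { |v| a.to_s.include?(v) } }
  end
end
```

Of four constructed calls (an unwatched method, a watched method with a clean numeric parameter, a watched method whose literal SQL contains no request input, and a watched method fed a quote-bearing parameter), only the two that pass both pure-Ruby checks spawn the engine.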
Virtuous circle of optimization
Memory: reducing memory usage leads to smaller objects to be treated, faster garbage collection
CPU: reducing CPU usage leads to overall faster process
Bandwidth: less bandwidth means less server occupation and leads to faster responses
I/O: reducing I/O reduces time needed for tasks
[Diagram: Mem → I/O → CPU → Bandwidth cycle]
Benefits of multithreading: 144% (over dumb implementation)
Benefits of V8: -1000% (over Node runtime)
Benefits of recycling ExecJS context: reduce leaks (garbage collection, overall memory usage…)
Benefits of pre-condition: just faster :) (less context recycling, less context switch…)
Client perf is not all about client
How to reduce I/O time without changing the client?
The exposed APIs need to respond faster
We are applying the same method to our back-end
Set up your feedback loop
Now you should monitor your performance (automatically)!
And do the same with Security ;)
Keep on coding…

 
Rebuilding Your Cloud Native Community Lessons learned from Stardew Valley
Rebuilding Your Cloud Native Community Lessons learned from Stardew ValleyRebuilding Your Cloud Native Community Lessons learned from Stardew Valley
Rebuilding Your Cloud Native Community Lessons learned from Stardew ValleyImma Valls Bernaus
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
Rejekts 24 EU No GitOps Pain, No Platform Gain
Rejekts 24 EU No GitOps Pain, No Platform GainRejekts 24 EU No GitOps Pain, No Platform Gain
Rejekts 24 EU No GitOps Pain, No Platform GainŁukasz Piątkowski
 
React 19: Revolutionizing Web Development
React 19: Revolutionizing Web DevelopmentReact 19: Revolutionizing Web Development
React 19: Revolutionizing Web DevelopmentBOSC Tech Labs
 

Recently uploaded (20)

Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Vectors are the new JSON in PostgreSQL (SCaLE 21x)
Vectors are the new JSON in PostgreSQL (SCaLE 21x)Vectors are the new JSON in PostgreSQL (SCaLE 21x)
Vectors are the new JSON in PostgreSQL (SCaLE 21x)
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
The Crypto Code WaveBot Automated Crypto Trading for Consistent Profits
The Crypto Code WaveBot Automated Crypto Trading for Consistent ProfitsThe Crypto Code WaveBot Automated Crypto Trading for Consistent Profits
The Crypto Code WaveBot Automated Crypto Trading for Consistent Profits
 
Use a Referral Program to Get 1 Million Users Waiting To Try Your App Before ...
Use a Referral Program to Get 1 Million Users Waiting To Try Your App Before ...Use a Referral Program to Get 1 Million Users Waiting To Try Your App Before ...
Use a Referral Program to Get 1 Million Users Waiting To Try Your App Before ...
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptx
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 
How to Improve the Employee Experience? - HRMS Software
How to Improve the Employee Experience? - HRMS SoftwareHow to Improve the Employee Experience? - HRMS Software
How to Improve the Employee Experience? - HRMS Software
 
New ThousandEyes Product Features and Release Highlights: March 2024
New ThousandEyes Product Features and Release Highlights: March 2024New ThousandEyes Product Features and Release Highlights: March 2024
New ThousandEyes Product Features and Release Highlights: March 2024
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
Rebuilding Your Cloud Native Community Lessons learned from Stardew Valley
Rebuilding Your Cloud Native Community Lessons learned from Stardew ValleyRebuilding Your Cloud Native Community Lessons learned from Stardew Valley
Rebuilding Your Cloud Native Community Lessons learned from Stardew Valley
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
Rejekts 24 EU No GitOps Pain, No Platform Gain
Rejekts 24 EU No GitOps Pain, No Platform GainRejekts 24 EU No GitOps Pain, No Platform Gain
Rejekts 24 EU No GitOps Pain, No Platform Gain
 
React 19: Revolutionizing Web Development
React 19: Revolutionizing Web DevelopmentReact 19: Revolutionizing Web Development
React 19: Revolutionizing Web Development
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 

Tune your App Perf (and get fit for summer)

  • 1. Confidential & proprietary © Sqreen, 2015. Tune your app perf (and get fit for summer). We make products antifragile.
  • 2. Jean-Baptiste Aviat, CTO @SqreenIO (https://sqreen.io). Former hacker at Apple (Red Team). @JbAviat, jb@sqreen.io
  • 3. “Premature optimization is the root of all evil.” – Donald Knuth
  • 4. « We don’t have bugs. » « Or maybe one… » « Okay, betas are done for that! »
  • 5. Sqreen behind the scenes: examine the environment; run code specific to the class of vulnerability; log security events; automatically check for Sqreen security rules updates. While keeping the app fast.
  • 6. HTTP request anatomy (diagram): the client sends a request to the Rails server; the Rails app code queries the DB, cache and services and returns a JSON response.
  • 7. HTTP request with Sqreen (diagram): same flow, with Sqreen code running inside the Rails server alongside the Rails app code.
  • 8. Attack blocked by Sqreen (diagram): the attack reaches the Sqreen code inside the Rails server, which returns an error to the client and logs the event to the Sqreen backend; the DB, cache and services are never queried.
  • 9. Thanks early adopters, we owe you one! Our beta customers raised different concerns: 1. Average response time 2. CPU consumption (mostly machine-facing APIs) 3. Memory usage 4. Bandwidth
  • 10. Endless path to perf optimization. Know what you are looking for. Measure: understand precisely what needs to change (Pareto law: 80% of execution time is spent in 20% of your code). Change: just code it. Evaluate: compare to previous measures. Start over. (Cycle: Measure → Change → Evaluate.)
  • 11. What about our Gem?
  • 12. Sqreen code executed during a client request: doesn’t use the network; doesn’t interact with the filesystem. The decision to block is made in the application. Back-end communication is performed in a dedicated thread. (Diagram: request processing, query.)
  • 13. Asynchronous by design (diagram): the Rails threads run the Rails / app code and the Sqreen code on the request/response path; a separate Sqreen thread (the Sqreen worker) talks to the Sqreen backend.
  • 14. Asynchronism benefits (response time, + X ms, + XX %): Default 150 ms (+ 0 ms, + 0 %); Dumb implementation 225 ms; Sqreen 156 ms (+ 4 %).
  • 15. Reduce I/O (bandwidth, memory, requests): aggregate, strip, and ask whether each I/O is required.
  • 16. ExecJS call time. ExecJS allows many runtimes: V8 (close to pure Ruby), JSCore (OSX only), Node (ExecJS runs the Node binary). (Chart: call time in milliseconds, 0 to 70, for Pure Ruby, V8, JSCore (OSX) and Node.)
  • 17. ExecJS memory usage: low memory usage, but it leaks! @samsaffron helped a lot. Can be solved using context recycling: ExecJS should be reset regularly. (Chart: memory in MB, 0 to 700, over 600 seconds.)
  • 18. Optimize ExecJS use. Reduce ExecJS spawn time: precompile everything. Spawn ExecJS as little as possible: we introduced pure Ruby pre-conditions; now the decision to call ExecJS is taken in Ruby.
  • 19. Minimize ExecJS overhead. Pick relevant methods: perform analysis only on requests using a risky API. Analyze: check if the API uses arguments that can be vulnerable. Validate exposure: the JS engine is spawned and performs further analysis. Alert & block: if there is a security risk, we block the request and alert our back-end.
      if method.include?(watch_methods)
        if method_arg.include?(parameters)
          if ExecJS.is_an_attack?
            tell_thread_to_record_alert
            block_this_request
          end
        end
      end
  • 20. Virtuous circle of optimization (Memory, CPU, Bandwidth, I/O). Memory: reducing memory usage leads to smaller objects to be treated and faster garbage collection. CPU: reducing CPU usage leads to an overall faster process. Bandwidth: less bandwidth means less server occupation and leads to faster responses. I/O: reducing I/O reduces the time needed for tasks.
  • 21. Benefits of multithreading: 144% (over dumb implementation)
  • 22. Benefits of V8 (over Node runtime): -1000%
  • 23. Benefits of recycling ExecJS context: reduce leaks (garbage collection, overall memory usage…)
  • 24. Benefits of pre-condition: just faster :) (less context recycling, less context switch…)
  • 25. Client perf is not all about the client. How to reduce I/O time without changing the client? The exposed APIs need to respond faster. We are applying the same method to our back-end.
  • 26. Set up your feedback loop. Now, you should monitor your performance (automatically)! And do the same with security ;) Keep on coding…
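Slides 17 to 19 describe the two techniques that keep the JS engine off the hot path: pure Ruby pre-conditions that decide whether the engine is called at all, and a context that is recycled so the leaking runtime is reset regularly, with alerts handed to a dedicated thread. The Ruby below is an added example, not Sqreen's gem code: RecyclingContext, Guard, run_demo, the watch list, the max_uses counter and the quote-character analyser rule are all constructed stand-ins.

```ruby
# Stand-in for an ExecJS context: costly to spawn, cheap to call, recycled after max_uses calls.
class RecyclingContext
  attr_reader :spawns
  def initialize(max_uses, &analyser)
    @max_uses, @analyser, @spawns, @uses, @ctx = max_uses, analyser, 0, 0, nil
  end
  def call(args)
    if @ctx.nil? || @uses >= @max_uses
      @spawns += 1                 # real gem: spawn / compile the JS runtime here
      @ctx, @uses = @analyser, 0
    end
    @uses += 1
    @ctx.call(args)
  end
end

# Pure-Ruby pre-conditions in front of the context, as slide 19 describes.
class Guard
  attr_reader :analyser_calls
  def initialize(watch_methods, context, alert_queue)
    @watch, @context, @alerts, @analyser_calls = watch_methods, context, alert_queue, 0
  end
  # :pass or :block; the JS context runs only for a watched method with request-derived args.
  def check(method_name, args, request_params)
    return :pass unless @watch.include?(method_name)
    return :pass if (args & request_params.values).empty?
    @analyser_calls += 1
    return :pass unless @context.call(args)
    @alerts << { method: method_name, args: args }  # recorded off the request path
    :block
  end
end

# Demo: a reporter thread drains alerts off the request path; the quote rule is a toy.
def run_demo
  alerts, recorded = Queue.new, []
  reporter = Thread.new { while (a = alerts.pop); recorded << a; end }
  ctx = RecyclingContext.new(2) { |args| args.any? { |a| a.include?("'") } }
  guard = Guard.new(%w[find_by_sql], ctx, alerts)
  results = [
    guard.check('find_by_sql', ['SELECT 1'], {}),           # no request data: skipped
    guard.check('render', ["x'"], { 'q' => "x'" }),         # not watched: skipped
    guard.check('find_by_sql', ["x'"], { 'q' => "x'" }),    # analysed and blocked
    guard.check('find_by_sql', ['ok'], { 'q' => 'ok' }),    # analysed, passes
    guard.check('find_by_sql', ['ok'], { 'q' => 'ok' }),    # third use: context respawned
  ]
  alerts << nil; reporter.join                              # nil stops the reporter
  { results: results, analyser_calls: guard.analyser_calls, spawns: ctx.spawns, alerts: recorded.size }
end
```

Only two of the five calls ever reach the analyser with a fresh spawn, which is the cost the slides measure; the rest are decided in Ruby.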