SlideShare a Scribd company logo
1 of 26
Download to read offline
Confidential & proprietary © Sqreen, 2015
Tune your app perf

(and get fit for summer)
We make products antifragile
© Sqreensqreen.io
Jean-Baptiste Aviat
CTO @SqreenIO (https://sqreen.io)
Former hacker at

Apple (Red Team)
@JbAviat
jb@sqreen.io
Confidential & proprietary © Sqreen, 2015
– Donald Knuth
“Premature optimization is the
root of all evil.”
Confidential & proprietary © Sqreen, 2015sqreen.io
« We don’t have bugs. »
« Or maybe one… »
« Okay, beta are done for that! »
Confidential & proprietary © Sqreen, 2015sqreen.io
Sqreen behind the scenes
Examine the environment
Run code specific to the class of vulnerability
Log security events
Automatically check for Sqreen

security rules updates

While keeping the app fast.
Confidential & proprietary © Sqreen, 2015sqreen.io
HTTP request anatomy
DB Cache
QueryQuery
JSON
request response
Services
Rails server
Client
Rails app code
Confidential & proprietary © Sqreen, 2015sqreen.io
HTTP request with Sqreen
QueryQuery
DB Cache
JSON
Services
Rails server
Client
Sqreen code
request response
Rails app code
Confidential & proprietary © Sqreen, 2015sqreen.io
Attack blocked by Sqreen
Attack Error
Query
Sqreen backend
Log

event
DB CacheServices
Rails server
Client
Sqreen code
Rails app code
Confidential & proprietary © Sqreen, 2015sqreen.io
Thanks early adopters, we owe you one!
Our beta customers raised different concerns:
1. Average response time
2. CPU consumption (mostly machine facing APIs)
3. Memory usage
4. Bandwidth
Confidential & proprietary © Sqreen, 2015sqreen.io
Endless path to perf optimization
Know what you are looking for
Measure: understand precisely

what need change
Pareto law: 80% of execution time

is spent in 20% of your code
Change: just code it
Evaluate: compare to previous measures
Start over.
Change
Evaluate
Measure
Confidential & proprietary © Sqreen, 2015
What about our Gem?
Confidential & proprietary © Sqreen, 2015sqreen.io
Sqreen code executed during a client request:
doesn’t use network
doesn’t interact with filesystem
The decision to block is made in the application
Back-end communication is performed in a dedicated
thread
Request processing
Query
Confidential & proprietary © Sqreen, 2015sqreen.io
Asynchronous by design
Sqreen
worker
Rails threads Sqreen thread
request response
Rails server
Sqreen backend
Sqreen code
Rails / app code
Confidential & proprietary © Sqreen, 2015sqreen.io
156ms
Asynchronism benefits
+ X ms
+ XX %
time
150ms
225ms
+ 0 %
Default Dumb
0ms
+ 4 %
Sqreen
Confidential & proprietary © Sqreen, 2015sqreen.io
Reduce I/O
Bandwith
Memory
Requests
AggregateStrip Required? I/O
Confidential & proprietary © Sqreen, 2015sqreen.io
ExecJS call time
ExecJS allows many
runtimes:
V8 (close to Pure Ruby)
JSCore (OSX only)
Node (ExecJS runs the
Node binary)
miliseconds
0
17,5
35
52,5
70
Pure Ruby V8 JSCore

(OSX)
Node
Confidential & proprietary © Sqreen, 2015sqreen.io
ExecJS memory usage
Low memory usage
But it leaks!
@samsaffron helped a lot
Can be solved using

context recycling
ExecJS should be 

reset regularly
memory(MB)
0
175
350
525
700
seconds
0 150 300 450 600
Confidential & proprietary © Sqreen, 2015sqreen.io
Optimize ExecJS use
Reduce ExecJS spawn time
Precompile everything
Spawn ExecJS as less as possible
We introduced pure Ruby pre-conditions
Now the decision to call ExecJS is taken in Ruby
Confidential & proprietary © Sqreen, 2015sqreen.io
Minimize ExecJS overhead
Perform analysis only on
requests using a risky API
Pick relevant methods
The JS engine is spawned
and performs further
analysis
Analyze
Check if the API uses
arguments that can be
vulnerable
Validate exposure
If there is a security risk,
we block the request and
alert our back-end
Alert & block
if method.include?(watch_methods)
if method_arg.include?(parameters)
if ExecJS.is_an_attack?
tell_thread_to_record_alert
block_this_request
end
end
end
Confidential & proprietary © Sqreen, 2015sqreen.io
Mem
I/O
CPU
Band-
width
Reducing memory usage
leads to smaller objects to
be treated, faster garbage
collection
Memory
Reducing CPU usage leads
to overall faster process
CPU
Less bandwidth means less
server occupation and leads
to faster responses
Bandwidth
Reducing I/O reduces time
needed for tasks
I/O
Virtuous circle of optimization
Confidential & proprietary © Sqreen, 2015sqreen.io
Benefits of multithreading
144%
(over dumb implementation)
Confidential & proprietary © Sqreen, 2015sqreen.io
-1000%
Benefits of V8
(over Node runtime)
Confidential & proprietary © Sqreen, 2015sqreen.io
reduce
leaks
Benefits of recycling ExecJS context
(garbage collection, overall memory usage…)
Confidential & proprietary © Sqreen, 2015sqreen.io


just
faster :)
Benefits of pre-condition
(less context recycling, less context switch…)
Confidential & proprietary © Sqreen, 2015sqreen.io
Client perf is not all about client
How to reduce I/O time without changing the client?
The exposed APIs need to respond faster
We are applying the same method to our back-end
Confidential & proprietary © Sqreen, 2015sqreen.io
Set up your feedback loop
Now, you should to monitor 

your performances (automatically)!
And do the same with Security ;)
Keep on coding…

More Related Content

What's hot

What's hot (20)

Prepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenPrepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/Green
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
 
Signal r core workshop - netconf
Signal r core workshop - netconf Signal r core workshop - netconf
Signal r core workshop - netconf
 
DEFCON 23 - Nir Valtman and Moshe Ferber - from zero to secure in 1
DEFCON 23 - Nir Valtman and  Moshe Ferber - from zero to secure in 1DEFCON 23 - Nir Valtman and  Moshe Ferber - from zero to secure in 1
DEFCON 23 - Nir Valtman and Moshe Ferber - from zero to secure in 1
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?
 
Application Security in a Container World - Akash Mahajan - BCC 2017
Application Security in a Container World - Akash Mahajan - BCC 2017Application Security in a Container World - Akash Mahajan - BCC 2017
Application Security in a Container World - Akash Mahajan - BCC 2017
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
 
Cloudefigo - From zero to secure in 1 minute
Cloudefigo - From zero to secure in 1 minuteCloudefigo - From zero to secure in 1 minute
Cloudefigo - From zero to secure in 1 minute
 
Third Party Performance (Velocity, 2014)
Third Party Performance (Velocity, 2014)Third Party Performance (Velocity, 2014)
Third Party Performance (Velocity, 2014)
 
Incapsula D3 - A Single Source of Truth for Security Issues - Pushing Siem L...
Incapsula  D3 - A Single Source of Truth for Security Issues - Pushing Siem L...Incapsula  D3 - A Single Source of Truth for Security Issues - Pushing Siem L...
Incapsula D3 - A Single Source of Truth for Security Issues - Pushing Siem L...
 
Mitigate Security Threats with SIEM
Mitigate Security Threats with SIEMMitigate Security Threats with SIEM
Mitigate Security Threats with SIEM
 
.NET Security (Radu Vunvulea)
.NET Security (Radu Vunvulea).NET Security (Radu Vunvulea)
.NET Security (Radu Vunvulea)
 
Better Bug Stomping with Zend Studio and Zend Server
Better Bug Stomping with Zend Studio and Zend ServerBetter Bug Stomping with Zend Studio and Zend Server
Better Bug Stomping with Zend Studio and Zend Server
 
Lessons from running AppSync in prod
Lessons from running AppSync in prodLessons from running AppSync in prod
Lessons from running AppSync in prod
 
10 things you can do at the edge
10 things you can do at the edge10 things you can do at the edge
10 things you can do at the edge
 
Customer Story: Property Partner
Customer Story: Property PartnerCustomer Story: Property Partner
Customer Story: Property Partner
 
Syntribos API Security Test Automation
Syntribos API Security Test AutomationSyntribos API Security Test Automation
Syntribos API Security Test Automation
 
Ignite Denver - Robots!
Ignite Denver - Robots!Ignite Denver - Robots!
Ignite Denver - Robots!
 
Empower every Azure Function to achieve more!!
Empower every Azure Function to achieve more!!Empower every Azure Function to achieve more!!
Empower every Azure Function to achieve more!!
 

Viewers also liked

ESORICS 2014: Local Password validation using Self-Organizing Maps
ESORICS 2014: Local Password validation using Self-Organizing MapsESORICS 2014: Local Password validation using Self-Organizing Maps
ESORICS 2014: Local Password validation using Self-Organizing Maps
Diogo Mónica
 

Viewers also liked (20)

NoSQL Injections in Node.js - The case of MongoDB
NoSQL Injections in Node.js - The case of MongoDBNoSQL Injections in Node.js - The case of MongoDB
NoSQL Injections in Node.js - The case of MongoDB
 
Bletchley
BletchleyBletchley
Bletchley
 
From 0 to 0xdeadbeef - security mistakes that will haunt your startup
From 0 to 0xdeadbeef - security mistakes that will haunt your startupFrom 0 to 0xdeadbeef - security mistakes that will haunt your startup
From 0 to 0xdeadbeef - security mistakes that will haunt your startup
 
Leveraging Honest Users: Stealth Command-and-Control of Botnets
Leveraging Honest Users: Stealth Command-and-Control of BotnetsLeveraging Honest Users: Stealth Command-and-Control of Botnets
Leveraging Honest Users: Stealth Command-and-Control of Botnets
 
PhD Thesis Diogo Mónica
PhD Thesis Diogo MónicaPhD Thesis Diogo Mónica
PhD Thesis Diogo Mónica
 
An IDS for browser hijacking
An IDS for browser hijackingAn IDS for browser hijacking
An IDS for browser hijacking
 
WiFiHop - mitigating the Evil twin attack through multi-hop detection
WiFiHop - mitigating the Evil twin attack through multi-hop detectionWiFiHop - mitigating the Evil twin attack through multi-hop detection
WiFiHop - mitigating the Evil twin attack through multi-hop detection
 
Observable Non-Sybil Quorums Construction in One-Hop Wireless Ad Hoc Networks
Observable Non-Sybil Quorums Construction in One-Hop Wireless Ad Hoc NetworksObservable Non-Sybil Quorums Construction in One-Hop Wireless Ad Hoc Networks
Observable Non-Sybil Quorums Construction in One-Hop Wireless Ad Hoc Networks
 
MultiPath TCP - The path to multipath
MultiPath TCP - The path to multipathMultiPath TCP - The path to multipath
MultiPath TCP - The path to multipath
 
Secure Software Distribution in an Adversarial World
Secure Software Distribution in an Adversarial WorldSecure Software Distribution in an Adversarial World
Secure Software Distribution in an Adversarial World
 
ESORICS 2014: Local Password validation using Self-Organizing Maps
ESORICS 2014: Local Password validation using Self-Organizing MapsESORICS 2014: Local Password validation using Self-Organizing Maps
ESORICS 2014: Local Password validation using Self-Organizing Maps
 
Web Summit 2015 - Enterprise stage - Cloud, Open-Source, Security
Web Summit 2015 - Enterprise stage - Cloud, Open-Source, SecurityWeb Summit 2015 - Enterprise stage - Cloud, Open-Source, Security
Web Summit 2015 - Enterprise stage - Cloud, Open-Source, Security
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
 
How to-use-buffer-by-ella
How to-use-buffer-by-ellaHow to-use-buffer-by-ella
How to-use-buffer-by-ella
 
From Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
From Second Screen to Multi-Screen: We Are Social's Guide to Social ScreensFrom Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
From Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deployment
 
SteadyBudget's Seed Funding Pitch Deck
SteadyBudget's Seed Funding Pitch DeckSteadyBudget's Seed Funding Pitch Deck
SteadyBudget's Seed Funding Pitch Deck
 
Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM
 
7 Tips to Beautiful PowerPoint by @itseugenec
7 Tips to Beautiful PowerPoint by @itseugenec7 Tips to Beautiful PowerPoint by @itseugenec
7 Tips to Beautiful PowerPoint by @itseugenec
 
The Minimum Loveable Product
The Minimum Loveable ProductThe Minimum Loveable Product
The Minimum Loveable Product
 

Similar to Tune your App Perf (and get fit for summer)

Similar to Tune your App Perf (and get fit for summer) (20)

AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
How the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to DevelopmentHow the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to Development
 
Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security
 
Delivering Java Applications? Ensure Top Performance Every Time, with Intell...
 Delivering Java Applications? Ensure Top Performance Every Time, with Intell... Delivering Java Applications? Ensure Top Performance Every Time, with Intell...
Delivering Java Applications? Ensure Top Performance Every Time, with Intell...
 
Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro
 
Adding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps PipelinesAdding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps Pipelines
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrew
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
DevSecOps 的規模化實踐 (Level: 300-400)
DevSecOps 的規模化實踐 (Level: 300-400)DevSecOps 的規模化實踐 (Level: 300-400)
DevSecOps 的規模化實踐 (Level: 300-400)
 
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAPKontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019
DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019 DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019
DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019
 
(SEC202) Best Practices for Securely Leveraging the Cloud
(SEC202) Best Practices for Securely Leveraging the Cloud(SEC202) Best Practices for Securely Leveraging the Cloud
(SEC202) Best Practices for Securely Leveraging the Cloud
 
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...
 
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
 
Monitoring for Operational Outcomes and Application Insights: Best Practices ...
Monitoring for Operational Outcomes and Application Insights: Best Practices ...Monitoring for Operational Outcomes and Application Insights: Best Practices ...
Monitoring for Operational Outcomes and Application Insights: Best Practices ...
 
Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation Overview
 
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
 
Machine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOpsMachine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOps
 

Recently uploaded

Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Marc Lester
 

Recently uploaded (20)

architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
 
Sourcing Success - How to Find a Clothing Manufacturer
Sourcing Success - How to Find a Clothing ManufacturerSourcing Success - How to Find a Clothing Manufacturer
Sourcing Success - How to Find a Clothing Manufacturer
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined Deck
 
5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and Prevention
 
Malaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptxMalaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptx
 
What need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersWhat need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java Developers
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024
 
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA -  Language Models and Knowledge Graphs: A Systems ApproachKLARNA -  Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM Integration
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdf
 

Tune your App Perf (and get fit for summer)

  • 1. Confidential & proprietary © Sqreen, 2015 Tune your app perf
 (and get fit for summer) We make products antifragile
  • 2. © Sqreensqreen.io Jean-Baptiste Aviat CTO @SqreenIO (https://sqreen.io) Former hacker at
 Apple (Red Team) @JbAviat jb@sqreen.io
  • 3. Confidential & proprietary © Sqreen, 2015 – Donald Knuth “Premature optimization is the root of all evil.”
  • 4. Confidential & proprietary © Sqreen, 2015sqreen.io « We don’t have bugs. » « Or maybe one… » « Okay, beta are done for that! »
  • 5. Confidential & proprietary © Sqreen, 2015sqreen.io Sqreen behind the scenes Examine the environment Run code specific to the class of vulnerability Log security events Automatically check for Sqreen
 security rules updates
 While keeping the app fast.
  • 6. Confidential & proprietary © Sqreen, 2015sqreen.io HTTP request anatomy DB Cache QueryQuery JSON request response Services Rails server Client Rails app code
  • 7. Confidential & proprietary © Sqreen, 2015sqreen.io HTTP request with Sqreen QueryQuery DB Cache JSON Services Rails server Client Sqreen code request response Rails app code
  • 8. Confidential & proprietary © Sqreen, 2015sqreen.io Attack blocked by Sqreen Attack Error Query Sqreen backend Log
 event DB CacheServices Rails server Client Sqreen code Rails app code
  • 9. Confidential & proprietary © Sqreen, 2015sqreen.io Thanks early adopters, we owe you one! Our beta customers raised different concerns: 1. Average response time 2. CPU consumption (mostly machine facing APIs) 3. Memory usage 4. Bandwidth
  • 10. Confidential & proprietary © Sqreen, 2015sqreen.io Endless path to perf optimization Know what you are looking for Measure: understand precisely
 what need change Pareto law: 80% of execution time
 is spent in 20% of your code Change: just code it Evaluate: compare to previous measures Start over. Change Evaluate Measure
  • 11. Confidential & proprietary © Sqreen, 2015 What about our Gem?
  • 12. Confidential & proprietary © Sqreen, 2015sqreen.io Sqreen code executed during a client request: doesn’t use network doesn’t interact with filesystem The decision to block is made in the application Back-end communication is performed in a dedicated thread Request processing Query
  • 13. Confidential & proprietary © Sqreen, 2015sqreen.io Asynchronous by design Sqreen worker Rails threads Sqreen thread request response Rails server Sqreen backend Sqreen code Rails / app code
  • 14. Confidential & proprietary © Sqreen, 2015sqreen.io 156ms Asynchronism benefits + X ms + XX % time 150ms 225ms + 0 % Default Dumb 0ms + 4 % Sqreen
  • 15. Confidential & proprietary © Sqreen, 2015sqreen.io Reduce I/O Bandwith Memory Requests AggregateStrip Required? I/O
  • 16. Confidential & proprietary © Sqreen, 2015sqreen.io ExecJS call time ExecJS allows many runtimes: V8 (close to Pure Ruby) JSCore (OSX only) Node (ExecJS runs the Node binary) miliseconds 0 17,5 35 52,5 70 Pure Ruby V8 JSCore (OSX) Node
  • 17. Confidential & proprietary © Sqreen, 2015sqreen.io ExecJS memory usage Low memory usage But it leaks! @samsaffron helped a lot Can be solved using
 context recycling ExecJS should be 
 reset regularly memory(MB) 0 175 350 525 700 seconds 0 150 300 450 600
  • 18. Confidential & proprietary © Sqreen, 2015sqreen.io Optimize ExecJS use Reduce ExecJS spawn time Precompile everything Spawn ExecJS as less as possible We introduced pure Ruby pre-conditions Now the decision to call ExecJS is taken in Ruby
  • 19. Confidential & proprietary © Sqreen, 2015sqreen.io Minimize ExecJS overhead Perform analysis only on requests using a risky API Pick relevant methods The JS engine is spawned and performs further analysis Analyze Check if the API uses arguments that can be vulnerable Validate exposure If there is a security risk, we block the request and alert our back-end Alert & block if method.include?(watch_methods) if method_arg.include?(parameters) if ExecJS.is_an_attack? tell_thread_to_record_alert block_this_request end end end
  • 20. Confidential & proprietary © Sqreen, 2015sqreen.io Mem I/O CPU Band- width Reducing memory usage leads to smaller objects to be treated, faster garbage collection Memory Reducing CPU usage leads to overall faster process CPU Less bandwidth means less server occupation and leads to faster responses Bandwidth Reducing I/O reduces time needed for tasks I/O Virtuous circle of optimization
  • 21. Confidential & proprietary © Sqreen, 2015sqreen.io Benefits of multithreading 144% (over dumb implementation)
  • 22. Confidential & proprietary © Sqreen, 2015sqreen.io -1000% Benefits of V8 (over Node runtime)
  • 23. Confidential & proprietary © Sqreen, 2015sqreen.io reduce leaks Benefits of recycling ExecJS context (garbage collection, overall memory usage…)
  • 24. Confidential & proprietary © Sqreen, 2015sqreen.io 
 just faster :) Benefits of pre-condition (less context recycling, less context switch…)
  • 25. Confidential & proprietary © Sqreen, 2015sqreen.io Client perf is not all about client How to reduce I/O time without changing the client? The exposed APIs need to respond faster We are applying the same method to our back-end
  • 26. Confidential & proprietary © Sqreen, 2015sqreen.io Set up your feedback loop Now, you should to monitor 
 your performances (automatically)! And do the same with Security ;) Keep on coding…