Computing in the cloud is fashionable and in many cases extremely cost-effective. But - considering a flawed execution model of rich Web 2.0 applications - will Web applications in the cloud fail to live up to the promise due to performance and security issues?
In this presentation - I discuss security and performance issues of Web 2.0 apps in the cloud and talk about the kind of mistakes people make.
I wrap up with some thoughts on the game changers
Six Myths about Ontologies: The Basics of Formal Ontology
Will Web 2.0 applications break the cloud?
1. Rich Web applications 2011
Crashing in the cloud
Danny Lieberman
dannyl@software.co.il
http://www.software.co.il/wordpress/
Copyright Creative Commons Attribution License by Danny Lieberman
5. Cloud and the “security problem”
Why is security so hard to sell today?
Complex
Hard to understand
Economic benefit to business unclear
6. Cloud and the “security problem”
Computing as a utility
– Simple
– Easy to measure economic benefit
– Security is built-in
7. Cloud and the “security problem”
The good news
– The Tier 1 providers are better at security
than you or me
The bad news
– You still have application software
– Just with a bigger threat surface
9. The top 3 mistakes CIOS make
No knowing how much your assets are worth
asset.val()== undefined
Writing procedures while attackers exploit
your software
$p != security.software
Confusing compliance with
data security
$c != security.data
10. Rich Web 2.0 applications 2011
2-5 languages
Server stack Message passing in the UI
PC Browser Smartphone Device
3-5 languages
Message passing in the UI
11. Message passing in the UI?
Very bad idea.
Worst dressed at BET Awards 2010
12. Rich Web 2.0 entry points
DB Servers
Interfaces
Server stack PHP, C#, Ruby, J2EE
HTML/Javascript/CSS
Web servers
HTML
XML
PC CSS
Browser Smartphone Device
Javascript
Java
Flash
13. Rich Web 2.0 attack scenarios
Any kind of code injection
Server or client returns invalid HTML
Pages contain dead links
HTML forms don't match field types expected by controllers
Client side makes bad assumptions about AJAX services
Server may attempt to execute invalid SQL queries
Improper marshaling/un-marshaling
– DB server to Web server
– DB server to application tier
– Web server to browser
14. Rich Web 2.0 vulnerabilities
Heterogeneous stacks
– Too much chewing gum
PHP, Ruby, Python
– Flexibility, no static type guarantees
C#, Java
– Static typed, but only at Web server
– Code complexity increases threat surface
Redundant code on servers and clients
Redundant data on servers and clients
Client-server latency
– Slow HTTP POST attacks
16. Security summary
Security Control model looks great
But doesn't mitigate core vulnerabilities
Typing issues
Interface issues
Redundant code, data and tiers
Client-server latency
17. Performance - time is money
Amazon.com
100 ms of latency costs Amazon 1% of sales
(http://highscalability.com)
Google.com
500ms delay in delivery is a 20% drop in
traffic
(Google VP Marissa Mayer)
Competing stock trading platforms
5ms delay is $4M in losses / ms.
18. Web servers 2011
Browser opens
connection.
Server forks a thread
for each connection,
using blocking IO.
Ajax latency:
200-600ms
19. Hardware 2011
What about multiple-processor
concurrency?
Threads don't scale well with multi-cores
Processes are necessary to scale to multi-
core computers, not memory-sharing
threads.
20. Threads are a bad idea
The mixture of threads and modern multi-
core systems add up to some serious race
condition potential.
http://blogs.msdn.com/b/david_leblanc/archive/2007/04/19/why-threads-are-a-bad-idea.aspx
Thread-based networking is inefficient and
very difficult to use.
http://www.kegel.com/c10k.html and http://bulk.fefe.de/scalable-networking.pdf
21. The future of apps in the cloud
The fundamentals of scalable systems are
fast networking and non-blocking design—
.The fundamentals of scalable systems are fast networking and non-blocking design—the rest is message passing
the rest is message passing.
3 technologies will be game changers,I think...
●
Web sockets
●
Node JS
●
Couch DB
22. The future of apps in the cloud
Web sockets
Open a connection to Web
server
It stays open
Pass messages
Eliminates at least 2
processes for every
connection.
(Browser-Server &
Server-Database)
Low Latency:
20-60ms instead of
200-600ms
23. The future of apps in the cloud
Node.js
Javascript on
client and server
No threads
No blocks or locks
UI is HTML & CSS
Asynchronous
message passing
with Web sockets
24. The future of apps in the cloud
CouchDB
Application served out of CouchDB
CouchApp lives in the browser.
No middle tier
Javascript on client and server
UI is HTML & CSS
CouchDB uses Ajax to shove
JSON back and forth.
CouchDB replicates on smart phones
25. Summary
Application vulnerabilities are expensive
100x more expensive to fix after implementation
Potential data loss in the cloud
Security controls don't come cheap
Time is money
High latency applications less responsive
Your cloud provider charges per CPU cycle
Your costs go up, revenue goes down
Promising new technologies
No middle/data tiers, reduced threat surface
10x lower latency
Your costs go down, revenue goes up.