Will Web 2.0 applications break the cloud?
0 likes323 views
The document discusses the challenges and risks associated with rich web applications in cloud computing, focusing on performance, security, and common mistakes made by CIOs. It emphasizes the high cost of application vulnerabilities and poor latency, while suggesting future technologies like web sockets, Node.js, and CouchDB as solutions to improve efficiency and reduce threat surfaces. Ultimately, the document warns that security measures are essential yet costly, and highlights the economic impact of latency on businesses.
Will Web 2.0 applications break the cloud?
- 1. Rich Web applications 2011 Crashing in the cloud Danny Lieberman dannyl@software.co.il http://www.software.co.il/wordpress/ Copyright Creative Commons Attribution License by Danny Lieberman
- 2. Course Content Preface Security Performance The future Summary
- 3. Preface Cloud computing is fashionable. Ralf Lauren Fall 2010
- 4. Preface But what about performance & security? Coco Chanel circa 1920
- 5. Cloud and the “security problem” Why is security so hard to sell today? Complex Hard to understand Economic benefit to business unclear
- 6. Cloud and the “security problem” Computing as a utility – Simple – Easy to measure economic benefit – Security is built-in
- 7. Cloud and the “security problem” The good news – The Tier 1 providers are better at security than you or me The bad news – You still have application software – Just with a bigger threat surface
- 8. The cloud threat surface CIO mistakes Application software
- 9. The top 3 mistakes CIOS make No knowing how much your assets are worth asset.val()== undefined Writing procedures while attackers exploit your software $p != security.software Confusing compliance with data security $c != security.data
- 10. Rich Web 2.0 applications 2011 2-5 languages Server stack Message passing in the UI PC Browser Smartphone Device 3-5 languages Message passing in the UI
- 11. Message passing in the UI? Very bad idea. Worst dressed at BET Awards 2010
- 12. Rich Web 2.0 entry points DB Servers Interfaces Server stack PHP, C#, Ruby, J2EE HTML/Javascript/CSS Web servers HTML XML PC CSS Browser Smartphone Device Javascript Java Flash
- 13. Rich Web 2.0 attack scenarios Any kind of code injection Server or client returns invalid HTML Pages contain dead links HTML forms don't match field types expected by controllers Client side makes bad assumptions about AJAX services Server may attempt to execute invalid SQL queries Improper marshaling/un-marshaling – DB server to Web server – DB server to application tier – Web server to browser
- 14. Rich Web 2.0 vulnerabilities Heterogeneous stacks – Too much chewing gum PHP, Ruby, Python – Flexibility, no static type guarantees C#, Java – Static typed, but only at Web server – Code complexity increases threat surface Redundant code on servers and clients Redundant data on servers and clients Client-server latency – Slow HTTP POST attacks
- 15. Cloud security reference model
- 16. Security summary Security Control model looks great But doesn't mitigate core vulnerabilities Typing issues Interface issues Redundant code, data and tiers Client-server latency
- 17. Performance - time is money Amazon.com 100 ms of latency costs Amazon 1% of sales (http://highscalability.com) Google.com 500ms delay in delivery is a 20% drop in traffic (Google VP Marissa Mayer) Competing stock trading platforms 5ms delay is $4M in losses / ms.
- 18. Web servers 2011 Browser opens connection. Server forks a thread for each connection, using blocking IO. Ajax latency: 200-600ms
- 19. Hardware 2011 What about multiple-processor concurrency? Threads don't scale well with multi-cores Processes are necessary to scale to multi- core computers, not memory-sharing threads.
- 20. Threads are a bad idea The mixture of threads and modern multi- core systems add up to some serious race condition potential. http://blogs.msdn.com/b/david_leblanc/archive/2007/04/19/why-threads-are-a-bad-idea.aspx Thread-based networking is inefficient and very difficult to use. http://www.kegel.com/c10k.html and http://bulk.fefe.de/scalable-networking.pdf
- 21. The future of apps in the cloud The fundamentals of scalable systems are fast networking and non-blocking design— .The fundamentals of scalable systems are fast networking and non-blocking design—the rest is message passing the rest is message passing. 3 technologies will be game changers,I think... ● Web sockets ● Node JS ● Couch DB
- 22. The future of apps in the cloud Web sockets Open a connection to Web server It stays open Pass messages Eliminates at least 2 processes for every connection. (Browser-Server & Server-Database) Low Latency: 20-60ms instead of 200-600ms
- 23. The future of apps in the cloud Node.js Javascript on client and server No threads No blocks or locks UI is HTML & CSS Asynchronous message passing with Web sockets
- 24. The future of apps in the cloud CouchDB Application served out of CouchDB CouchApp lives in the browser. No middle tier Javascript on client and server UI is HTML & CSS CouchDB uses Ajax to shove JSON back and forth. CouchDB replicates on smart phones
- 25. Summary Application vulnerabilities are expensive 100x more expensive to fix after implementation Potential data loss in the cloud Security controls don't come cheap Time is money High latency applications less responsive Your cloud provider charges per CPU cycle Your costs go up, revenue goes down Promising new technologies No middle/data tiers, reduced threat surface 10x lower latency Your costs go down, revenue goes up.