
Tune your App Perf (and get fit for summer)

@SqreenIO
https://www.sqreen.io


  1. Confidential & proprietary © Sqreen, 2015. Tune your app perf (and get fit for summer). We make products antifragile.
  2. Jean-Baptiste Aviat, CTO @SqreenIO (https://sqreen.io). Former hacker at Apple (Red Team). @JbAviat, jb@sqreen.io
  3. "Premature optimization is the root of all evil." (Donald Knuth)
  4. "We don't have bugs." "Or maybe one..." "Okay, betas are done for that!"
  5. Sqreen behind the scenes: examine the environment; run code specific to the class of vulnerability; log security events; automatically check for Sqreen security rule updates. All while keeping the app fast.
  6. HTTP request anatomy (diagram): the client sends a request to the Rails server; the Rails app code issues queries to the DB, the cache and services; the JSON response goes back to the client.
  7. HTTP request with Sqreen (diagram): the same path, with Sqreen code running inside the Rails server alongside the Rails app code.
  8. Attack blocked by Sqreen (diagram): the attack is turned into an error by the Sqreen code before the query reaches the DB, cache or services, and the event is logged to the Sqreen backend.
  9. Thanks early adopters, we owe you one! Our beta customers raised different concerns: 1. average response time; 2. CPU consumption (mostly on machine-facing APIs); 3. memory usage; 4. bandwidth.
  10. Endless path to perf optimization. Know what you are looking for. Measure: understand precisely what needs to change (Pareto law: 80% of execution time is spent in 20% of your code). Change: just code it. Evaluate: compare to previous measures. Start over (Measure, Change, Evaluate).
  11. What about our gem?
  12. Sqreen code executed during a client request doesn't use the network and doesn't interact with the filesystem. The decision to block is made in the application. Back-end communication is performed in a dedicated thread (request processing stays on the query path).
  13. Asynchronous by design (diagram): Rails threads run the Rails / app code and the Sqreen code on the request/response path; a dedicated Sqreen thread (the Sqreen worker) talks to the Sqreen backend.
  14. Asynchronism benefits (columns: time, +X ms, +XX %): Default 150 ms, 0 ms, +0 %; Dumb 225 ms; Sqreen 156 ms, +4 %.
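The "asynchronous by design" split of slides 12 and 13, written out as an added example (this is not Sqreen's gem code): request threads only push security events onto a queue, and one dedicated worker thread batches them and talks to the backend, so the request path never waits on the network. `SlowBackend`, `AsyncReporter` and `simulate_requests` are names chosen here; the backend is a constructed stand-in that just sleeps, and the events are constructed.

```ruby
# Constructed stand-in for the Sqreen backend: each post costs `latency` seconds,
# which is the cost we want to keep off the request thread.
class SlowBackend
  attr_reader :batches

  def initialize(latency: 0.01)
    @latency = latency
    @batches = []
  end

  def post(events)
    sleep @latency
    @batches << events.dup
  end
end

# Hypothetical reporter: the request thread calls record(), the worker thread
# (the "Sqreen thread" of the slide) owns every network round-trip.
class AsyncReporter
  STOP = Object.new

  def initialize(backend, batch_size: 10)
    @backend = backend
    @batch_size = batch_size
    @queue = Queue.new               # thread-safe, blocking pop
    @worker = Thread.new { run }
  end

  # Called from the request thread: constant time, no I/O.
  def record(event)
    @queue << event
    nil
  end

  # Flushes whatever is pending and stops the worker (e.g. at process exit).
  def stop
    @queue << STOP
    @worker.join
  end

  private

  def run
    batch = []
    loop do
      item = @queue.pop              # blocks until an event (or STOP) arrives
      if item.equal?(STOP)
        @backend.post(batch) unless batch.empty?
        break
      end
      batch << item
      next if batch.size < @batch_size
      @backend.post(batch)           # aggregate: one round-trip per batch
      batch = []
    end
  end
end

# Simulates `count` requests that each record one constructed security event and
# returns what a test can check: everything shipped, shipped in batches, and the
# worst-case cost of record() as seen by the request thread.
def simulate_requests(count, batch_size: 10)
  backend = SlowBackend.new
  reporter = AsyncReporter.new(backend, batch_size: batch_size)
  max_record = count.times.map do |i|
    t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    reporter.record(request_id: i, rule: "constructed-rule", blocked: true)
    Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
  end.max
  reporter.stop
  {
    shipped: backend.batches.sum(&:size),
    batches: backend.batches.size,
    max_record_seconds: max_record,
  }
end
```

With 25 events and a batch size of 10 the backend sees three posts (10, 10 and 5 events) while each `record` call returns in microseconds. A production agent would use a `SizedQueue` so that a backend outage applies backpressure (drop or count events) instead of growing memory without bound, which matters given the memory concerns raised later in the deck.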
  15. Reduce I/O (diagram): for bandwidth, memory and requests, ask whether each is required, then strip and aggregate.
  16. ExecJS call time. ExecJS allows many runtimes: V8 (close to pure Ruby), JSCore (OSX only), Node (ExecJS runs the Node binary). Chart: call time in milliseconds (axis 0 to 70) for Pure Ruby, V8, JSCore (OSX) and Node.
  17. ExecJS memory usage: low memory usage, but it leaks! @samsaffron helped a lot. Can be solved using context recycling: ExecJS should be reset regularly. Chart: memory (MB, axis 0 to 700) over seconds (axis 0 to 600).
  18. Optimize ExecJS use: reduce ExecJS spawn time (precompile everything); spawn ExecJS as little as possible. We introduced pure Ruby pre-conditions: now the decision to call ExecJS is taken in Ruby.
  19. Minimize ExecJS overhead. Pick relevant methods: perform analysis only on requests using a risky API. Validate exposure: check if the API uses arguments that can be vulnerable. Analyze: the JS engine is spawned and performs further analysis. Alert & block: if there is a security risk, we block the request and alert our back-end.

```ruby
# Slide pseudocode, with the include? receivers put the right way round:
# the list of watched methods is asked whether it contains the current method,
# and the argument is asked whether it contains request parameters.
if watch_methods.include?(method)          # pick relevant methods (pure Ruby)
  if method_arg.include?(parameters)       # validate exposure (pure Ruby)
    if ExecJS.is_an_attack?                # analyze: only now is the JS engine spawned
      tell_thread_to_record_alert          # alert: hand off to the dedicated thread
      block_this_request                   # block
    end
  end
end
```

  20. Virtuous circle of optimization (Mem, I/O, CPU, bandwidth). Memory: reducing memory usage leads to smaller objects to be treated and faster garbage collection. CPU: reducing CPU usage leads to an overall faster process. Bandwidth: less bandwidth means less server occupation and leads to faster responses. I/O: reducing I/O reduces the time needed for tasks.
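The pre-condition funnel of slides 18 and 19 as an added, runnable example (not Sqreen's gem code): two cheap pure-Ruby checks run first, and the expensive analysis runs only when both pass, so a counter on the expensive path shows how much work the pre-conditions save. `RequestGuard`, `CountingAnalyzer` and `run_demo` are names chosen here; the watched method list, the sample calls and the analyzer rule (flag a statement terminator) are constructed stand-ins, not Sqreen rules.

```ruby
require "set"

class RequestGuard
  # watch_methods: names of risky APIs worth inspecting (hypothetical list)
  # analyzer:      callable returning true when the argument is an attack
  # reporter:      callable that hands the alert to the background thread
  def initialize(watch_methods:, analyzer:, reporter:)
    @watch_methods = watch_methods.to_set
    @analyzer = analyzer
    @reporter = reporter
  end

  # Returns a symbol naming the stage that decided the outcome.
  def check(method_name, argument, request_params)
    # Pre-condition 1 (pure Ruby): is this one of the watched methods?
    return :skipped_method unless @watch_methods.include?(method_name)
    # Pre-condition 2 (pure Ruby): does any request parameter reach the argument?
    return :skipped_no_user_input unless exposed?(argument, request_params)
    # Only now pay for the expensive analysis (the JS engine on the slide).
    if @analyzer.call(argument)
      @reporter.call(method: method_name, argument: argument)
      :blocked
    else
      :clean
    end
  end

  private

  # Crude exposure test: a non-empty parameter value appears verbatim in the argument.
  def exposed?(argument, params)
    params.values.flatten.any? do |value|
      value.is_a?(String) && !value.empty? && argument.include?(value)
    end
  end
end

# Counts how often the expensive path ran. The rule itself is a constructed toy
# (flag a ';' statement terminator), standing in for the real JS analysis.
class CountingAnalyzer
  attr_reader :calls

  def initialize
    @calls = 0
  end

  def call(argument)
    @calls += 1
    argument.include?(";")
  end
end

# Drives the guard over constructed sample calls and returns what a test can check.
def run_demo
  analyzer = CountingAnalyzer.new
  alerts = []
  guard = RequestGuard.new(
    watch_methods: %w[execute exec_query],    # hypothetical risky DB APIs
    analyzer: analyzer,
    reporter: ->(alert) { alerts << alert }   # stands in for the worker-thread handoff
  )
  samples = [
    ["render",  "users/index",                                   { "q" => "alice" }],
    ["execute", "SELECT * FROM users WHERE id = 1",              { "id" => "7" }],
    ["execute", "SELECT * FROM users WHERE name = 'alice'",      { "name" => "alice" }],
    ["execute", "SELECT * FROM users WHERE name = 'bob; extra'", { "name" => "bob; extra" }],
  ]
  outcomes = samples.map { |m, arg, params| guard.check(m, arg, params) }
  { outcomes: outcomes, analyzer_calls: analyzer.calls, alerts: alerts.size }
end
```

Of the four constructed calls, only the last two reach the analyzer: the first is not a watched method and the second carries no request parameter in its argument. The exposure test here is deliberately simple (substring match); a real agent would track where each argument came from, but the shape of the funnel, and the reason it keeps the JS engine cold for most requests, is the same.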
  21. Benefits of multithreading: 144% (over the dumb implementation).
  22. Benefits of V8 (over the Node runtime): -1000%.
  23. Benefits of recycling the ExecJS context: reduced leaks (garbage collection, overall memory usage...).
  24. Benefits of pre-conditions: just faster :) (less context recycling, less context switching...).
  25. Client perf is not all about the client. How to reduce I/O time without changing the client? The exposed APIs need to respond faster. We are applying the same method to our back-end.
  26. Set up your feedback loop. Now you should monitor your performance (automatically)! And do the same with security ;) Keep on coding...
