Security And Performance: A Tale Of Two Cities
0 likes3,503 views
The document discusses balancing security and performance in applications. It introduces the Joshi hierarchy of application needs which places security above performance. It then covers various aspects of security like layers, threats, secure coding practices, and security testing. It also discusses performance tuning techniques like understanding workload, optimizations at different levels, and automated performance monitoring. The key messages are that security is vital, performance is critical, but both can be achieved through practices like secure coding, optimizations, and continuous monitoring and improvement.
Security And Performance: A Tale Of Two Cities
- 2. #StrataData Strata Data Conference, London An Insight Into Intuit Founded 7,900 Employees 42M Customers 1993 IPO $4.7B Revenue 24 Locations 1983
- 3. #StrataData Strata Data Conference, London Our Mission: Powering Prosperity Around World
- 4. #StrataData Strata Data Conference, London Is Your Application Online or Data Intensive? Is This Talk For You?
- 5. #StrataData Strata Data Conference, London The Joshi Hierarchy Of Application Needs Security Performance Utility Operability Adding Value Maslow hierarchy of needs Joshihierarchy of application needs
- 6. #StrataData Strata Data Conference, London The First Step In Defense Is To Know Your Weaknesses
- 7. #StrataData Strata Data Conference, London Security Layers Physical Security: Earthquake, Flood, Fire Network Security: MIT Kerberos, TLS Platform Security: Authentication, Authorization, Audit Cloud Security: Regions, VPN, Subnet, VPC, Security Groups, ACL Data Security: Data Governance, Encryption, Key Rotations Application Security: Secure Coding, No obscurity
- 8. #StrataData Strata Data Conference, London Constant Vigilance Fix Vulnerabilities Threat Modeling Penetration Testing Spam Emails Virsues, Trojans, Worms SQL Injection Cross Site Scripting Distributed Denial of Service attacks Spoofing Deprecation Social Engineering
- 9. #StrataData Strata Data Conference, London Constant Vigilance Threat Modeling Penetration Testing http://www.cvedetails.com/vulnerabilities-by-types.php Fix Vulnerabilities
- 10. #StrataData Strata Data Conference, London Constant Vigilance Threat Modeling Penetration Testing https://security.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html Fix Vulnerabilities Open Source - Do Your Own Due Diligence
- 11. #StrataData Strata Data Conference, London Constant Vigilance Fix Vulnerabilities Penetration TestingThreat Modeling DREAD: Damage Potential, Reproducibility, Exploitability, Affected users, Discoverability
- 12. #StrataData Strata Data Conference, London Constant Vigilance Fix Vulnerabilities Threat Modeling Penetration Testing
- 13. #StrataData Strata Data Conference, London Secure By Design
- 14. #StrataData Strata Data Conference, London Security Facets Authentication Authorization Auditing EncryptionIsolation Standby ClusterKey Rotation Key And Secret Management Data Governance https://www.owasp.org/index.php/Security_by_Design_Principles
- 15. #StrataData Strata Data Conference, London Security In Practice Deployment • Regular AMI updates/patches • Ensure no access Leaks • Secure your configurations • Heed internal security bulletin Application • Ensure no cross site scripting • Ensure no memory leaks, buffer overrun • Ensure thread safety • Implement secure patterns Security Is Never “Done”, It Is a Journey.
- 16. #StrataData Strata Data Conference, London Is Your Tech Stack Secure? For a service to be business viable, it needs to be secure! Example Tech Stack Linux Hadoop 2.x AWS Services Spark Kafka Cassandra Kerberos Security Encryption (TLS, TDE) Shared Responsibility Model Principle Of Least Privilege Data Governance Key Rotation
- 17. #StrataData Strata Data Conference, London But Secure Does Not Have To Mean Slow..
- 18. #StrataData Strata Data Conference, London Performance Tuning Understanding workload Leaner deployment patterns Scalable components Data structures, algorithms Caching Limit strings, objects created Tune garbage collector Use asynchronous processing Code quality Memory optimizationApplication Optimizations: Code Quality, Language, Caching, Using Asynchronous API Platform Optimizations: Provider, Auto scaling, Tuning Database Optimizations: Indexes, tables, partitioning OS Optimizations: CPU, Network, IO
- 19. #StrataData Strata Data Conference, London Performance Tuning Hardware Optimizations: Processor, cores, SSD, disks, file system
- 20. #StrataData Strata Data Conference, London Don’t Settle For A Single Test Run Performance Tests: Simulated Representative Load, Concurrent Users, Varying Variables, Environment, Key Vault Performance
- 21. #StrataData Strata Data Conference, London But Start With The End In Mind.. Targeted Load (TPS) Resource Stack Server Side Latency 3,000 12 Web 12 App 06 Cassandra < 10ms 6,000 24 Web 24 App 12 Cassandra < 10ms Intuit Open source AB Testing: https://github.com/intuit/wasabi
- 22. #StrataData Strata Data Conference, London Be Proactive In Measuring Performance AWS resource alarms Custom App MetricsJVM and App Metrics Custom process alerts Logging and alert Prometheus.io ElasticSearch Kibana LogStash Slack Grafana
- 23. #StrataData Strata Data Conference, London So What Should You Do Now?
- 24. #StrataData Strata Data Conference, London - AMI, OS, Software patches Patch, Patch, Patch Be Secure Adopt Principle Of Least Privilege - Access Controls - Authentication, Authorization Know And Manage Your Data - Data Governance - Legal And Compliance Embrace Secure Coding Practices - Secure Configuration - Input Validation - No Memory Leak - Internal Security hack-a-thons - External Security blogs Publish Internal Security Bulletins
- 25. #StrataData Strata Data Conference, London Be Fast Have Automated Fast Lean Stateless Deployment Embrace High Performance Coding Practices - Fewer Object Creation - Garbage Collection Tuning - Secure Configuration Have Performing Infrastructure - Processor chips, cores - Type Of Instance - Auto Scaling
- 26. #StrataData Strata Data Conference, London Takeaways Security Is Vital Performance Is Critical You Can Have Them Both It’s a Journey
- 27. #StrataData Strata Data Conference, London @rekhajoshm https://www.linkedin.com/in/rekhajoshm