Security and performance: Breaking the conundrum. . .again
Security techniques have generally focused on protecting users by blocking requests going to the origin, but security is also a concern at the browser. Sonia Burney and Sabrina Burney explore how security can be enforced at the browser level through a combination of optimization techniques and security enhancements, which overall provide an optimal end-user experience.
| Talk Title | Security and performance: Breaking the conundrum. . .again |
| --- | --- |
| Speakers | Sonia Burney (Akamai), Sabrina Burney (Akamai) |
| Conf Tag | Build resilient systems at scale |
| Location | Santa Clara, California |
| Date | June 21-23, 2016 |
While security techniques have generally focused on protecting users by blocking requests going to the origin, there is now a shift toward protecting users at the browser while still providing an optimal experience. Two examples are HTTP/2, with its new concept of server push, where resources are queued up at the origin without being requested by the browser, and the more recent single-page application, which also aims to reduce the number of requests during a session by loading all necessary resources the first time a site is loaded. This poses the question: where does security fit as we attempt to reduce the number of requests and focus on the end-user experience?

The goal of security is to protect the origin servers by blocking malicious requests. The goal of frontend performance techniques is to improve page rendering for the end user through several optimizations, including reducing the number of HTTP requests, in order to reduce load time. Sonia Burney and Sabrina Burney explore how security can be enforced at the browser level through a combination of optimization techniques and security enhancements, which together provide an optimal end-user experience.

Optimization techniques inherently reduce the need for security at the origin, as much of the rendering work is done on the frontend without needing to go back to the origin server. Additionally, techniques such as obfuscation and HTTP/2, service worker and web worker applications, content security policy (with HTTP/2) and strict transport security, iFrame sandboxing (and more) to avoid third-party phishing or malicious code injections, and subresource integrity can improve the end-user experience and avoid some of the security risks involved in navigating between pages on a site, clicking on third-party content, and filling out forms.
As we’ve seen before, a security issue can result in a performance issue and vice versa, so why not utilize techniques that achieve benefits in both areas, which are equally important from an end-user perspective?