WASM, it another of those acronyms being thrown about the board room. I know it sounds like 1980’s gang slang, but it is actually short for WebAssembly, and is an interesting technology that allows the running of high-performance code written in languages like C, C++, Rust or Go directly from a web-browser. This allows for a faster response time than a traditional JVM.
At a slightly lower level WebAssembly (WASM) is a binary instruction format for a stack-based virtual machine that runs in web browsers (sounds like a web-based Hypervisor). It is designed to be fast, portable, and secure, and to work well with existing web technologies. WASM enables web developers to write high-performance applications in languages such as C, C++, Rust, and Go, and compile them to a compact and efficient binary format that can be executed by the browser’s JavaScript engine at native speeds rather than being throttled by an interpreter interface. WASM also supports non-web embeddings, such as edge computing and blockchain. As a part of this article, we will share our opinion on why WASM is useful to increase security, especially when combined with a DevSecOps approach.
The fact that employing WASM helps to isolate the code execution from the host environment is perhaps the most significant advantages of using WASM. This isolation is due to the fact that the code is capable of running in a sandboxed environment, this prohibits unauthorised access to the client’s system resources, such as memory, files, and the network; thereby decreasing the attack surface as well as any chance of exploiting or injecting malicious code into the user system. One other advantage of utilising WASM is that it has the potential to improve both the speed and the efficiency of the code. The WASM compiler takes high-level languages like C, C++, or Rust as input and produces code that is both efficient and compact. Because of this, the code has the potential to run quicker and whilst potentially consuming less bandwidth when compared to conventional JavaScript, or other interpreted languages like Python. This opens up the web environment to more high-performance use cases like, for example, Gaming. Alternatively, even if we just consider standard business applications, faster code execution will improve a user’s experience and increase user satisfaction scores.
This increase in security is of great interest to the denizens of DevSecOps, as the paradigm attempts to integrate security into every stage of a software development lifecycle. The vaulted aims of delivering secure and reliable software faster and more efficiently can be adequately achieved by moving from code based on an interpretated language like Python or JavaScript to running in a sandboxed WASM environment.
What are the main use cases for WASM?
We have shown that WASM has some key security features that significantly lower the attack surface of a web delivered application, so what are a couple of use cases where WebAssembly can be useful for performance and also security:
- Banking: This category includes web applications that handle sensitive data or transactions, such as online banking, e-commerce, or health care. With the help of WASM, data and transactions may be encrypted, authenticated, and confirmed more effectively, and web pages can be loaded and processed more quickly as well.
- Web applications that encompass intricate algorithms or computations, such as machine learning, image processing, or gaming, are readily accessible on the internet but often suffer significant performance issues. WebAssembly (WASM) leverages the capabilities of native code to do these tasks with improved efficacy and enhanced security, while ensuring the web applications’ functionality and quality remain uncompromised.
- Platform Mobility: Web applications that need to run on different platforms or devices, such as mobile phones, tablets, or desktops can use WASM to provide cross-platform compatibility and portability, without requiring additional plugins or frameworks. This can also reduce the maintenance and deployment costs of the web applications.
What sort of technologies are needed to wrap WASM in a DevSecOps wrapper?
Those that know me are probably laughing at this section header, I almost never talk about technologies; DevOps and DevSecOps are paradigms, and culture not products. But the fact is that the world we live in products and tooling is still needed. So what do we need to enfold a WASM environment in a DevSecOps wrapper, well some of the technologies that I would use are:
- Docker: This is the tool that allows the creation and running of the containers that isolate the application from the host system. By using Docker, it can help to standardize and automate the development, testing, and deployment of the web applications using WASM.
- Kubernetes: This platform allows you to manage and orchestrate the multiple containers that may be required to allow multiple users to access the application across different nodes or clusters. Kubernetes helps to scale, monitor, and more importantly update the web applications using WASM in a secure and efficient way.
- Version Source Control (VCS): A platform like GitHub or Bitlocker that allows the collaboration and hosting of code repositories. A VCS can help to implement version control, code review, pull requests, and continuous integration for the web applications using WASM.
- Pipeline management: A tool like Jenkins or CircleCI will allow automating the build, testing, and deployment of web applications using WASM. A pipeline manager will help to integrate security checks, automate code analysis, unit testing, performance testing, and deployment into the development pipeline.
- Automated Code Review tooling: A tool like SonarQube allows DevSecOps teams to measure and improve the quality and security of their code. Automated Code review tooling can help to identify and fix vulnerabilities, bugs, code smells, and reduce technical debt in the web applications using WASM.
Where could WASM be in the Future?
What I personally find interesting about WASM is that it is an extendable framework and not just limited to web-browsers. This is definitely an interesting technology, but what about the future, I personally feel that we are just brushing the surface of what is possible woth WASM, looking at the current use of the technology the logical path for the development of WebAssembly could involve several key areas:
- Performance improvements: As the primary goal of WebAssembly is to enable high-performance applications on the web, ongoing efforts to optimize its performance will continue to be essential. This includes improving compilation times, reducing binary sizes, and enhancing runtime performance.
- Language support: Currently, WebAssembly primarily supports languages like C, C++, and Rust. Expanding support for more programming languages will make it more accessible and versatile for developers, allowing a wider range of applications to benefit from WebAssembly’s performance advantages.
- Integration with web technologies: Enhancing WebAssembly’s interoperability with other web technologies, such as JavaScript and Web APIs, will enable more seamless integration and allow developers to build more sophisticated applications using a combination of WebAssembly and other web technologies.
- Security: Ensuring the safety of WebAssembly is crucial, given its role in running code within the browser environment. Ongoing efforts to maintain and improve security features, such as sandboxing, will be vital in protecting users from malicious code.
- Developer tools and ecosystem: Providing comprehensive developer tools, documentation, and resources will help make WebAssembly more accessible and foster a thriving ecosystem around it. This includes debuggers, profilers, and other tools that streamline the development process.
- New features and extensions: Exploring new features and extensions that can enhance WebAssembly’s capabilities is another important aspect of its development path. This could include exploring possibilities for limited virtualization or containerization within the browser environment, though it’s important to keep security concerns in mind.
By focusing on these areas, WebAssembly can continue to evolve as a powerful tool for web development, enabling high-performance applications and expanding the range of possibilities for developers on the web platform.
However that is only looking inside the box, one of the more left field possibilities that WASM could move towards is expanding the capabilities of the isolation, it is important to note that WebAssembly is designed to run not only in web environments but also in non-web environments, such as IoT devices, mobile/desktop apps, and even embedded within larger programs. This leads to some interesting possibilities:
- Enhanced sandboxing: Strengthening the isolation of WebAssembly modules from the host environment, ensuring that the virtual machine has limited access to system resources and APIs. This would help create a more secure and controlled execution environment.
- Resource constraints: Implementing mechanisms to limit the resource usage of WebAssembly modules, such as memory and CPU allocation. This would enable the creation of virtual machines with well-defined boundaries and prevent potential resource abuse.
- Inter-module communication: Developing standardized methods for communication between different WebAssembly modules within the same isolated environment. This would allow for modular applications where each module has a specific role and communicates securely with other modules.
To sum up, As a technology WebAssembly (WASM) is a powerful and versatile, it has the potential to revolutionize web development and beyond. Just looking at its ability to run high-performance code written in languages like C, C++, Rust, and Go directly from a web-browser offers significant advantages in terms of speed, efficiency, and security. Taking the next step and integrating WASM with a DevSecOps approach, developers will be able to leverage the paradigms benefits to create secure and reliable software throughout the entire development lifecycle. The varied use cases of WASM span across multiple industry tiers, including banking, web applications with complex algorithms, and platform mobility; by coupling the right technologies, such as Docker, Kubernetes, Version Source Control, Pipeline management, and Automated Code Review tooling, WASM can be effectively incorporated into a DevSecOps environment significantly improving a products lifecycle.
Finally as WASM continues to evolve, its development path could focus on performance improvements, expanded language support, enhanced integration with web technologies, security enhancements, developer tools and ecosystem growth, as well as new features and extensions. By exploring possibilities such as enhanced sandboxing, resource constraints, and inter-module communication, WebAssembly has the potential to become an even more powerful tool for developers in both web and non-web environments.
The future of WASM is bright and full of possibilities; it is an exciting time for developers and organizations to embrace this technology and unlock its full potential in creating innovative and secure applications.
