Web3

Just as we all were catching up on Web 2.0, Web3 has started making the rounds. One keeps wondering what this is all about, so it makes sense to go through the history of the web to some extent. This article will list a lot of new terms and phrases, which I intend to cover in detail in the coming days, but for now let's focus on Web3.

In a nutshell, Web3 is all about decentralization: of ownership, of permissions and of trust. It also brings some added benefits which we will see later in the post. However, to understand why decentralization has been the key idea behind Web3, one needs to understand what the original web and Web 2.0 were.

The origin

The World Wide Web, as it was envisaged, was and is a network of connected computers. The early days were primarily "read-only": creators produced content and hosted it on their websites. Internet consumers read that content and were happy with this new information base; there was very little else they could do at that point in time.

Evolution

As the user base grew, users wanted to do more with the internet, and that gave rise to interactivity. The "read-only" web turned into a "read-write" web. Social networks gave users the opportunity to connect with each other and do a lot more than just reading.

However, the idea of a "connected" world also concentrated power in the hands of a handful of entities, which could snatch control away from users in a jiffy, e.g. Trump being banned from Twitter, or governments asking social networks to take down specified pages or handles. To some, this was a disturbing development, and it gave rise to the next stage in the evolution: decentralization.

Current stage – Web3

Web3 represents the decentralized internet: you own a piece of the internet rather than just consuming and producing on it. Blockchain paved the way for this stage. Bitcoin, the first widely used blockchain, introduced both the blockchain data structure and the idea of a parallel currency, and its creators and early adopters rejoiced in it. It also taught users that a currency, or for that matter any data on the internet, can be controlled by the public via consensus rather than by a single entity or a handful of them. The launch of Ethereum took this concept even further: even trust could be decentralized, with the various participants (nodes) reaching consensus about whether to trust something instead of deferring to a central authority. This is where the current stage got marked as Web3.

Decentralization diagram representing Web3

Some distinct advantages of Web3:

  • Decentralization
  • Permissionless
  • Trustless
  • Support for native payments

In Web3, typically, your data lives on one blockchain or another. With oracles or similar mechanisms, a blockchain can interact with the external world or with other blockchains, thereby extending the core concept of decentralization. One can carry one's own data from one blockchain to another without needing anyone's permission. Note, however, that an oracle is itself a trusted component: whatever feeds data into the chain can feed wrong data, so the guarantee is only as strong as the oracle's design.

Limitations and Problems

Although decentralization is the core idea, the infrastructure where all the data resides will most likely still be owned by a handful of companies (cloud providers, or the service providers hosting the code base and authentication systems). The concepts of Web3 are still complex for the majority of users and act as a deterrent. With the current level of technology, accessibility is still a challenge from a cost perspective.

Having seen the evolution so far, it is only prudent to believe that these limitations and problems will be addressed in the near future, increasing Web3 adoption.

Some other important concepts:

  • NFT – Non-fungible tokens
  • Cryptocurrency
  • CryptoExchanges
  • Smart Contracts
  • Proof of work
  • Proof of stake
  • DAOs (Decentralized Autonomous Organizations)

OWASP ZAP

With millions of web applications out there, it is only natural to see increasing attacks on them. OWASP, the Open Web Application Security Project, aims to equip web developers with knowledge of the various security threats and to produce tools and technologies that help tighten the security of their applications. ZAP is one such tool from OWASP and helps with penetration testing.

Representative image depicting hacker attack on the webapp which can be emulated using OWASP ZAP

Penetration testing, aka pen-testing, is a type of testing where the tester attacks the application with the goal of breaking into the system, just as a real attacker would, to show how data could be stolen. It involves manipulating requests at various levels (headers, payloads, etc.) and thereby finding a way through the server application to the data. This is where ZAP comes into the picture: it lets testers perform all of these manipulations easily.

ZAP – Zed Attack Proxy

ZAP is a free and open-source pen-testing tool maintained under OWASP. It is built in Java and is designed specifically for testing web apps. As a seasoned software engineer can guess, this proxy is an intercepting ("man-in-the-middle") proxy deployed between the tester's browser and the web app under test. All traffic from the browser flows through the proxy, which can therefore record, inspect, modify and replay requests and responses to facilitate the testing.

How ZAP works (image source: https://www.zaproxy.org/getting-started/)

Availability and Usage of OWASP ZAP

ZAP is available on all the major operating systems and is not tied to any single OS. More importantly, it is also available as a Docker image, making life easy for testers. There is a marketplace of add-ons that is accessible from the ZAP client itself.

A tester can run the automated scan by providing the URL to attack. ZAP will crawl the application using its built-in spider, run its passive and active scanners against everything the spider found, and provide the results at the end of the scan. Because the active scanner actually sends attack payloads, run it only against applications you are authorized to test. Based on the severity, developers can schedule fixing the identified issues.

One can easily integrate ZAP with Jenkins in a CI/CD pipeline. You can also integrate it with Selenium alongside your automation testing, so that ZAP sees the authenticated, scripted browser traffic that the spider alone would not reach.
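A concrete way to act on the severity ratings in a pipeline is to gate the build on ZAP's JSON report. The script below is an added example, not ZAP project code; it assumes the "traditional" JSON layout that zap-baseline.py writes with -J (a top-level "site" list, each site carrying an "alerts" list with string-valued "riskcode" 0-3 and "confidence" 0-3, where confidence 0 marks a false positive). The embedded report is constructed for the example and is not the output of a real scan.

```python
"""Gate a CI pipeline on the alerts in a ZAP JSON report (added example)."""
import json
from collections import Counter

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample shaped like a zap-baseline.py -J report (not a real scan).
SAMPLE_REPORT = json.dumps({
    "@version": "2.12.0",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "10038", "name": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "count": "4"},
            {"pluginid": "10020", "name": "Missing Anti-clickjacking Header",
             "riskcode": "2", "confidence": "2", "count": "4"},
            {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "count": "1"},
            # confidence 0 is how ZAP records an alert marked as a false positive
            {"pluginid": "10054", "name": "Cookie without SameSite Attribute",
             "riskcode": "1", "confidence": "0", "count": "2"},
        ],
    }],
})


def load_alerts(report_text):
    """Flatten all alerts across sites, coercing ZAP's string codes to ints."""
    report = json.loads(report_text)
    alerts = []
    for site in report.get("site", []):
        for a in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "pluginid": a.get("pluginid", ""),
                "name": a.get("name", a.get("alert", "")),
                "risk": int(a.get("riskcode", 0)),
                "confidence": int(a.get("confidence", 0)),
                "count": int(a.get("count", 0)),
            })
    return alerts


def failing_alerts(alerts, fail_at_risk=3, ignore_plugins=()):
    """Alerts that should fail the build: at or above the risk threshold,
    not flagged as false positive (confidence 0) and not on the allow-list."""
    return [
        a for a in alerts
        if a["risk"] >= fail_at_risk
        and a["confidence"] > 0
        and a["pluginid"] not in ignore_plugins
    ]


def summarize(alerts):
    """Count alerts per risk level, e.g. {'High': 1, 'Medium': 2, 'Low': 1}."""
    return dict(Counter(RISK_NAMES[a["risk"]] for a in alerts))


def gate(report_text, fail_at_risk=3, ignore_plugins=()):
    """Return (exit_code, summary); exit code 1 means the pipeline should fail."""
    alerts = load_alerts(report_text)
    blocking = failing_alerts(alerts, fail_at_risk, ignore_plugins)
    return (1 if blocking else 0), summarize(alerts)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, summary = gate(text, fail_at_risk=3)
    print("alerts by risk:", summary)
    print("blocking:", [a["name"] for a in failing_alerts(load_alerts(text))])
    sys.exit(code)
```

In a pipeline the report comes from the ZAP Docker image, for instance `docker run --rm -v "$PWD:/zap/wrk/:rw" ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t https://app.example.test -J report.json`, followed by `python zap_gate.py report.json`. The baseline script only spiders and passively scans, so it is safe to run against a staging deployment on every build; zap-full-scan.py adds the active scanner and belongs in a scheduled job against an environment you own. Allow-listing by plugin id, rather than lowering the threshold, keeps accepted findings visible in the summary while the build stays green.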

Related Keywords:

Security, CSRF, Sidejacking, XSS, Reverse-Proxy

IPFS

As you are aware, the world is moving toward decentralized systems from centralized ones. The current web architecture is highly dependent on data served from a central location by servers. Although geographically distributed, it is still a client-server architecture and hence is commonly categorized as centralized. With the increased usage of blockchain-based technologies, the world has taken note of the need for a decentralized architecture for the web, and that is where IPFS, the InterPlanetary File System, comes into the picture.

What is IPFS?

In simple terms, it is a peer-to-peer hypermedia protocol for storing and sharing data. It enables the creation of distributed applications, with a special focus on making the web faster and more open. The term also refers to the distributed file system that can connect all computing devices with the same system of files. So the same term is used for the protocol as well as the file system, and if you dig deeper there are more usages of it:

  • As a protocol – defines a content-addressed file system (content is located by a hash of its bytes, the CID, not by where it is stored) and helps content delivery
  • As a file system – has directories and files and can be a mounted file system
  • As a web – content can be accessed via HTTP through gateways
  • As a CDN – a file added locally can be easily accessible globally, just like on a CDN
Depiction of HTTP vs IPFS showing the difference between the two.
Source: https://datatracker.ietf.org/
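Content addressing is the property that makes retrieval from untrusted peers safe: the identifier commits to the bytes, so whoever serves them cannot substitute different content undetected. The code below is an added example in pure Python, not code from the IPFS project. It builds a CIDv1 for a single "raw" block (multibase prefix 'b' plus lowercase unpadded base32 of version 0x01, codec raw 0x55, and a sha2-256 multihash 0x12 0x20 digest), which is what `ipfs add --cid-version=1` yields for a file small enough to fit in one chunk; larger files are chunked into a DAG whose root CID is not a plain hash of the bytes, and that case is out of scope here. The sample data is constructed.

```python
"""CIDv1 (raw codec, sha2-256) construction and verification (added example)."""
import base64
import hashlib

MULTIBASE_BASE32 = "b"   # multibase prefix for lowercase base32 without padding
CID_V1 = b"\x01"
CODEC_RAW = b"\x55"
MH_SHA2_256 = b"\x12"
DIGEST_LEN = 32


def cid_v1_raw(data: bytes) -> str:
    """Compute the CID an IPFS node assigns to a single raw block of `data`."""
    digest = hashlib.sha256(data).digest()
    multihash = MH_SHA2_256 + bytes([DIGEST_LEN]) + digest
    raw = CID_V1 + CODEC_RAW + multihash
    return MULTIBASE_BASE32 + base64.b32encode(raw).decode().lower().rstrip("=")


def decode_cid_v1_raw(cid: str) -> bytes:
    """Return the sha2-256 digest embedded in a base32 CIDv1/raw CID."""
    if not cid.startswith(MULTIBASE_BASE32):
        raise ValueError("only base32 multibase ('b...') CIDs are handled here")
    body = cid[1:].upper()
    body += "=" * (-len(body) % 8)          # restore the base32 padding we stripped
    raw = base64.b32decode(body)
    if raw[:2] != CID_V1 + CODEC_RAW or raw[2:4] != MH_SHA2_256 + bytes([DIGEST_LEN]):
        raise ValueError("not a CIDv1 raw/sha2-256 CID")
    if len(raw) != 4 + DIGEST_LEN:
        raise ValueError("truncated multihash")
    return raw[4:]


def verify(cid: str, data: bytes) -> bool:
    """What a node or gateway client must do with bytes received from a peer:
    accept them only if they hash to the digest the CID commits to."""
    return hashlib.sha256(data).digest() == decode_cid_v1_raw(cid)


if __name__ == "__main__":
    sample = b"constructed sample block for the IPFS example\n"
    cid = cid_v1_raw(sample)
    print(cid)                                  # 59 characters, starts with bafkrei
    print(verify(cid, sample))                  # True
    print(verify(cid, sample + b"tampered"))    # False
```

The practical point for a security reviewer: an IPFS gateway URL such as `https://<gateway>/ipfs/<cid>` only gives integrity if the client re-hashes what it receives, as `verify` does; a browser fetching from a public gateway over plain HTTPS trusts the gateway instead, which is the same trust model as any CDN.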

IPFS is still in the development stage but is generating a lot of buzz. Recently, 80+ developers and implementers got together to push the implementation further.

IPFS was created in 2014 and its alpha version launched in 2015. Since then it has gathered good momentum along with other distributed technologies.

Use cases

Some interesting use cases are emerging from this technology.

Related Keywords

DApps, BlockChain, Cryptography, EFS

Gunicorn

It has been raining unicorns in India over the last few months (albeit at a slower pace over the last few weeks). However, Gunicorn has nothing to do with the unicorns we are seeing in the startup world. It is a very common name in the Python world, so let's understand more about it in today's term.

Representative image of a unicorn (photo by Kindel Media). Gunicorn is an application server used for Python-based frameworks.

What is Gunicorn

It is a Python WSGI application server for UNIX. WSGI, the Web Server Gateway Interface (PEP 3333), is the standard calling convention between a web server and a Python web application. Gunicorn implements the server side of that interface: it accepts HTTP requests, usually from a reverse proxy, and hands them to the application as WSGI calls. A typical web setup for a Python framework involves Nginx, a WSGI server like Gunicorn or uWSGI, and a web framework like Django or Flask.

Gunicorn can work behind a host of web servers, including Nginx and Apache, and with any web application that speaks the WSGI interface.

It is a pre-fork worker model ported from Ruby’s Unicorn project.

https://gunicorn.org/

Gunicorn is made to serve one application per instance and to provide a way of running that application as efficiently as possible. It also takes care of managing the worker processes that run your app, so you can focus on developing your code and features.

Advantages of Gunicorn

It is a well-performing application server that is easy to configure and light on CPU. At one point Instagram ran Django + Gunicorn, having phased out mod_wsgi in favour of it. Additionally, it takes care of everything between the web server and your application, leaving your application to do what it is meant for. Easy to configure and easy to maintain, it is a common choice for several leading websites mentioned below.

Alternatives:

  • uWSGI
  • mod_wsgi with Apache
  • Nginx
  • IIS
  • OpenResty
  • LiteSpeed

Note that Nginx, IIS, OpenResty and LiteSpeed are general-purpose web servers and reverse proxies rather than WSGI servers; they run Python applications only through a server-specific module or by proxying to a WSGI server such as Gunicorn or uWSGI.

Some popular websites that use this component as their application server include Mozilla.org, Twilio.com and ubuntu.com. (Statistics)

K8ssandra

Folks working with Kubernetes will relate to the word "K8ssandra" very quickly: something related to Kubernetes (more fondly called K8s). Yes, that is right.

Apache Cassandra is the preferred database for many large-scale applications. Kubernetes provides the orchestration tooling and infrastructure for several of these applications. Combining the two under a single umbrella helps enterprises meet their requirements easily.

What is K8ssandra?

It is a cloud-native distribution of Apache Cassandra that runs on Kubernetes. Pronounced "Kate-Sandra", it is an open source project licensed under the Apache Software License v2. The project provides a set of tools for data APIs and automated operations for Cassandra, including monitoring, services for site reliability, and backup/restore tools.

Cassandra is a distributed database management system. It is a free and open source project that provides a scalable, highly available, fault-tolerant, wide-column database to support large amounts of data across many commodity servers.

Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available. (Source)

Creating, deploying and managing the various components of a Kubernetes setup, such as Pods, Deployments and ConfigMaps, can be time-intensive and complex, and it only gets harder as your architecture grows. K8ssandra does the heavy lifting for you. As an infrastructure engineer, or even a developer, it is always better to have a reliable tool that does that job for you.

Components

K8ssandra components (image source: https://docs-v2.k8ssandra.io/components/)

It provides a set of components that are glued together as part of the installation process itself. The following components are packaged and installed:

  • Apache Cassandra
  • Stargate
  • Cass Operator
  • Reaper for Cassandra
  • Medusa for backup/restoration
  • Metrics collector with Prometheus integration and dashboards in Grafana
