Upcoming Webinar Thurs 3/14: Web Application Security – Why You Should Review Yours

Please join Percona’s Information Security Architect, David Bubsy, as he presents his talk Web Application Security – Why You Should Review Yours on March 14th, 2019 at 6:00 AM PDT (UTC-7) / 9:00 AM EDT (UTC-4).

Register Now

In this talk, we take a look at the whole stack and I don’t just mean LAMP.

We’ll cover what an attack surface is and where to look in order to reduce yours, and along the way untangle some of the vocabulary:

– What exactly is an attack surface?
– Acronym hell: what do all those initialisms actually mean?
– Vulnerability naming: media silliness, or a way of driving the message home?
– Detection, prevention, and how to avoid becoming the boy who cried wolf.

Additionally, we’ll cover emerging technologies to keep an eye on or even implement yourself to help improve your security posture.

There will also be a live compromise demo (or a backup video if something fails) in which a PCI-compliant network is compromised to reach the database system, chaining multiple failures to ultimately gain bash shell access over the MySQL protocol.

Read more at: http://www.mysqlperformanceblog.com/

DBaaS, OpenStack and Trove 101: Introduction to the basics

We’ll be publishing a series of posts on OpenStack and Trove over the next few weeks, diving into their usage and purpose. For readers who are already familiar with these technologies, there should be no doubt as to why we are incredibly excited about them, but for those who aren’t, consider this a small introduction to the basics and concepts.

What is Database as a Service (DBaaS)?
In a nutshell, DBaaS, as it is usually abbreviated, is a loose moniker for the concept of a managed, cloud-based database environment accessible to users, applications and developers. Its aim is to provide a full-fledged database environment while minimizing the administrative turmoil and pain of managing the surrounding infrastructure.

Real life example: Imagine you are working on a new application that has to be accessible from multiple regions. Building and maintaining a large multiregion setup can be very expensive. Furthermore, it introduces additional complexity and strain on your system engineers once timezones start to come into play. The challenge of having to manage machines in multiple datacenters won’t simplify your release cycle, nor increase your engineers’ happiness.

Let’s take a look at some of the questions DBaaS could answer in a situation like this:

– How do I need to size my machines, and where should I locate them?
Small environments require less computing power and can be a good starting point, although this also means they may not be well prepared for future growth. Buying larger-scale hardware and hosting is expensive and can be a big stumbling block for a brand new development project. Hosting machines in multiple DCs also introduces administrative difficulties, such as differing SLAs and potential issues setting up WAN or VPN links. DBaaS introduces an abstraction layer, so these considerations are no longer yours but those of the company offering the service, while you get to reap the rewards.

– Who will manage my environment from an operational standpoint?
Staffing considerations, and taking on the knowledge required to properly maintain a production database, are often either temporarily swept under the rug or, when the situation turns out badly, the cause of the untimely demise of quite a few young projects. Rather than thinking about how long ago you should have applied that security patch, wouldn’t it be nice to just focus on managing the data itself, confident that the layers beneath it are managed responsibly?

– Have a sudden need to scale out?
Once you’re up and running and enjoying the success of a growing user base, your environment will need to scale accordingly. Rather than thinking long and hard about the many options available, and the logistics attached to those changes, your DBaaS provider could handle this transparently.

Popular public options: Here are a few names of public services you may have come across already that fall under the DBaaS moniker:

– Amazon RDS
– Rackspace cloud databases
– Microsoft SQLAzure
– Heroku
– Clustrix DBaaS

What differentiates these services from a standard remote database is the abstraction layer that fully automates their backend, while still offering an environment that is familiar to what your development team is used to (be it MySQL, MongoDB, Microsoft SQLServer, or otherwise). A big tradeoff to using these services is that you are effectively trusting an external company with all of your data, which might make your legal team a bit nervous.

Private cloud options?
What if you could offer your team the best of both worlds? Or even provide a similar type of service to your own customers? Over the years, a lot of platforms have been popping up to allow effective management and automation of virtual environments such as these, allowing you to effectively “roll your own” DBaaS. To get there, there are two important layers to consider:

  • Infrastructure Management, also referred to as Infrastructure-as-a-Service (IaaS), focusing on the logistics of spinning up virtual machines and keeping their required software packages running.
  • Database Management, referred to above as DBaaS, transparently coordinating multiple database instances to work together and present themselves as a single, coherent data repository.

Examples of IaaS products:
– OpenStack
– OpenQRM

Example of DBaaS:
– Trove

Main Advantages of DBaaS
For reference, the main reasons why you might want to consider using an existing DBaaS are as follows:

– Reduced database management costs

DBaaS reduces the amount of maintenance you need to perform on isolated DB instances. You offload the system administration of hardware, OS and database either to a dedicated service provider (public DBaaS) or, when you are rolling your own, to a database team that can manage and scale the platform far more efficiently (private DBaaS).

– Simplifies certain security aspects

If you opt for a DBaaS platform, worrying about whether this or that patch has been applied to the host, OS and database server becomes your service provider’s job, and you can generally assume they will keep those layers current. Note what that does not cover: the accounts you create, the hosts they may connect from, whether connections are encrypted, and the application holding the credentials all sit above the managed layers and remain your responsibility.

– Centralized management

One system to rule them all. A guarantee of no nasty surprises concerning that one ancient server that should have been replaced years ago, but you never got around to it. As a user of DBaaS, all you need to worry about is how you interface with the database itself.

– Easy provisioning

Scaling of the environment happens transparently, with minimal additional management.

– Choice of backends

Typically, DBaaS providers offer you a choice of database flavors, so you can mix and match according to your needs.

Main Disadvantages
– Reduced visibility of the backend

Releasing control of the backend requires a good amount of trust in your DBaaS provider. There is limited or no visibility into how backups are run and maintained, which configuration modifications are applied, or even when and which updates will be implemented. Just as you offload your responsibilities, you in turn need to rely on an SLA contract.

– Potentially harder to recover from catastrophic failures

As with the above, unless your service provider has maintained thorough backups on your behalf, the lack of direct access to the host machines means it could be much harder to recover from a database failure.

– Reduced performance for specific applications

There’s a good chance that you are working on a shared environment. This means the amount of workload-specific performance tuning options is limited.

– Privacy and Security concerns

Although a centralized platform is much easier to maintain and patch, it also concentrates your data in one place and makes it a more attractive target for attacks aimed at your dataset. Whichever provider you go with, make sure you are intimately aware of the measures they take to protect it (who can reach the endpoint, how data is encrypted in transit and at rest, how backups are protected) and of what is expected from your side to help keep it safe.
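As an added example (not code from the original post or from Percona), here is the kind of tenant-side check that the “simplifies certain security aspects” and “privacy and security concerns” points both imply: the provider patches the host, OS and server binaries, but the accounts you create on a managed MySQL instance, the hosts they may log in from, and whether they must use TLS are still yours to get right. The script audits rows shaped like the output of `SELECT user, host, ssl_type, plugin, authentication_string FROM mysql.user` (column names as in MySQL 5.7 and later; 5.6 stores the hash in a `password` column) and flags anonymous accounts, empty passwords, wildcard hosts and accounts that do not require TLS. The sample rows are constructed, not taken from any real instance, and the `Account`, `Finding`, `audit_account` and `audit_accounts` names are this example’s own.

```python
"""Tenant-side audit of MySQL accounts on a managed (DBaaS) instance.

Added example, not the original post's code. The provider owns the host, the
OS and the server binaries; the account list is still the tenant's job.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Query a tenant can run on a managed MySQL 5.7+ instance where mysql.user is
# readable. MySQL 5.6 keeps the hash in a 'password' column instead.
ACCOUNT_QUERY = (
    "SELECT user, host, ssl_type, plugin, authentication_string "
    "FROM mysql.user"
)

# Plugins for which an empty authentication_string is legitimate.
PASSWORDLESS_PLUGINS = frozenset({"auth_socket", "unix_socket"})


@dataclass(frozen=True)
class Account:
    """One row of mysql.user, reduced to the columns the audit needs."""
    user: str
    host: str
    ssl_type: str               # '' = no REQUIRE SSL/X509 clause on the account
    plugin: str
    authentication_string: str  # '' = no credential stored


@dataclass(frozen=True)
class Finding:
    account: str   # rendered as 'user'@'host'
    issue: str


def audit_account(acct: Account) -> List[Finding]:
    """Return the findings for a single account, in a fixed check order."""
    name = f"'{acct.user}'@'{acct.host}'"
    issues: List[str] = []
    if acct.user == "":
        issues.append("anonymous account")
    if acct.authentication_string == "" and acct.plugin not in PASSWORDLESS_PLUGINS:
        issues.append("empty password")
    if acct.host == "%":
        # A bare '%' lets the account authenticate from anywhere that can reach
        # the endpoint, and a DBaaS endpoint is usually routable.
        issues.append("login allowed from any host")
    elif "%" in acct.host:
        # A partial pattern such as '10.0.0.%' is narrower but still a range,
        # so it is reported separately for review rather than as a hard fail.
        issues.append("host pattern contains a wildcard")
    if acct.ssl_type == "":
        issues.append("TLS not required (REQUIRE SSL/X509 missing)")
    return [Finding(name, issue) for issue in issues]


def audit_accounts(rows: Iterable[Account]) -> List[Finding]:
    """Audit every row returned by ACCOUNT_QUERY."""
    findings: List[Finding] = []
    for acct in rows:
        findings.extend(audit_account(acct))
    return findings


def findings_by_account(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Group issues per account, preserving check order."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.account, []).append(f.issue)
    return grouped


# Constructed sample rows, not from any real instance. "*HASH" stands in for a
# real password hash. An app account pinned to a subnet, a root account open to
# the world, an anonymous account, and a reporting account pinned to one host
# that requires a client certificate.
SAMPLE_ROWS = [
    Account("app", "10.0.0.%", "ANY", "mysql_native_password", "*HASH"),
    Account("root", "%", "", "mysql_native_password", "*HASH"),
    Account("", "localhost", "", "mysql_native_password", ""),
    Account("report", "app-host.internal", "X509", "mysql_native_password", "*HASH"),
]


if __name__ == "__main__":
    for account, issues in findings_by_account(audit_accounts(SAMPLE_ROWS)).items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

Against a real instance you would run ACCOUNT_QUERY with your connector of choice, build an Account per row and hand the list to audit_accounts. The ssl_type check only tells you whether the account itself demands TLS; whether the server has TLS enabled at all is a provider-side setting you still need to confirm.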

Conclusion: While DBaaS is an interesting concept that introduces a completely new way of approaching an application’s database infrastructure, and can bring enterprises easily scalable and financially flexible platforms, it should not be considered a silver bullet. Some big tradeoffs need to be weighed carefully from the business perspective, and any move in that direction should be accompanied by careful planning and investigation of the options.

Embracing the immense flexibility these platforms offer, though, opens up a lot of interesting perspectives too. More and more companies are looking at ways to roll their own “as-a-Service”, provisioning completely automated hosted platforms for customers on-demand, and abstracting their management layers to allow them to be serviced by smaller, highly focused technical teams.

Stay tuned: Over the next few weeks we’ll be publishing a series of posts focusing on the combination of two technologies that allow for this type of flexibility: OpenStack and Trove.

The post DBaaS, OpenStack and Trove 101: Introduction to the basics appeared first on MySQL Performance Blog.

Great Speakers, Fun, and Insights at Percona Live MySQL Conference

The Percona Live MySQL Conference 2014 is less than two weeks away, running April 1-4, and excitement is building for the great lineup of speakers, events, and networking opportunities it offers. This year’s conference also features the first-ever Open Source Appreciation Day, which takes place on March 31, 2014, and includes two separate events, CentOS Dojo Santa Clara and OpenStack Today, highlighting these two key technologies. A new keynote address about the OpenStack ecosystem by Boris Renski, a member of the OpenStack Board of Directors, has also been added.

Percona Live MySQL Conference Keynotes

Positive Energy at the Percona Live MySQL Conference

The energy at the Percona Live MySQL Conferences is palpable as everyone from experts to novices gather to learn, share, and enjoy. In an interview, Jeremy Cole, Google senior systems engineer and a presenter at the conference, said, “Aside from actual sessions, one of the things I look forward to most each year is the social aspects. This conference is the only place where nearly every member of the MySQL community comes together all at once. I am excited about Oracle’s participation and their sessions about MySQL 5.7, and the many talks from those who have deployed MySQL 5.6 in production.”

Similarly, Mats Kindahl, senior principal software developer in MySQL at Oracle and a conference presenter, is enthusiastic about the opportunity that Percona Live MySQL Conference and Expo 2014 presents: “I’m quite interested in anything related to high-availability and scalability — especially real-life experience from people managing large farms. There is a lot of value in seeing and understanding what kind of problems people run into in practice. Because it’s never what you see in a theoretical presentation on high-availability. It’s always the details that make a difference.”

Keynote Panel

I look forward to keynotes this year from Oracle’s Tomas Ulin, Fusion-io’s Nisha Talagala, Dropbox’s Renjish Abraham, Big Fish Games’ Sean Chighizola, Continuent’s Robert Hodges, and Percona’s Peter Zaitsev. This year we will also feature a keynote panel on “The Future of Operating MySQL at Scale”. I will host the panel, which features Robert Hodges, Nisha Talagala, and Peter Zaitsev, and will focus on the challenges of operating MySQL at scale when downtime is very costly for mission-critical applications and more and more companies are running MySQL in the cloud. We will discuss topics such as high availability clusters, multi-datacenter replication, and data storage, in addition to other important future challenges.

Friday Keynote on OpenStack

A new keynote has been added on Friday, April 4, 2014 about OpenStack. Boris Renski, OpenStack Board Member and CMO of Mirantis, will present “OpenStack Co-Opetition, A View from Within”. He will discuss the competitive and cooperative nature of the OpenStack ecosystem and touch on topics such as Trove, OpenStack’s Database-as-a-Service project.

Open Source Appreciation Day Details

On Monday, March 31, 2014, the day before the official start of the conference, we will host the first-ever Open Source Appreciation Day at the Percona Live MySQL Conference, which consists of two events:

CentOS Dojo Santa Clara – This free event, offered in cooperation with CentOS, brings together the CentOS community to discuss systems administration, best practices and emerging technologies. Due to space constraints, attendance is limited to 75 people and advance registration is required. The event will take place from 10:00 a.m. to 6:00 p.m. in Room 203 of the Santa Clara Convention Center.
OpenStack Today – This free event is offered in cooperation with members of the OpenStack community and will provide an opportunity to hear from leading industry technologists who will speak about today’s fastest growing open source cloud infrastructure project, OpenStack, and how MySQL fits into the evolving OpenStack roadmap. Due to space constraints, attendance is limited to 100 people and advance registration is required. The event will take place from 1:00 p.m. to 6:00 p.m. in Room 204 of the Santa Clara Convention Center.

Attendees who register for one of the two Open Source Appreciation Day events can use the discount code “OPEN” to receive a 15 percent discount on their Percona Live MySQL Conference and Expo 2014 registration. Registration for either of these events includes a free Expo Hall and Keynote Pass for the Percona Live MySQL Conference and Expo.

Lightning Talks and Birds of a Feather Sessions (BOFs)

Both the Lightning Talks and the BOFs are perennial crowd favorites at Percona Live conferences.

The always entertaining Lightning Talks are an opportunity for attendees to propose, explain, exhort, or rant on any MySQL-related topic for five minutes. Topics might include a new idea, successful project, cautionary story, quick tip, or demonstration. Lightning Talks will take place Thursday night, April 3, 2014, during the MySQL Community Networking Reception, which begins immediately following the breakout sessions.

Birds of a Feather sessions enable attendees with interests in the same project or topic to enjoy some quality face time. This year’s topics include MySQL 5.6 in production, best practices for MySQL data replication, extreme MySQL performance, and much more. We’ve even added a BOF on OpenStack this year. The BOFs will take place Wednesday night, April 2, from 6:00 p.m. to 7:00 p.m. BOFs are open to all members of the MySQL community, whether you attend the conference or not.

Community Dinner and Community Reception

The Percona Live MySQL Conference and Expo is a great place for networking, providing attendees with the opportunity to make connections that can help enhance their career, facilitate a current project, or inspire new ideas. This year we have a Welcome Reception on Tuesday night and the Community Networking Reception on Thursday night. Pythian is organizing the community dinner this year on Wednesday night, following the BOFs. For a complete list of events and times, see the Conference Program.

Sponsors

This year’s Percona Live MySQL Conference and Expo includes an extensive list of prominent sponsors. Recent additions to the list include Gold Sponsor Machine Zone, Silver Sponsor Tesora (formerly ParElastic), and lounge and recharging station sponsor Facebook. Sponsorship opportunities are still available. Sponsors of the Percona Live MySQL Conference and Expo 2014 become part of a dynamic and growing ecosystem and interact with more than 1,000 DBAs, sysadmins, developers, CTOs, CEOs, business managers, technology evangelists, solutions vendors, and entrepreneurs in the heart of Silicon Valley. The complete list of sponsors includes:

• Diamond Plus: Continuent, Fusion-io
• Platinum: Booking.com
• Gold: Machine Zone, Micron, Pythian, SkySQL
• Silver: AppDynamics, Box, InfiniDB, Diablo, Galera/Codership, Google, Rackspace, Tesora, Twitter, Yelp
• Exhibitors: Attunity, Blackbird (formerly PalominoDB), Dropbox, Etsy, FoundationDB, HGST, RSSBus, ScaleArc, ScaleBase, Severalnines, Sphinx, Tokutek, VividCortex
• Other: Devart, Facebook, Webyog, MailChimp
• Media: ADMIN Magazine, Datanami, DBTA, Linux Journal, Linux Pro Magazine, O’Reilly, Software Developer’s Journal
• Open Source Appreciation Day: Tesora, hastexo, CentOS

Visit the Percona Live MySQL Conference and Expo 2014 website for more information and to register. I hope to see you in Santa Clara in two weeks!

The post Great Speakers, Fun, and Insights at Percona Live MySQL Conference appeared first on MySQL Performance Blog.