Are there some security techniques, such as obfuscation, that negatively impact performance?
First, let me emphasize the importance of considering security throughout the full lifecycle. Many security techniques are introduced due to poor up-front design or implementation. By resolving security problems before they’re even coded, teams can avoid the need to apply patches and work-arounds. An up-front investment in good design is the most effective approach to securing any technology solution-- from operating systems to Web applications. That having been said, there are a number of security techniques which are required today that have an impact on performance. Let’s review a few.
Obfuscation, encryption, stateful packet inspection, URL scanning, whitelisting and blacklisting are great examples of common security strategies. Obfuscation is unlike any of the other strategies I listed, in that it is typically used to prevent source code from being viewed by end users. A malicious end user evaluates source code to discover vulnerabilities. Code obfuscation makes code difficult for humans to read; unfortunately, it also slows operational performance. In most cases, obfuscated code provides a false sense of security-- security by obscurity is not a strategy. Building secure code-- which relies on layered defenses; the concept of least privilege; and other good architecture, design and implementation strategy-- needs no obfuscation. Obfuscated code can often be ‘reverse-obfuscated,’ rendering the effort futile. There are times when obfuscation is useful (for instance, it often offers a higher barrier of entry than most script kiddies are willing to overcome), but it’s rarely the solution to an insecure coding problem.
One of the most common, and yet also the most readily accepted, security measure which has a serious impact on performance is the use of encryption in Web transactions. Users never complain about an SSL session protecting their sensitive information, and most governments require it for transactions involving financial and protected information. SSL encryption adds significant overhead (especially for JSON, Ajax, and RIA applications where numerous small transactions occur in real-time).
Finally, there has been much progress made in the development and availability of data inspection technologies-- at the network, server, and even application layer. These technologies evaluate traffic, searching for traffic which matches various patterns that indicate an attempted security compromise. Breaking open network packets and analyzing the contents is an operation-intensive activity which was nearly impossible 10 years ago. However, with advances in technology, these activities have a decreasingly noticeable impact on the user experience.
This was first published in September 2011