Application Performance

Effects on Application Performance

As you might expect, Contrast's analysis makes your application run somewhat slower. In practice the overhead is usually small enough that nobody notices, and the security findings are worth it.

Startup Time

When you start your server with Contrast, you'll see a few messages indicating that Contrast is transforming bytecode to add security sensors to classes as the JVM loads them. This instrumentation phase takes 8-12 seconds on a fast developer laptop, and perhaps 30-40 seconds on outdated, resource-starved QA server hardware.

Request Processing Time

It's probably more important to consider how Contrast affects round-trip time. In typical applications with every feature enabled, Contrast roughly doubles the round-trip time of a request that executes a lot of business logic. Round-trip times for static resources typically don't get measurably worse, and in requests where the total round-trip time is dominated by database or web service calls, Contrast's effect is less noticeable.
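The overhead figures above are typical values, not guarantees; the way to know what they are for your application is to time the same endpoints with and without the agent. The script below is an added example (it is not Contrast's own tooling) that samples an endpoint with curl and compares medians; it assumes the application is reachable at $URL and that you start it twice, once with -javaagent and once without, writing samples to two files.

```shell
#!/bin/sh
# Added example; not Contrast's own tooling. Times one endpoint with and without the
# agent and compares medians, so you can check the "about 2x on business logic,
# unchanged on static resources" claim for your own application.
# Assumed (not from the page): the app is reachable at $URL, and you start it twice,
# once with -javaagent and once without, writing samples to two files.

# Append N samples of total request time (seconds) for URL to OUTFILE. Live use only.
sample_endpoint() {   # sample_endpoint URL N OUTFILE
  i=0
  while [ "$i" -lt "$2" ]; do
    curl -s -o /dev/null -w '%{time_total}\n' "$1" >> "$3"
    i=$(( i + 1 ))
  done
}

# Median of the numbers given as arguments, printed with three decimals.
median() {
  printf '%s\n' "$@" | sort -n | awk '
    { v[NR] = $1 }
    END {
      if (NR == 0) { print "nan"; exit 1 }
      if (NR % 2) printf "%.3f\n", v[(NR + 1) / 2]
      else        printf "%.3f\n", (v[NR / 2] + v[NR / 2 + 1]) / 2
    }'
}

# Ratio of the with-agent median to the baseline median, two decimals.
# Both arguments are whitespace-separated sample lists (e.g. "$(cat baseline.txt)").
overhead_ratio() {   # overhead_ratio "BASELINE_SAMPLES" "AGENT_SAMPLES"
  b=$(median $1)
  a=$(median $2)
  awk -v b="$b" -v a="$a" 'BEGIN { printf "%.2f\n", a / b }'
}

# Usage against a running app (constructed names):
#   sample_endpoint "$URL/static/app.js" 50 static_noagent.txt   # started without -javaagent
#   sample_endpoint "$URL/static/app.js" 50 static_agent.txt     # restarted with -javaagent
#   overhead_ratio "$(cat static_noagent.txt)" "$(cat static_agent.txt)"
#   (repeat for a business-logic endpoint and for one dominated by database calls)
```

Medians rather than means keep a single GC pause or cold cache from skewing the comparison; run each endpoint class separately so a static-resource ratio near 1.0 is not averaged against a business-logic ratio near 2.0.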

If better performance is really important to your environment, consider the following options:

  • Run Contrast in sampling mode (gain 33% performance boost)
  • Turn off response scanning (gain 5% performance boost, and somewhat reduce memory footprint)
  • Run Contrast during nightly integration tests
  • Turn off data flow rules (add -Dcontrast.propagators=false, gain 50% performance boost, at the cost of all data-flow findings)
  • Run Contrast in an alternate environment (QA system or DEV environment)
  • Run Contrast on a single node in a load balanced environment

Memory

Contrast also requires some memory to operate. If you're running close to your memory limits, using Contrast might put you over the limit. To account for Contrast, add the following memory:

  1. Add 32MB of PermGen space on HotSpot JVMs that still have a PermGen (Java 7 and earlier; Java 8 replaced it with Metaspace)
  2. Add another 128MB to the maximum heap size

Our minimum memory requirement is 1.8x the maximum heap used during normal application usage. Most of the time, the steps above are more than enough.

More Information

Improving Startup Performance

The time for an application to start up, referred to as startup performance, can be affected when Contrast is configured for assessment purposes. Startup is a crucial time for the agent, since its main work then is analyzing loaded libraries for reporting purposes. Many applications see a 20% to 30% longer startup as the cost of security analysis. Some applications see 2x to 3x, depending on the number of libraries loaded and the size of the Permanent Generation space.

Skip Deep Inspection

The Contrast Assess product deeply inspects every piece of bytecode loaded in the JVM. This extra analysis ensures that every possible place where security-relevant functionality is occurring gets a sensor loaded. In many environments, this is not necessary. Accordingly, this deep inspection will eventually be off by default.

To enable skipping these deep inspections, add the following JVM properties:

-Dcontrast.inspect.allclasses=false -Dcontrast.process.codesources=false
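The memory sizing from the Memory section and the tuning properties above are usually applied by hand in a startup script. The script below is an added example (not Contrast's own tooling) that assembles them into JAVA_OPTS: it picks the larger of the "1.8x peak heap" and "max heap + 128MB" rules, emits the +32MB PermGen flag only on Java 7 and earlier, adds the two skip-inspection properties, and leaves -Dcontrast.propagators=false opt-in because it discards data-flow findings. The agent jar path in $CONTRAST_JAR, its default, and the MB inputs are assumptions, not from the page.

```shell
#!/bin/sh
# Added example; not Contrast's own tooling. Builds JAVA_OPTS for starting an app
# under the Contrast agent, applying the memory sizing from the Memory section and the
# startup/throughput properties listed above. Assumed (not from the page): the agent
# jar path in $CONTRAST_JAR; inputs are in MB and come from your own monitoring.

# Page guidance: minimum memory is 1.8x the peak heap used under normal load, and the
# simpler rule is "max heap + 128MB". Returns the larger of the two so both hold.
required_heap_mb() {   # required_heap_mb PEAK_USED_MB CURRENT_XMX_MB
  min=$(( $1 * 18 / 10 ))
  added=$(( $2 + 128 ))
  if [ "$min" -gt "$added" ]; then echo "$min"; else echo "$added"; fi
}

# PermGen exists only on HotSpot up to Java 7; Java 8 replaced it with Metaspace and
# ignores MaxPermSize. Only emit the +32MB flag where it means something.
permgen_opt() {   # permgen_opt JAVA_MAJOR CURRENT_MAXPERM_MB
  if [ "$1" -le 7 ]; then
    echo "-XX:MaxPermSize=$(( $2 + 32 ))m"
  else
    echo ""
  fi
}

# Major version from `java -version` output: "1.7.0_80" -> 7, "11.0.2" -> 11, "17" -> 17.
java_major() {   # java_major "OUTPUT_OF_java_-version"
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9.]*\).*/\1/p' | head -n 1)
  case "$v" in
    1.*) v=${v#1.} ;;
  esac
  echo "${v%%.*}"
}

# Assemble the options. Data-flow rules stay on unless DISABLE_PROPAGATORS=1: turning
# them off (-Dcontrast.propagators=false above) trades data-flow findings for
# throughput, so it is opt-in here.
build_java_opts() {   # build_java_opts JAVA_MAJOR CURRENT_XMX_MB PEAK_USED_MB CURRENT_MAXPERM_MB
  heap=$(required_heap_mb "$3" "$2")
  opts="-javaagent:${CONTRAST_JAR:-/opt/contrast/contrast.jar} -Xmx${heap}m"
  pg=$(permgen_opt "$1" "$4")
  if [ -n "$pg" ]; then opts="$opts $pg"; fi
  # Skip deep inspection of every loaded class (the two properties listed above).
  opts="$opts -Dcontrast.inspect.allclasses=false -Dcontrast.process.codesources=false"
  if [ "${DISABLE_PROPAGATORS:-0}" = "1" ]; then
    opts="$opts -Dcontrast.propagators=false"
  fi
  echo "$opts"
}

# Usage (constructed values): a Java 7 app currently run with -Xmx1024m, peak heap
# use 900MB, -XX:MaxPermSize=128m:
#   JAVA_OPTS="$(build_java_opts "$(java_major "$(java -version 2>&1)")" 1024 900 128)"
#   java $JAVA_OPTS -jar app.jar
```

Feed it the peak heap you actually observe under load (from GC logs or a JMX heap graph) rather than the configured -Xmx, otherwise the 1.8x rule sizes against a number that may be far from real usage.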

Run It Again

The first time Contrast runs in a new environment, or with a new version of the agent or JVM, it performs extra code analysis as it loads. The results of this analysis are cached, so the next run starts much faster (50-60%).

In PaaS or Docker environments where applications are run in essentially a "factory new" setting, it's likely that there is no "previous run" from which the cached analysis can be reused. This means that every run will have the maximum startup penalty. We will be providing functionality to accommodate these environments in the future.

Using -Xquickstart in the IBM JDK

Web applications running on the IBM JDK will see slower-than-expected startup times with Contrast. IBM provides a JDK option, -Xquickstart, that streamlines startup; it is disabled by default. Customers running the IBM JDK can enable this option in their startup script or wherever JVM parameters are managed (often the WebSphere performance console). The option causes the Just In Time (JIT) compiler to run with a subset of its optimizations.

IBM -Xquickstart Overview

"The effect is faster compilation times that improve startup time, but longer-running applications might run slower. When the AOT compiler is active (both shared classes and AOT compilation enabled), -Xquickstart causes all methods to be AOT compiled. The AOT compilation improves the startup time of subsequent runs, but might reduce performance for longer-running applications. -Xquickstart can degrade performance if it is used with long-running applications that contain hot methods. The implementation of -Xquickstart is subject to change in future releases. By default, -Xquickstart is disabled. Another way to specify a behavior identical to -Xquickstart is to use the -client option. These two options can be used interchangeably on the command line."


Note: Customers should test their application without Contrast enabled to ensure this option does not cause any functional instability with their application. This option has been tested by Contrast, but as stated by IBM, this option is subject to change in future releases.