What are agents ?
Agents are like sensors that are introduced in an application. They can communicate with a server (via events) . The server gathers information from multiple agents and correlates data to gain accurate knowledge about the system. Agents can also take action, for example to stop a malicious attack.
Example : How can agents be used to prevent a data breach ?
In September 2018, the Facebook team discovered a data breach where hackers used the “view as” feature to steal Facebook access tokens and gain access to other people’s accounts. As described by the Sqreen team in this deck, this could have been detected and avoided using agents.
How do they work ?
Adding these sensor agents in a code base is called Instrumentation. Instrumenting a code can be achieved by adding code wrappers that watch a particular piece of code and report what happens.
These agents will then be able to provide valuable information. They will be able to detect when an execution starts, report how much time it takes to run a task and watch the content of incoming requests or outbound calls.
What can they do ?
Once we instrument our application, we can enable many interesting features.
APM Agents (Application Performance Monitoring)
- Telemetry : Agents will gather data about the use and performance of applications. This data can help you decide which parts of your infrastructure needs to handle more traffic, which endpoints can be deprecated and which services are slowing down your application performance. You can also get valuable information about error statistics.
- Distributed tracing : In addition to regular tracing (following code execution), using agents in distributed systems will allow you to follow a chain of events across multiple services. Without implementing this kind of instrumentation, it can be very difficult to debug errors in distributed systems.
- Services mapping : After instrumenting micro-services, some tools will generate application maps and help visualize event flows.
Example of APM tools: Splunk, Elastic, Dynatrace, Datadog, New Relic …
- Can act as an in-app WAF (Web Application Firewall) : By analyzing HTTP traffic, agents can prevent attacks and malicious requests.
- Security Assessment: Agents can analyze a codebase, pinpoint its vulnerabilities and assess its robustness.
- Security Protection : Agents can also take actions and identify attacks while they are happening. They can prevent vulnerabilities from being exploited in production.
Tools that use agents to provide security features: Contrast, Sqreen.
Note: Many of these companies made the choice to open source their agent code base. This transparency initiative has the benefit of reassuring the public about the internal workings of their agents. It also helps maintain these agents and improve them by opening contributions and feedbacks.
Any Drawbacks ?
- Performance : Instrumenting code can affect application performance. It could be due to heavy data manipulation or due to frequent communications with the server. In order to avoid this, Instrumentation tools can adopt different strategies like batching report events or using reporting queues.
- Privacy and GDPR : When reporting HTTP headers, agents can send sensitive data like user related data. In order to be compliant, you need to filter out such data.