Systems | Development | Analytics | API | Testing

If you’ve been online at all this week, chances are that you’ve heard about the Log4Shell zero-day (CVE-2021-44228) in Log4J, a popular Java logging library. The vulnerability enables Remote Code Execution (RCE), which allows attackers to run arbitrary code on the target’s machines. I know the first question that you all have is: “Is Kong affected by Log4Shell?” Let’s start with the good news: No Kong products are affected by this Log4J vulnerability.

In this episode of Kongcast, I spoke with Scott Lowe, principal field engineer at Kong, about what a service mesh does and when to use it, among other common mesh-related questions. Check out the transcript and video from our conversation below, and be sure to subscribe to get email alerts for the latest new episodes.

This blog was co-created by Ricardo Ferreira (Elastic) and Viktor Gamov (Kong). We love our microservices, but without a proper observability (O11y) strategy, they can quickly become cold, dark places cluttered with broken or unknown features. O11y is one of those technologies deemed created by causation: the only reason it exists is that other technologies pushed for it. There wouldn’t be need for O11y if, for example, our technologies haven’t gotten so complex across the years.

As more companies invest in a cloud native infrastructure, they’re choosing to prioritize their applications as microservices—architecting them into distinct servers. Each component is responsible for one (and only one) feature. For example, you might have Server A responsible for handling billing logic, Server B for handling user interaction and Server C for handling third-party user interactions.

As part of the Kong Gateway 2.6 release, we shipped a brand new jq plugin for anyone with an enterprise license to use. It’s like we combined the request and response transformer plugins to form a single, more powerful plugin—supercharging the way we work with request and response bodies. If you’re not familiar with jq, it’s a JSON processing language that allows you to manipulate any JSON document and transform it however you need.

At Kong, we run performance testing in CI in every commit or pull request that has a potential performance impact, as well as on each release. Thanks to the performance testing framework and its integration with Github Actions, we can easily get basic metrics like RPS and latency. Also, flame graphs to pinpoint the significant part that draws down performance. With that workflow in place, we figured one of the most significant parts of Kong’s hotpath is Nginx variable accesses.

The Neosec platform integrates with Kong Gateway Enterprise to provide automated and continuous API discovery, API risk posture alerting and API protection through behavioral analytics and response automation. And it does all that while being out of band, using the logs shipped from Kong to Neosec.