It looks like a great tool and I definitely see myself trying it out but I am a bit skeptical as to production debugging for three reasons:
Firstly, I think we allow our app to be vulnerable if we permit such tools to connect to a production server.
Secondly, I wonder how safe an alternative a snapshot is when compared to breakpoints.
Last but not least, it's unclear to me whether or not performance could be impacted while the tool is attached.
I discuss security in depth in this article. The gist is that you never expose or connect to production. It works the other way around, which is an important distinction. It means any surface area to attack is significantly reduced/removed.
I'd also like to add that Lightrun is used at Fortune 50 companies, banks, etc., where security and performance requirements are very extreme.
Snapshots work pretty much like a breakpoint would. Only they don't stop. This requires a bit of a mind shift. For obvious reasons you can't use a breakpoint in production since a server might get stuck in the middle of debugging.
Performance is always impacted. We measured Lightrun and found that when no actions are used the overhead is on the scale of 0.5%, and when actions are added it's around 7% overhead for a system under heavy load. Lightrun throttles actions when they take too much CPU, and you can tune the amount of CPU allocated to it. The default is pretty conservative, so you shouldn't feel a performance impact regardless of what you do.
Markos Korvesis
Software Engineer
Excellent post, Shai Almog.
Congrats!