Skip to main content
The Backend Engineering Show with Hussein Nasser

The Backend Engineering Show with Hussein Nasser

By Hussein Nasser
Welcome to the Backend Engineering Show podcast with your host Hussein Nasser. If you like software engineering you’ve come to the right place. I discuss all sorts of software engineering technologies and news with specific focus on the backend. All opinions are my own.

Most of my content in the podcast is an audio version of videos I post on my youtube channel here

Support my work on PayPal

🧑‍🏫 Courses I Teach
Listen on
Where to listen
Apple Podcasts Logo

Apple Podcasts

Breaker Logo


Castbox Logo


Google Play Music Logo

Google Play Music

Google Podcasts Logo

Google Podcasts

Overcast Logo


Pocket Casts Logo

Pocket Casts

PodBean Logo


RadioPublic Logo


Spotify Logo


This is why Salesforce services went down on May 11 2021
Salesforce services went down as a result of a DNS update, let us discuss how can tiny DNS unavailability cause a severe outage of 5 hours. From salesforce "On May 11, 2021, at approximately 21:08 Universal Coordinated Time (UTC), the Salesforce Technology team became aware of a service disruption across Salesforce production instances. The disruption impacted the ability for users to log into their Salesforce environments within the core Salesforce services, Marketing Cloud, Commerce Cloud, Government Cloud, Experience Cloud, Heroku, Pardot, and Vlocity. In addition, the Trust site was also unavailable, and customers were unable to log support cases. Some customers may have also experienced issues with Multi-Factor Authentication (MFA) during the incident. " Resources Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach 🏭 Backend Engineering Videos in Order
May 13, 2021
How HAProxy forwards 2 Million Requests Per Second? - The Backend Engineering Show
In this show, I go into detail on how HAProxy achieved 2 million HTTP requests per second. This is a very well-written article that discusses how the HAProxy team benchmarked the product on a 64 core ARM machine leading to over 2 million requests per second. There are many components and low-level points that I try to elaborate on, timestamps below.  0:00 Intro  2:40 Summary of the Article  11:55 Latency and Throughput in HAProxy 2.3 vs 2.4  21:00 How TCP Connections Affects Performance  28:00 Maximum Packets we can get in 100Gbps Network?  35:00 How 64 Cores are divided between workloads  40:00 Tail latencies HAProxy 2.3 vs 2.4  42:50 How TLS Affects Performance?  HAProxy Blog Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach
May 10, 2021
The Tale of OLTP, OLAP, and HTAP in Data Warehousing - The Backend Engineering Show with Hussein Nasser
In this show, I discuss why we have 3 data models in database systems, OLTP (Online Transactional Processing) OLAP (Online Analytical Processing), and HTAP (Hybrid Transactional Analytical Processing). I’ll also explain the difference between them, the use of ETL tools (extract transform load) to load data from transactional to analytical databases, and what is the future of HTAP. Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach
May 9, 2021
This Python And NodeJS IP Address Validation Vulnerability is Severe, Watch out
Watch this if you are using IP Address validation in both NodeJS and Python, these two libraries strip leading zeros which can lead to server side request forgery. Let us discuss Resources Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach
May 4, 2021
These Hackers Snuck their Trojan through PING
In this video, I’ll discuss the Pingback attack, a new clever attack that uses both DLL files through Oracle Component Interface (OCI.dll) and ICMP protocol to deliver commands between the victim machines and the command center.  Resources Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach
May 4, 2021
Publish-Subscribe Pattern vs Message Queues vs Request Response (Detailed Discussions with Examples)
In this podcast I’ll explain the message queues, the request response pattern and the publish subscribe pattern. I will also illustrate the main differences between them and when to use over another. 0:00 Intro 0:30 Message Queues in 60 Seconds 1:24 When to Use Message Queues? 14:33 Request Response Pattern 20:00 Request Response Pros & Cons 24:11 Publish Subscribe Pattern in 60 Seconds 25:13 Publish Subscribe Pattern 31:49 Publish Subscribe Pattern Pros and Cons Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach
May 2, 2021
HTTP Code 502 Bad Gateway Explained (All its Possible Causes on the Backend)
502 Bad Gateway is one of the most infamous errors on the backend, it usually means “hey something wrong with your backend server” but it doesn’t really give enough information.  In this video,  I’ll go through details on why proxies and gateways like NGINX and HAProxy should consider throwing more fine detailed HTTP error codes.   502 Bad Gateway The server was acting as a gateway or proxy and received an invalid response from the upstream server.   0:00 intro   3:45 What Causes a 502 Bad Gateway? 8:00 Cloudflare HTTP error codes  13:00 Security Implications Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach
April 30, 2021
Technical Discussion on VPNs - How VPNs Work, their benefits, and What happens when VPNs are Hacked
In this episode I’ll talk about how VPN works, networking, IPSec and will also discuss the benefits of VPN and what happens when a VPN is hacked?   * Intro 0:00   * How Networking Works? 2:20   * How VPN Works? 10:00   * VPN Benefits 17:50  * What happens when VPN is hacked 20:20 Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach
April 26, 2021
Let us discuss the Linux Kernel community and University of Minnesota situation
There is an ongoing situation with the Linux kernel community and the University of Minnesota Department of Computer Science & Engineering. We discuss this in this episode and I give my opinion  
April 22, 2021
Auth0 Outage (Early report)
Auth0 went down on April/20/2021 and this is the early report. Let us discuss. This incident affects: Auth0 US (PROD) (User Authentication, Machine to Machine Authentication, Multi-factor Authentication, Management API), Auth0 US (PREVIEW) (User Authentication, Machine to Machine Authentication, Multi-factor Authentication, Management API), and Management Dashboard ( 0:00 Update on Auth0 outage 6:00 Speculation of the outage
April 20, 2021
North Korean Hackers Hide Malicious Code within BMP image, Goes Undetected by AntiVirus software
Let us discuss the complexity behind this trojan hack, the multi-layer approach of hiding the RAT (remote access trojan) is absolutely genius.
April 20, 2021
These New WhatsApp Vulnerabilities Can Leak Images, Voice Notes, and Chat by Opening an HTML message
Few vulnerabilities in WhatsApp for Andriod discovered that allow an attacker to send an HTML file attachment full access to the user's media, voice notes, pictures, and eventually chat messages (through TLS session resumption keys). In this video, we will discuss the scope of this attack. The vulnerabilities have been patched by facebook. Full article from CENSUS labs discussing in detail how to carry POC attack.
April 18, 2021
A Look into Modern Leaky Abstractions - Postgres, MySQL, HTTP/2, TCP, ORMs GraphQL, N+1, Axios, git
Leaky abstractions occur when the consumer of the abstraction started asking questions about certain behavior which ends up with the need to understand the details behind the abstraction. Joel Spolsky coined this term and in this video I’d like to discuss this concept and provide few examples of my own experience towards leaky abstractions. Let us get on with the show. 6:00 Postgres Dead Tuples 7:25 MySQL Clustering 9:23 Axios HTTP Library 11:30 ORMs (N+1) 13:30 Beyond Abstractions 15:30 TCP 19:30 HTTP/2 27:00 Microservices 28:40 Index Only Scans Postgres 33:35 git 34:50 Summary Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach
April 17, 2021
Here is what caused the Hack to PHP Source Code git Server
Two weeks ago the PHP source code git server got hacked and two malicious commits were made to the source code. Since then the PHP maintainers identified the source of the hack, let us discuss
April 15, 2021
If I wasn’t a Backend Engineer, I would pick this as my career - Q&A April 2021
Light episode today let's have some fun with Q&A, I collected some questions on Twitter and YouTube community and I'm going to attempt to answer them here. Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach
April 12, 2021
Can NULLs Improve your Database Queries Performance? - The Backend Engineering Show
In this episode, we will discuss NULLs in database systems. I’ll go through the following: What is Null? NULLs persistence Whether you store a 0 or 2 billion value in the field 32bit integer field it costs 32 bit when you store a NULL in 32 bit integer field we save 32 bit but add overheads When NULLs are naughty Semantics and inconsistent result Select count(*). Includes nulls count(column) ignores nulls T is NULL returns the null rows T is NOT NULL returns not null rows T In (NULL) returns nothing T not in NULL returns nothing Some database don’t index nulls When NULLs are useful I don’t have value , I don’t wish to provide a birthday not applicable field for certain use cases but not others fat tables (denormlization) Fat tables with many columns makes your rows longer which means fewer rows fit in your page (show pic).. NULLs help here .. that are NULL, it yields shorter rows, instead of storing a default 0 value Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach
April 11, 2021
10 Vulnerabilities to watch for When building secure backend application (OWASP recommendations)
The open web application security project is a recognized entity that helps developers identify critical security vulnerabilities to build secure web applications. In this video I will go through the 10 vulnerabilities and explain each one and give examples and anecdotes from real life examples. 0:00 Building Secure Backends 2:30 Injection 4:50 Broken Authentication 6:43 Sensitive Data Exposure 11:00 XML External Entities (XXE) 13:45 Broken Access Control 17:00 Security Misconfiguration 19:00 XSS 22:45 Insecure Deserialization. 24:48 Using Components with Known Vulnerabilities. 26:00 Insufficient Logging & Monitoring. Resources Cards 2:50 SQL Injection 4:20 Best practices building REST 8:30 TLS playlist 15:00 HTTP Smuggling 19:22 XSS 25:10 OpenSSL Crash Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach
April 7, 2021
Browser Caching best practices, when to use no-cache vs max-age without breaking your site
Caching is the hardest problem in building software, and having the browser cache is not any different. In this video, I'll discuss Jake Archibald's article 0:00 Intro 2:00 Pattern 1: Immutable content + long max-age 5:40 Pattern 2: Mutable content, always server-revalidated 8:00 max-age on mutable content is often the wrong choice 12:20 CDN and Caching Article
April 7, 2021
Write Amplification Explained in Backend Apps, Database Systems and SSDs
Write Amplification Is a phenomenon where the actual writes that physically happen are multiples of the actual writes desired. In this episode, I'll discuss 3 types of write amplifications and their effects on performance and lifetime of storage mediums. 0:00 intro 2:00 Application write amplification 4:30 Database write amplification 9:30 SSD Disk write amplification 16:00 SSD hates BTrees 20:00 summary Resources
April 5, 2021
DNS issue impacting multiple Microsoft services on April’s fool day (with Bonus content)
Microsoft Had an Outage on April 1st that is caused by DNS surge, let us discuss this. Bonus I’ll also discuss the outage that happened on March 18th cpu 100% utilization RCA - DNS issue impacting multiple Microsoft services (Tracking ID GVY5-TZZ) Summary of Impact: Between 21:21 UTC and 22:00 UTC on 1 Apr 2021, Azure DNS experienced a service availability issue. This resulted in customers being unable to resolve domain names for services they use, which resulted in intermittent failures accessing or managing Azure and Microsoft services. Due to the nature of DNS, the impact of the issue was observed across multiple regions. Recovery time varied by service, but the majority of services recovered by 22:30 UTC. 0:00 April/1st Outage - DNS Issue 13:30 March/18th Outage - CPU 100% RCA
April 4, 2021
My Python CRUD App hit 2 million rows, Should I Shard my Database?
Hey Hussein I have a 2 million row table used in my CRUD python app, I’m worried that as the table grow my inserts will slow down, should I consider sharding my database or partition the table? thank you I’m avid of simplicity in design if I can do it in one machine I’ll do it. Sharding/Partitioning are all great inserts are fast, queries are slow 0:00 inserts can be slow 3:00 indexes/stored procedures selects, updates, and deletes can be slow 12:00 add proper indexes. simplicity wins, premature optimization is bad 15:20 crazy things that people say like microservices day 1 scares me
April 3, 2021
cURL TLS 1.3 session ticket proxy host mixup Vulnerability
Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account. 4:00 http connect
March 31, 2021
PHP’s Source Code hacked - Two Remote Code execution added to the Git server, let us discuss
Two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their server. The commits were found and reverted two hours after it was committed. PHP is moving to github as a result. Article
March 31, 2021
What happens when your Web Server Private Key is Leaked?
We have been told to take care of our private key that we use on backend servers without clear instructions as to what could happen when that key is leaked. In today’s backend engineering show I discuss exactly what could go wrong when your backend server private key is leaked. Let us discuss Intro 0:00 What is a Certificate? 1:10 Where is the Private Key used? 4:10 TLS 1.2 with RSA 4:20 Why RSA no longer used 9:00 TLS 1.3 & TLS 1.2 Digital Signature 12:00 How often should you recycle Private Keys 19:00 Resources
March 28, 2021
Researcher bypasses Azure, and Cloudflare Reverse Proxy Security - HTTP/2 Smuggling (h2c)
6 months ago, Jake Miller released a blog article and python tool describing H2C smuggling, or http2 over cleartext smuggling. By using an obscure feature of http2, an attacker could bypass authorization controls on reverse proxies.   Sean managed to leverage Jack’s original research to bypass reverse proxy rules, lets discuss  My original Video on Jack’s h2c smuggling This article
March 26, 2021
High severity flaw can crash your WebServer when using OpenSSL - Let us discuss
On Thursday, OpenSSL maintainers released a fix for two high severity vulnerabilities, let us discuss the impact. OpenSSL two major vulnerabilities 0:00 why OpenSSL 1:00 Bug 1 - Renegotiating TLS 1.2 (CVE-2021-3449) 3:50 Bug 2 - Cert verification bypass (CVE-2021-3450) 8:42 Update to OpenSSL 1.1.1k 12:30 Resources
March 26, 2021
When is NodeJS Single Threaded and when is it multi-Threaded?
Node JS Is single-threaded asynchronous non-blocking javascript runtime, but it's not always single-threaded there are occasions where nodejs uses multi-threading, so the questions we will try to answer in this video, when is nodejs single-threaded and when does it use multi-threading and how will that affect my app? Event Loop single thread, that really just loops for callbacks 0:00 Threading in Node jS (libuv) 4:00 used for IO/intensive DNS queries file system reads CPU intensive crypto compression process.env.UV_THREADPOOL_SIZE=1 Examples 8:00 Cluster Nodejs 16:00 Example 1 HTTP server return 1 HTTP server while 1 HTTP server with file system read async HTTP server with file system read sync HTTP server with fetch call to server (dns) Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach
March 24, 2021
Slack's Migrating Millions of Websockets from HAProxy to Envoy, let's discuss
Slack started migrating from HAProxy to Envoy for their backend architecture, in this video, I’ll discuss their recent article when they moved the WebSockets portions, why they moved from HAProxy to Envoy and their production plans. Resources Article RFC8441 3:15 Websockets Crash Course 9:50 HAProxy Runtime API 20:00 Slack Jan 4th outage 23:00 RFC8441 Bootstrapping Websockets HTTP/2
March 21, 2021
Why WebSockets over HTTP/2 (RFC8441) is Critical for Effective Load Balancing and Backend Scaling
In this video, I'll discuss RFC8441 bootstrapping WebSockets with HTTP/2 which I believe a critical protocol to allow WebSockets tunneling to scale on the backend. We will also discuss the current state of the art of Proxy and Backend Supports for this tech. Let us have a discussion. 0:00 Intro 3:00 WebSockets over HTTP/2 7:40 Proxy Supports 13:15 Browsers Supports 14:00 Summary RFC 8441 Resources RFC8441 nginx support haproxy support Chrome support Firefox support envoy support Support my work on PayPal Become a Member on YouTube 🧑‍🏫 Courses I Teach
March 21, 2021
How HTTP Compression Leaks Sessions and JWT - CRIME Explained and how HPACK in HTTP/2 fixes this
In this video we will explore one of the most popular side attacks CRIME Compression Ratio Info-leak Made Easy) and the different ways to mitigate this.   Intro 0:00  * HTTP/1.1 SPDY header compression 4:00* TLS compression  * Response body attackers can’t inject 13:00  * Mitigations  14:10      * HPACK/QPACK      * TLS Padding
March 19, 2021
The Second Microsoft Global Outage in less than 6 months
On March 15, 2021, users couldn’t sign in to Microsoft services the majority of the impact was with teams but other services were affected. A similar outage happened back in Sep 2020 (I covered it here Microsoft 365 Service health status
March 16, 2021