Becoming Componentized: Excitement Brewing Around the Future of WebAssembly

At Kubecon + Cloudnativecon 2023, I was struck by the passion and excitement surrounding WebAssembly (abbreviated as Wasm). Although I have been vaguely familiar with the technology for some time, I sense the tech industry is finally waking up to how revolutionary it truly is.

I was told Wasm would forever change the way software is built. I was told it enables portability, language-agnosticism, cloud-agnosticism and bank-grade security isolation. So, were these people drinking some Wasm-flavored Kool-Aid, or were they for real? There is often this sort of hype in tech, so I wanted to get to the bottom of it.

Step 1 of 7

14%

Which of the following best describes how you currently monitor and manage systems across your hybrid cloud environment?(Required)

Multiple separate tools for different environments

Multiple separate tools for different monitoring and management functions

Single consolidated dashboard

Custom built monitoring and management solution

No full monitoring and management solution

Don’t know

How valuable would it be for your monitoring and management solution to incorporate predictive analytics to help you identify and address system issues that are critical and not waste time or effort working through all the data and “noise” that is not critical?(Required)

Extremely valuable

Moderately valuable

Somewhat valuable

Slightly valuable

Not valuable

How do you most typically address potential system issues BEFORE they impact your operations?(Required)

Automated workflows and playbooks to remediate potential issues as soon as they are detected

An orchestrated response process that leverages automation, AI, and human expertise to rapidly respond to potential issues

Advanced monitoring tools such as predictive analytics and anomaly detection to proactively identify and address potential issues

Respond to issues as they arise, using manual processes and troubleshooting techniques

A combination of automated remediation, orchestrated response, and/or proactive monitoring to address potential system issues

Don’t know

Other

What methods does your organization use to control and monitor cloud/IT spending?(Required)

Centralized procurement processes

Pre-approved budget thresholds

Automated cost monitoring tools

Department-level spending controls

Regular cost audits and reviews

Cloud cost optimization platform

Approval workflows for resource provisioning

Native financial operations tools provided by the cloud provider

No formal controls in place

Don’t know

Other

Please specify:

Which methods do you rely on most to detect security vulnerabilities in your systems?(Required)

Automated scanning tools

Manual assessments

Vendor notifications

Threat modeling (for early detection)

None of these

Don’t know

Other

Please specify:

What are the TWO most common ways you prioritize vulnerabilities to address within your environment?(Required)

Based on potential impact

Based on exploitability

Regulatory compliance requirements

Based on CVSS scores

Risk-based analysis of multiple factors

First-in-first-out approach

No formal prioritization process

Don’t know

How do you typically handle system updates and security patches?(Required)

Automated updates and patches

Manually review and apply updates and patches on a regular schedule

A combination of automation and manual review

Apply updates and patches on an as-needed basis.

Outsourced update and patch management

No defined process

Don’t know

Other

Δ

I went on to interview a handful of experts at the event — essentially, anyone I could find involved in Wasm in any way. I sat in on sessions and talked to lead maintainers working on a Wasm runtime. I spoke with two developers who had been banging their heads against the wall trying to complete a protocol to enable the creation of Wasm component registries. Another Wasm evangelist described how Wasm brings us closer to the original fundamental ideals of 20th-century software engineering theorists.

Wasm is hopping out of the browser, too — Sony reps showed me how they just put Wasm on a chip to help run AI on the edge. I was also told that the next generation of Wasm, WASI and the Component Model, all ongoing efforts, will be extremely intriguing, enabling far more portability and providing greater extensibility.

I sense a lot of growth potential in this area. And the excitement around Wasm feels like other movements right before they hit the mainstream. However, there is still a lack of awareness around fundamental Wasm concepts, and some technical roadblocks prevent more widespread adoption.

So, in this post, I’ll attempt to break it all down. We’ll check in with some of Wasm’s most ardent supporters working diligently to bring it to the masses. We’ll review the benefits of Wasm in general and analyze some of the hangups. We’ll gauge the current state of things and consider what the future holds for the burgeoning “componentized” ecosystem.

Quick Overview of WebAssembly (Wasm)

For those unfamiliar, WebAssembly (Wasm) is a binary instruction format and portable compilation target for many high-level programming languages. In other words, you can take your C, C++, Rust or Go code and bundle it into a portable module for reuse in a web application. Wasm has been heralded as the fourth web fundamental and is an open standard officially supported by W3C.

Some other important projects to note: Wasmcloud, a CNCF project, offers a framework to build distributed applications composed of Wasm modules. And the WebAssembly System Interface (WASI) (pronounced like ‘wazzy’) is currently being standardized as a system interface to help bring WebAssembly out of the web browser into other environments. Most people involved in Wasm view WASI in a positive light for pushing the effort forward.

Benefits of Using Wasm

A big benefit of using Wasm is that you can build applications in any language and run them anywhere. So, portability is a big plus. Wasm is generally more performant than JavaScript, given that it is a binary format compiled ahead of time instead of using just-in-time compilation.

Some of the other big benefits of Wasm are its polyglot nature, its portability, its small binary footprint and how it can be isolated, enhancing its security, said Bailey Hayes, CTO at Cosmonic. It also helps you “scale down to zero,” potentially delivering energy and cost optimizations.

Due to its isolated nature, Wasm brings security benefits that can help support a zero-trust model. According to Kelly Shortridge, senior principal engineer, Fastly, the Wasm isolation model is good for safety as it allows you to decompose apps into a modular architecture, calling it “modularity without microservices.”

State of Wasm Adoption

Interest in Wasm has been steadily increasing over the years, but we have yet to reach the tipping point. According to Lin Sun, head of open source, Solo.io, we’re still in the early stages with a relatively small set of early adopters.

A fairly small core base of maintainers is behind the frameworks, plugins and runtimes that comprise the Wasm ecosystem. And while there have been significant uses of Wasm in production, most of the adopters of WebAssembly seem to be vendors.

Yet, development is ongoing. Wasm has grown out of the web browser — The State of WebAssembly 2023 listed web applications, data visualization, IoT, AI and gaming as top environments. And the ecosystem is beginning to support more languages, too — for example, Wasmcloud recently announced support for Go. Major companies are using Wasm in production, and the WebAssembly Canvas project has demonstrated further use cases.

The Next Generation of Wasm

The upcoming, well-anticipated evolution of Wasm will center around the WebAssembly Component Model, which wraps a Wasm module, enabling you to compose multiple components together.

“It’s going to change the world,” said Hayes. According to Hayes, this next generation will enable a componentized ecosystem of regulatory-safe modules that focus on business logic and avoid the pain of managing unnecessary dependencies.

Speaking from years of experience working in cloud-native dependency hell, determining long-term support for third-party libraries and open source software can be a frustrating challenge, she said. “The human time spent during the churn that you do all the time is annoying and not what you want to be working on,” said Hayes. “The reality is, we need to change how we build software.” She views Wasmcloud as a significant strategy to streamline non-functional requirements.

Many organizations have moved to microservices architectures, yet the more you split things up, the more overhead there is. Therefore, WASM is changing the way we build software because it provides a singular unit of compute that can run on any device in the world, said Hayes. This can unite siloed development teams using disparate frameworks and different languages and avoid re-implementing efforts so they can “finally start to focus on what matters.” The component model will be the glue for a new “componentized” ecosystem, she predicts.

What the Component Model Will Enable

“The Component Model will do for cloud-native what POSIX did for operating systems last century,” said Vance Shipley, CEO & founder, SigScale. “It will be possible to compose applications from independent software components without regard to the implementation of either the code or the platform.”

Shortridge calls the component model “the app platform of our hopes and dreams,” believing it can get us closer to the old dream of software-integrated circuits. Similar to how the industry revolution brought in interchangeable parts, the component model could enable reusable software components, like Lego blocks, that are easier to build and distribute.

“The Component Model is the biggest thing emerging, a lot of effort is going into that,” said Shortridge. “It will bring better performance, security and polyglot applications that use any language to compose systems. This can make your software more interchangeable.”

“It takes time to get standards passed and people to agree on things,” said Ryan Petrich, SVP at Two Sigma. Yet, he’s noticed early adopter groups becoming enamored with the component model. “People really like the isolation capability and the ability to deploy anywhere,” he said. It could also offer the ability to enforce fine-grained isolation and reduce the threat of breaking changes, he said.

General Hangups Around Wasm

Yet, with all this excitement, there are a handful of difficulties surrounding Wasm, leaving many developers unconvinced. The aforementioned CNCF report found debugging and troubleshooting, as well as inconsistent performances and developer experiences between runtimes, to be some of the most common complaints. In fact, 22% of developers are pessimistic about its future.

Hayes acknowledged the potential downsides of Wasm, noting potential limitations with integrating external databases and potential performance issues compared to native speed. However, she suggests these challenges can be addressed with strongly typed interfaces and clear contracts.

According to Shortridge, there is much to be improved on the developer experience side of things. However, solutions are materializing in abstraction frameworks that wrap Wasm, so developers don’t have to worry about the underlying framework. And, the component model will make it easier to abstract the underlying Wasm, she said.

“There’s a lot of potential for Wasm to overtake JavaScript in empowering the web,” said Max Bruce, co-founder of LeakSignal. He also sees much potential for using Wasm in the web around rendering.

Yet, according to Bruce, a big hangup has to do with multi-threading and memory handling. “A real big crux of all this is the multi-threading aspect, which is holding us back.” The Wasm memory model presents some challenges when working with large amounts of data and, specifically, presents limitations when handling large buffers in multi-threaded WebAssembly applications.

Of course, a lot of this hinges on the specific runtime and environment in use, but it has diminished his faith in utilizing Wasm within certain use cases. Others in the community see the potential for newer platforms to alleviate these concerns.

“Future platforms shall leverage CXL memory sharing to build data center size universal computers for truly limitless composition, without the overheads of network protocols,” said Shipley.

Furthermore, interest in extending the Envoy Proxy with Wasm has appeared to wane, likely due to a lack of ownership around who could take on the work of writing SDKs and plugins, theorized Bruce. For him, part of this had to do with a lack of documentation and project stability around proxy-wasm.

Is Wasm the Next Big Thing?

Wasm is a transformative technology that has the potential to change the way software is built and deployed. “It feels like 2010 did for Docker and containers — no one was really doing stuff yet, and businesses weren’t ready to buy in,” said Hayes. But, she anticipates the ‘lightbulb’ moment to come very soon. “This is the next thing — this is going to happen.”

Wasm could especially benefit large platform providers, noted Hayes, who might find their containers are too clunky for massively multitenant scenarios. But will Wasm become the default thing to deploy everything into? Is it the new container default?

“I think so,” answered Shortridge. “You can run everywhere, on the edge, in the cloud. That flexibility is powerful in terms of how you build and assemble apps. It’s a different level for portability.” She also foresees it potentially disrupting current security practices. “There’s a bunch of things Wasm could make obsolete in cybersecurity.”

With the anticipated Component Model, use cases are likely to expand. It’s hard to pinpoint when the next iteration will reach general availability, but the community sentiment seems to peg it for some time in 2024. For the time being, Wasm may be a niche technology, but I’ll be keeping a close eye on this area as it expands.