WebAssembly has moved beyond web browsers and into edge computing as it makes its way toward the heart of cloud and enterprise data centers.

WebAssembly (Wasm), released by the World Wide Web Consortium (W3C) in 2017, is an assembly language designed to run application code inside web browsers. In 2019, W3C member Mozilla introduced a WebAssembly System Interface (WASI), which created a framework to let WebAssembly apps access operating system resources, setting the stage for WebAssembly to break out of the browser.

And break out of the browser it did. Such was the potential for the combination of WebAssembly and WASI that it prompted Docker founder Solomon Hykes to tweet in 2019, "If WASM+WASI existed in 2008, we wouldn't have needed to [create] Docker. That's how important it is. WebAssembly on the server is the future of computing."

Since then, WebAssembly has worked its way into cloud-native computing circles wherever developers want to run custom applications without direct access to the underlying infrastructure. Such environments include mobile and edge computing deployments, such as Content Delivery Networks (CDNs), where WebAssembly offers a lightweight way to move application processing closer to consumers and supports a range of processor types.

While it's still early days for WebAssembly and WASI, as 2022 begins, these concepts are beginning to garner awareness among mainstream IT pros. Despite their promise, however, WebAssembly and WASI also come with drawbacks: They require a separate­ set of still-maturing compiler toolchains that convert mainstream programming languages into compatible bytecode and may raise their own security concerns.

WebAssembly pros and cons Wasm proponents say it's inherently more secure than traditional application runtimes, citing the fact that WebAssembly code is "sandboxed," or limited in what memory resources it can access, by default. "One of the issues with software supply chain security is, I have an NPM package with 100 dependencies, and I have no idea if those 100 dependencies are sending data back to another server," said Michael Yuan, CEO of Second State, a startup that markets a commercial product based on the Cloud Native Computing Foundation's WasmEdge WebAssembly server-side project. "So, with WebAssembly, you can say, 'This module does not have network access, although it's deployed on a network machine.'" It feels a little bit like going back to how you built software 15 years ago -- once the toolchain's running, it's fine, but most people are not interested in going through all the hassle of setting that up. Fintan RyanAnalyst, Gartner However, while WebAssembly's sandboxing protects against some forms of attack, it remains open to others that have been effectively mitigated for other codebases. "The sandboxed memory that makes it almost impossible for WebAssembly to touch what is outside also makes it harder for the operating system to prevent bad things from happening inside," reads a Linux Foundation blog post from March 2021 (italics in the original). "Traditional memory monitoring mechanisms like 'stack canaries,' which notice if some code tries to mess with objects that it should not touch, cannot work there." Another potential pitfall for Wasm/WASI is a relative lack of maturity among compiler tools and toolchains compared to the DevOps pipelines IT pros have become accustomed to over the last five years, according to Fintan Ryan, an analyst at Gartner. "It doesn't have the sleekness that a lot of other environments have," Ryan said. "There's a lot of work happening there, but it feels a little bit like going back to how you built software 15 years ago -- once the toolchain's running, it's fine, but most people are not interested in going through all the hassle of setting that up."