Takeaways from the ServerlessConf SF 2018

Erez Berkner
Aug 12, 2018 · 6 min read

By Erez Berkner, CEO & Co-Founder of Lumigo

Image for post
Image for post

Last week I attended ServerlessConf SF. This was the 8th and largest ServerlessConf to date with more than 550 attendees.

The conference had an effective agenda with a strong slate of talks and an impressive presence of community thought leaders.

Kudos to the ACloudGuru team for organizing the event!

The conference is proof for how serverless is maturing, examining material concepts of the technology and its side effects

Focus was given to serverless as a system and not just a bunch of functions, especially when it comes to visibility, traceability and security.

The state of serverless security, SW lifecycle and costs were also discussed in detail with interesting insights and predictions.

Here are my key takeaways from the conference, including serverless tips, predictions and actionable recommendations for building a well-architected serverless applications:

It’s Not Just About Functions!

Serverless is more than just Function as a Service (FaaS). Mark Nunnikhoven described the serverless ingredients: functions, managed services and data flow. When you are adopting serverless, you are, by definition, giving up on some control and visibility.

Image for post
Image for post

Ben Kehoe suggested keeping tabs on the entire serverless execution flow in your organization, as it changes overtime.

Simon Wardley used his famous strategic planning tool, Wardley Maps, to analyze the key evolutionary steps which led to serverless.
He later made a great observation which may very well turn out to be a game changer:

Image for post
Image for post

Serverless Myths and Predictions

Some worthy-to-mention predictions and myth refutations were heard from some of the industry’s top influencers:

Ben Kehoe (iRobot) gave an exciting talk focusing on upgrades, and shared the following observations:

  • Serverless upgrades are lacking overall upgrade process visibility, especially with gradual canary upgrades.
  • System-wide canary upgrades are not in-sync across services, which can lead to mixed flows (such as a blue API implementation leading to a green function). Permission policies further complicate the situation.
  • Currently, in order to avoid this problem, we need to create a duplicated version of all components-chain between the upgraded services, and then propagate the Blue/Green states through all those components.
Image for post
Image for post

Tim Wagner provided interesting predictions:

Mark Nunnikhoven gave his angle on the subject of serverless security:

  • Serverless is more secure than server-based due to the following reasons: Cloud Service Provider (CSP) competency; more granular access control; automatic auditing; no server affinity; time limitations; and frequent restarts.
  • Traditional perimeter security is not a good fit for serverless which requires a more granular security paradigm.
  • While some decent solutions for FaaS are emerging, security solutions for managed services are still not to be found.
  • PLEASE, PLEASE, DO NOT WRITE YOUR OWN SANITIZATION LIBRARY!

Actionable Tips: Serverless Dos and Don’ts

Chris Munns’ shared a lot of valuable serverless development tips:

  • Beware of code vulnerabilities in external dependencies.
  • Don’t put static secretes in your code. Don’t put them unencrypted in your environment variables. Either encrypt them, use parameter stores or secrets manager.
  • Event parsing: use existing libraries to parse the event object to make sure you get what you expect.
  • The security benefits of putting the Lambda within the VPC are negligible.
  • Turn on CloudTrail, Config and CloudTrail events — they cost extra dollars, but they will save you in the long run.
  • If your functions don’t share an event source — put them in two different repos.
  • If your functions do share an event source, but have completely different flows — divide them into two separate lambdas (allowing better performance, security and manageability).

Rob Gruhl presented a how-to-build-your-serverless-architecture-to-scale guide. His tips included the following:

  • Make sure your components are idempotent — events and replies will get lost and retries will happen.
  • Beware of retry storms during high loads / throttling.
  • Avoid recursive lambda invocations.
  • Implement apoptosis mechanisms.
  • Understand when you might break the abstraction layer of your cloud provider and have monitoring tools to identify when you reach those limits (such as a number of buckets; data layer limitations; functions concurrency; and network capacity).

The Rapid Growth of Serverless

ServerlessConf allowed participants to hear first-hand several exciting serverless early-adopter stories. These can give a peek into how modern cloud architectures will look like in the near future.

Rob Gruhl covered the monstrous serverless footprint at Nordstrom:

  • 100+ serverless-based apps in production (significant amount of them are customer-facing).
  • 200M+ invocations per day.
  • More than 5K unique functions.
  • More than half of all dev teams are using serverless.
  • They are serverless and/or Kubernetes first (dev teams can choose what best suits their app).
  • Developers survey showed a 91% satisfaction rate from serverless with a Net Promoter Score of 55!
  • ServerlessArtillary — a salable load tests tool using Headless Chrome.
Image for post
Image for post

Jason Katzer described how Capital One continues its amazing journey to transfer their eight huge on-premise data centers to pure cloud. He explained how they architect serverless environments which scale (100M invocations each hour!) while Kapil Thangavelu elaborated on how the popular cloud custodian open source tool uses serverless to enforce policies across clouds.

Joe Emison, CTO of Branch, gave a brilliant talk on serverless architectures, presented a great usage pattern for AWS AppSync and stressed that you should avoid writing code when you can and that you should “get rid of backend functions” in general.

Sam Kroonenburg outlined ACloudGuru’s impressive serverless journey, reassured that the company is pure serverless and highlighted serverless community resources such as Serverless Zone, The New Stack, and Serverless Slack Channel.

Observability + Serverless = Observerless

Corey Quinn gave a hilarious session, as always, and coined the term #Observerless: the hottest new thing in monitoring you’re already doing (check out Observerless.com)

Rumor has it that #GoObserverlessDays 2019 is on its way. The time is Meow! :)

Image for post
Image for post

Tel-Aviv — The New Serverless Capital

At last, and as a member of the Tel-Aviv startup scene, I have to say that the number of Tel-Aviv based serverless companies participating in ServerlessConf SF was astonishing. From serverless engines (Iguazio, Binaris, Spotinst, vFunctions) through visibility and troubleshooting (Lumigo and Epsagon), production debugging (Rookout) to Security (PureSec) — the serverless startup community in Tel-Aviv is definitely thriving! : )

***

These are my key impressions from the ServerlessConf SF 2018, see you all again in the next serverless conference!

Lumigo

Monitor & Debug Serverless Applications

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store