Recapping the Serverless Conference

This week we attended the Serverless Conference, which continues to grow and had over five hundred attendees. During the conference we observed three main themes: 1) security, 2) operational tooling, and 3) blockchain.

Security remains a concern. In serverless environments managed by a public cloud, developers can take advantage of the shared responsibility model. AWS works diligently to ensure infrastructure layers below the application layer are secure. Having best-of-breed security practitioners design and manage the infrastructure is often an improvement for businesses that may not be able to hire and maintain security experts. Third parties audit and certify the public cloud’s security posture and processes, giving customers confidence.

While cloud providers take on much of the security responsibility, internal teams must still consider serverless security. Mark Nunnikhoven of Trend Micro suggests that serverless security comprises three parts: 1) functions, 2) service selection, and 3) data flow. Function security includes code quality and dependencies. For service selection, Mark advised that businesses pick services that have been certified safe by third parties. For example, health care businesses subject to HIPAA should check that the service meets HIPAA requirements. Finally, data flow security focuses on visibility and assurance (e.g. encryption). While not directly addressed during Mark’s talk, we also often hear that service-to-service IAM is important to decrease the potential attack surface. There are a few start-ups trying to address serverless security, like Intrinsic.

Operational tooling helps adoption. Since the last North American Serverless Conference we’ve seen an increase in the number of tools to help developers build function-based applications. Our Serverless Cloud Native Landscape highlights 23 solutions to ease serverless adoption. During the conference, speakers emphasized the need for testing, debugging, and observability solutions. The emphasis on tooling highlights that adoption continues to expand beyond the bleeding-edge users to those who hope to use functions for more critical services.

From an operations perspective, cold starts continue to be a problem. Practitioners implement “uptime pingers” to keep the function warm and decrease cold start times. Importantly, as serverless becomes more popular, pingers become less useful. AWS Lambda rotates out less active instances to keep up with overall demand. If many developers use the platform, some functions will be rotated out, so developers need to increase the frequency of their pingers. The pingers in turn become less powerful because Lambda is resource constrained and must service increased demand. Pingers’ value also decreases if you have many functions or scale dynamically. AWS and startup Binaris are working to improve the cold start problem.

Blockchain+serverless buzzword bonanza. A few speakers spoke of the similarities between serverless and blockchain including being highly distributed, event-driven, fault-tolerant, and idempotent. A speaker spoke about how ledgers can be built on top of serverless, and Manifold recently launched a similar blockchain auditability service. Blockchain solutions like Dragonchain and Wireline also use serverless on their backend.

The expanded audience of the Serverless Conference highlights that the market and ecosystem are maturing. It is encouraging to see discussions around security and operational tooling as well as new applications like blockchain.