Mahdi Azarboon

@azarboon

Worrying and promising signals from the serverless community (of Germany?)

Recently I attended AWS Community Days in Frankfurt, on the Serverless Computing track, where I was one of the speakers. With 400 attendees, it is the biggest AWS community event in Germany. Although not a definitive indicator, it can reflect the skill level of the serverless community in the region. I would like to share my assessment of the level of Germany's serverless community. Some of the signals are good (marked "promising") and some require attention (marked "worrying"). Here is the table of contents:

  1. Signals
  2. Overall assessment
  3. So, how to improve?
  4. Acknowledgement
  5. Disclaimer

Signals

1. Users have totally ignored security (worrying)

During my talk about serverless DevSecOps, I gave a live demo in which I hacked a serverless function. I was impressed by how many people in the audience were impressed by the demo. Many openly admitted that they had no idea how vulnerable and dangerous a serverless function can be. It is really worrying that the majority of users have completely neglected security and assume that serverless is an all-secure gift from heaven.

The AWS team and the community should do more to educate users about the risks and about the defensive actions available. Personally, I am more determined than ever to address serverless security at my next conferences.

2. DevOps is finding its way (promising)

There were two talks (including mine) addressing serverless DevOps. This is a promising sign and shows that the serverless community is moving toward DevOps. However, judging by the questions asked by the audience, I would say they have not practised DevOps much yet.

There is a need to educate the serverless community on how to do DevOps properly, preferably in a vendor-agnostic way. Multi-cloud setups are becoming very common, so DevOps solutions that lock you into one vendor are not the best option.

3. Serverless-based prototypes are on the rise (promising)

I was impressed by the number of serverless-based prototypes and experimental projects demonstrated at the event. As an example, Olalekan Elesin explained how he assembled an image-based product search within just three days (without any prior knowledge) and without needing deep learning expertise; his serverless app used AWS Rekognition.

Many SMEs and large corporations demonstrated their prototypes, and every demonstration I visited used AWS Lambda as part of its architecture. Thanks to AWS's huge range of offerings, it is now possible to develop cool, handy applications in a minimal amount of time.

4. Observability is the missing key (worrying)

There was no talk on observability, and unfortunately observability was only rarely and briefly mentioned during talks and Q&As. This worries me a lot. It is really dangerous to keep promoting distributed apps (especially serverless-based ones) without educating and empowering developers on how to maintain, i.e. observe, them: with no host to log into, logs, metrics and traces are the only window a developer has into a misbehaving function.

Cloud enthusiasts should know that observability is a must for their apps; otherwise their super cool app can lead them to catastrophe.

5. AWS SAR; the undiscovered treasure (worrying)

Aleksandar Simovic gave an interesting presentation on using the AWS Serverless Application Repository (SAR) for production-ready applications. "There are a lot of repetitive patterns in serverless architectures, so why not reuse others' work?" That is the whole idea behind SAR: you can speed up your project deliveries while taking advantage of others' know-how. However, there can be many cases where components are not tested properly or have security vulnerabilities, and a SAR application deploys into your account with whatever IAM permissions its template requests. So before using any component, you should carefully analyse and test it for potential security, performance and technical issues, starting with the permissions its template grants.

What worries me is that very few of the audience had ever heard of SAR, despite its great potential.
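As an added example (not from the original article, from the speaker, or from AWS SAR itself), the following script performs one piece of the pre-deployment review recommended above: it reads a SAM/CloudFormation template of the kind a SAR application ships and flags Lambda functions whose IAM grants are wildcards, broad AWS-managed policies, or NotAction statements. The template, its logical resource names and its bucket name are constructed for this illustration; SAR applications are usually authored in YAML, which the Python standard library cannot parse, so the sample is given as JSON, which SAM also accepts.

```python
"""Pre-deployment check for a SAR application's SAM template.

Added example, not from the original article or from AWS SAR. The template below
is a constructed JSON stand-in for what a SAR application might ship; the logical
resource names and the bucket name are made up.
"""
import json

# Constructed sample: one function with a least-privilege inline policy and one
# whose grants a reviewer should reject before deploying.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "ThumbnailFunction": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "app.handler",
                "Runtime": "python3.9",
                "Policies": [{
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Action": ["s3:GetObject"],
                        "Resource": "arn:aws:s3:::example-input-bucket/*",
                    }],
                }],
            },
        },
        "CleanupFunction": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "cleanup.handler",
                "Runtime": "python3.9",
                "Policies": [
                    "AdministratorAccess",
                    {"Version": "2012-10-17",
                     "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
                ],
            },
        },
    },
})

# AWS-managed policies that hand a function far more than any single use case needs.
BROAD_MANAGED_POLICIES = {
    "AdministratorAccess", "PowerUserAccess", "AWSLambdaFullAccess",
    "AmazonS3FullAccess", "AmazonDynamoDBFullAccess",
}


def _as_list(value):
    """IAM allows Action, Resource and Statement to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_statement(statement):
    """Return the reasons one IAM statement is over-broad (empty list if acceptable)."""
    reasons = []
    if statement.get("Effect") != "Allow":
        return reasons  # Deny statements never widen access
    if "NotAction" in statement:
        reasons.append("NotAction grants every action except the listed ones")
    for action in _as_list(statement.get("Action")):
        if isinstance(action, str) and (action == "*" or action.endswith(":*")):
            reasons.append(f"wildcard action {action!r}")
    for resource in _as_list(statement.get("Resource")):
        if resource == "*":
            reasons.append("wildcard resource '*'")
    return reasons


def find_overprivileged(template_text):
    """Scan every AWS::Serverless::Function and return (logical_id, reason) pairs."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Serverless::Function":
            continue
        for policy in _as_list(resource.get("Properties", {}).get("Policies")):
            if isinstance(policy, str):
                # Either a bare managed-policy name or a full arn:aws:iam::aws:policy/... ARN
                if policy.rsplit("/", 1)[-1] in BROAD_MANAGED_POLICIES:
                    findings.append((logical_id, f"broad managed policy {policy}"))
            elif isinstance(policy, dict) and "Statement" in policy:
                for statement in _as_list(policy["Statement"]):
                    for reason in check_statement(statement):
                        findings.append((logical_id, reason))
            # Other dicts are SAM policy templates (e.g. S3ReadPolicy), which are
            # scoped to a named resource by design, so they are not flagged here.
    return findings


if __name__ == "__main__":
    for logical_id, reason in find_overprivileged(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

Run against the constructed template, ThumbnailFunction produces no findings while CleanupFunction is flagged three times (the managed AdministratorAccess policy, the wildcard action and the wildcard resource). A clean run is only the first gate: the function code, its dependencies and its performance still need the testing the paragraph above calls for.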

Overall assessment

Based on the presentations given and the questions asked in the serverless track, I would assess the audience's skill at level 200 (there were two presentations at level 300, but the audience's questions were at level 200). The levels follow Microsoft's Standard Level Definitions (100 to 400).

This was my first time attending AWS Community Days. I do not know what the level is like in other countries, so it would be nice if you shared your opinion.

So, how to improve?

AWS's offerings are amazing. While trying to keep its leading position in the market, AWS should also put more effort into educating the community to use the existing offerings properly.

  • The AWS team has done a great job educating the community to create and innovate with Lambda. However, they should (equally?) educate the community on the wider serverless ecosystem, especially observability, security and SAR. For example, at this time I can hardly find any good tutorial on how to design a process and properly combine components from AWS SAR.
  • There could be a dedicated section on security in the AWS Lambda documentation, and meanwhile evangelists can show the importance of serverless security. At the moment, security is mentioned in scattered places throughout the documentation, and as a result the majority of users do not bother with it. Users should see how catastrophic a vulnerable function can be; otherwise they will not take security seriously.
  • The Lambda environment could incorporate some security measures by default. Protego Labs and PureSec offer free security toolkits that provide some basic protection; the Lambda team could offer similar measures.
  • The AWS community could organise such events more frequently. Meanwhile, they need to aim at educating the community on the proper use of services too, and not just at showcasing cool apps.

Of course, this is just my opinion. If you have other suggestions for improving the serverless community's level, or any other comment about my article, please feel free to share them here.

Thanks for your time and for reading this.

Acknowledgement

I would like to give special thanks to the community volunteers as well as Amazon's team for organising such a good event. They coordinated the whole programme well. I would also like to thank them for accepting me as a speaker.

Disclaimer

  1. This article is just my personal opinion.
  2. The serverless track had nine talks in total. A few of them were held in German and I did not listen to them. However, having read their slides and descriptions, I have already covered them above.
