Jeffconf today was excellent, but the talk that really stuck with me was Guy Podjarny, founder of Snyk, because he introduced an idea I had never considered before. At RedMonk we spend a fair bit of time discussing the power of convenience in technology adoption, but also its potential costs and downsides. As a metaphor think of how absurdly convenient plastic packaging is, but also how damaging.
So what happens in the serverless economy, where you don’t need to pay for a function until it is actually used? Well for one thing, just like plastic bottles, you’re less likely to dispose of them effectively. In microservices we talk about disposability as a virtue, but with serverless it’s so easy to deploy code, why bother getting rid of it? When it comes to security though, poor code hygiene essentially leads to bigger attack surfaces, which is A Bad Thing.
“With serverless there is zero cost to deploying functions, so you deploy everything. Say a cron job. That is awesome, but also false from a security perspective. I am most concerned about this explosion of attack surface. Make sure you know what is disposable, and dispose of it.”
Snyk is all about understanding vulnerabilities in your source code, looking at dependencies and attack vectors. It turns out that serverless, by the very fact of its convenience and low-cost model, may lead to laziness and poor security. If you’re not worried about paying for your cruft, in terms of compute and storage, then why bother cleaning up after yourself?
This fact could be an Achilles heel for serverless implementations. Business and government have been surprisingly accepting of security breaches, but that seems to be changing, with regulations like GDPR coming over the horizon. Just because serverless looks cheap at first sight doesn’t mean it won’t be expensive in the long run. Definitely food for thought.
More on Jeffconf from me next week, but the Snyk talk was really good.