
Arpit Mohan

Posted on • Originally published at insnippets.com

Serverless: hidden costs, lock-in fears & security best practices

TL;DR style notes from articles I read today.

The hidden costs of serverless

  • API Gateway is billed per request, so for a high-traffic API it tends to be a large share of the serverless bill.
  • The switch to serverless may not be worth it if data storage and networking, which serverless does not make cheaper, are the largest share of your application's costs.
  • Two less obvious costs of moving to serverless are extra code maintenance and cold starts.
  • Assess the cost of the extra code maintenance and the engineering time the switch itself will take before committing to it.
  • Compare the providers' pricing models and pick the one that fits your workload's traffic pattern.
  • Use the vendors' free tiers; they are sometimes enough to run smaller workloads outright.

Full post here, 6 mins read


Mitigating serverless lock-in fears


  • Think of it as lock-in cost = migration cost - opportunity gain from the migration. Maximize the opportunity gain and minimize the migration cost.
  • To maximize opportunity gain, use existing tooling such as the Serverless Framework, Apex or Claudia.js, and be as cloud-native as possible by using the backend services your cloud vendor provides.
  • To minimize migration cost, choose a programming language that is supported by multiple vendors. Separate the application domain from the platform and invest in a good architecture pattern.
  • Avoid integration tests that depend heavily on the cloud vendor; build reusable abstractions instead.
  • Use standardized technology such as HTTP and SQL.
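The "separate the application domain from the platform" advice, as an added example that is not part of the original post or the article it summarizes: the business logic knows nothing about any vendor, and each platform gets only a thin adapter, so a migration means rewriting the adapter, not the domain. The `GreetingRequest` type, the `greet` function and the assumed Lambda proxy event shape (`{"body": "<json string>"}`) are illustration assumptions, not from the article.

```python
"""Added example (not from the original post): keep the application
domain separate from the platform adapter so that moving between FaaS
vendors, or off FaaS entirely, only touches the thin adapter layer.

Names, event shapes and the GreetingRequest domain type are assumptions
for illustration."""
import json
from dataclasses import dataclass

# --- Domain layer: no knowledge of any cloud vendor ---------------------

@dataclass(frozen=True)
class GreetingRequest:
    name: str

def greet(req: GreetingRequest) -> dict:
    """Pure business logic. Nothing here imports a vendor SDK."""
    if not req.name or len(req.name) > 64:
        raise ValueError("name must be 1-64 characters")
    return {"message": f"Hello, {req.name}!"}

# --- Platform adapters: the only code that changes when you migrate ----

def lambda_handler(event: dict, context=None) -> dict:
    """Adapter for an AWS Lambda proxy-style event (assumed shape:
    {"body": "<json string>"}, as API Gateway forwards it).
    A malformed body raises JSONDecodeError, a ValueError subclass."""
    try:
        payload = json.loads(event.get("body") or "{}")
        result = greet(GreetingRequest(name=payload.get("name", "")))
        return {"statusCode": 200, "body": json.dumps(result)}
    except ValueError as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}

def wsgi_app(environ: dict, start_response) -> list:
    """Adapter for a plain WSGI server: the same domain code running on
    any host or container, with no FaaS vendor involved."""
    try:
        size = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(size) if size else b"{}"
        payload = json.loads(body)
        result = greet(GreetingRequest(name=payload.get("name", "")))
        status, out = "200 OK", result
    except ValueError as exc:
        status, out = "400 Bad Request", {"error": str(exc)}
    data = json.dumps(out).encode()
    start_response(status, [("Content-Type", "application/json")])
    return [data]
```

Both adapters do the same three things (decode the transport, call the domain, encode the response), which is exactly the code you want to throw away on migration; the validation rule lives in `greet` and is written once.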

Full post here, 6 mins read


9 serverless security best practices

  • Map your application: the data involved, its value, and the services that access it.
  • Keep your WAF and API Gateway, but apply perimeter security at the function level too, since functions are also triggered by queues, storage events and other non-HTTP sources that never pass through the gateway.
  • Lock down application dependencies (pin versions and scan them) so that newly vulnerable packages do not get pulled in.
  • Watch for bad code that can trigger a self-inflicted denial-of-service from within your application, for example a function that writes to the same resource that triggers it and so invokes itself in a loop.
  • Add tests for service configuration (timeouts, permissions, triggers) to CI/CD, and run them against production as well.
  • Make FaaS containers refresh regularly to limit the lifetime of function instances, so that state left behind in a warm instance does not persist indefinitely.
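Two of the practices above in code, as an added example that is not from the original post or the article it summarizes: function-level perimeter checks, where every trigger (an API Gateway request or an SQS batch) goes through the same strict allow-list schema before any business logic runs, and a configuration test that can run in CI against a function definition. The `Order` schema, the two assumed event shapes, the config dict layout and the 30-second timeout threshold are constructed assumptions for illustration.

```python
"""Added example (not from the original post): (1) perimeter validation
inside the function, applied identically to every trigger, and (2) a
configuration check suitable for a CI pipeline.

The schema, event shapes, config layout and thresholds are assumptions."""
import json
import re

# (1) Function-level input validation -----------------------------------

# Allow-list schema: field -> (exact type, validator). Unknown fields are rejected.
ORDER_SCHEMA = {
    "order_id": (str, re.compile(r"^[A-Z0-9]{8}$").fullmatch),
    "quantity": (int, lambda q: 1 <= q <= 1000),
}

def validate_order(payload: dict) -> dict:
    """Return the payload or raise ValueError. Strict on purpose: no extra
    keys, no missing keys, exact types (so a bool does not pass as int)."""
    if not isinstance(payload, dict):
        raise ValueError("payload must be an object")
    extra = set(payload) - set(ORDER_SCHEMA)
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    for field, (typ, check) in ORDER_SCHEMA.items():
        if field not in payload:
            raise ValueError(f"missing field: {field}")
        value = payload[field]
        if type(value) is not typ or not check(value):
            raise ValueError(f"invalid value for {field}")
    return payload

def extract_payloads(event: dict) -> list:
    """Normalise the two trigger shapes we accept (assumed shapes):
    API Gateway proxy  -> {"body": "<json>"}
    SQS batch          -> {"Records": [{"body": "<json>"}, ...]}
    Anything else is rejected rather than guessed at."""
    if "Records" in event:
        return [json.loads(r["body"]) for r in event["Records"]]
    if "body" in event:
        return [json.loads(event["body"] or "{}")]
    raise ValueError("unrecognised trigger")

def handler(event: dict, context=None) -> dict:
    """Validate first; the business logic (here just a count) only ever
    sees data that passed the same check regardless of trigger."""
    try:
        orders = [validate_order(p) for p in extract_payloads(event)]
    except (ValueError, KeyError, TypeError) as exc:
        # Reject the whole batch rather than partially process it.
        return {"statusCode": 400, "accepted": 0, "error": str(exc)}
    return {"statusCode": 200, "accepted": len(orders), "error": None}

# (2) Configuration test for CI ------------------------------------------

def config_findings(fn: dict) -> list:
    """Flag risky settings in a function definition (assumed shape:
    {"timeout": seconds, "iam": [{"Action": [...], "Resource": [...]}]}).
    Wire this into CI so a wildcard permission fails the build."""
    findings = []
    if fn.get("timeout", 0) > 30:  # 30s is an assumed policy threshold
        findings.append("timeout above 30s widens the window for a runaway invocation")
    for stmt in fn.get("iam", []):
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"wildcard action in {actions}")
        if "*" in resources:
            findings.append(f"wildcard resource for {actions}")
    return findings
```

The point of `extract_payloads` is that the SQS path and the HTTP path converge on the same `validate_order`; a WAF in front of the gateway would never have seen the queue message. `config_findings` is deliberately data-driven so the same check can be run against the deployed definition in production, not only the file in the repository.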

Full post here, 4 mins read


Get these notes directly to your inbox every weekday by signing up for my newsletter, in.snippets(), here.
