DEV Community

Arpit Mohan
Arpit Mohan

Posted on • Originally published at

Serverless: hidden costs, lock-in fears & security best practices

TL;DR style notes from articles I read today.

The hidden costs of serverless

  • API Gateways tend to be a huge chunk of your serverless costs when you connect to a lot of APIs.
  • The switch to serverless may not be worth it if data storage and networking are the largest chunks of your application’s costs.
  • Two unknown costs of moving to serverless come in the shape of code maintenance and cold starts.
  • Assess the cost of extra code maintenance and the extra time spent switching to serverless.
  • Look for the pricing advantages of serverless providers that suit you best.
  • Utilize the free tiers from vendors. Sometimes they will be enough for you to run smaller workloads.

Full post here, 6 mins read

Mitigating serverless lock-in fears

  • Think lock-in cost = migration cost - opportunity gain from the migration. Maximize opportunity gain and minimize migration costs.
  • To maximize opportunity gain, deploy existing tools such as serverless framework, apex, claudia.js & be as cloud-native as possible using the backend service provided by your cloud vendor.
  • To minimize migration costs, choose a programming language that's supported by multiple vendors. Separate application domain from the platform and invest in a good architecture pattern. 
  • Avoid integration tests heavily dependent on the cloud vendor and think of reusable abstractions instead.
  • Use standardized technology such as HTTP and SQL. 

Full post here, 6 mins read

9 serverless security best practices

  • Map your application - consider the data involved, its value and services that access it.
  • Keep using your WAF and API Gateway but apply perimeter security at the function level too.
  • Secure application dependencies to prevent new vulnerable packages from being used.
  • Look out for bad code that can trigger a self-inflicted denial-of-service attack from within your application.
  • Add tests for service configuration to CI/CD & PROD.
  • Make FaaS containers refresh to limit the lifetime of function instances.

Full post here, 4 mins read

Get these notes directly to your inbox every weekday by signing up for my newsletter, in.snippets(), here.

Discussion (0)