Serverless apps take data from an input, pass it through one or more proper workloads, and then direct the output to a destination. In and of themselves, serverless apps don’t generally process data. They just act as a programmable conveyor belt, shuttling the data from one location to the next. This means lifespans are no longer measured in minutes or hours, but in fractions of a second. The upshot being that security tools used to monitor the previous generations of virtualisation technology no longer cut it.

Driven by the rise in the adoption of microservices, serverless apps offer a huge degree of flexibility. Unfortunately, greater flexibility means more opportunity for attackers and would-be perpetrators to break in.

The increasing attack surface

While serverless apps enable greater granularity, such as faster billing for services, they are vulnerable to attacks exploiting privilege escalation and application dependencies. And since serverless applications are typically small, discrete functions, there’s also more data transferred across networks, another potential attack vector. The threat of brute-force denial of service attacks, in which the serverless architecture fails to scale and incurs expensive service disruptions, remains prevalent.

A recent study by PureSec found more than 20% of open-source serverless apps contain critical security vulnerabilities. Its report found 21% (of 1,000) of open-source serverless projects contained one or more critical vulnerabilities or misconfigurations, which could allow attackers to manipulate the application and perform various malicious actions. About 6% of the projects even had application secrets, such as application programming interface (API) keys or credentials, posted in their publicly accessible code repositories.

The identity crisis

Serverless apps are particularly susceptible to identity compromises. They’re acutely tied into identity and access permissions on the cloud provider side. Companies using serverless applications focus on the least privilege model to help secure them. All the major cloud providers have a serverless offering. With Amazon, it’s AWS Lambda. Microsoft has Azure Functions. Google and IBM both call it Cloud Functions. In a lot of cases, the exact implementation is not known – it might be a proprietary container forming at, but they’re taking care of the setup.

And that’s good, because the responsibility for the security of the serverless infrastructure, such as physical security, network security or operating system patches, falls on these huge and trusted brands. While patching is one of their core competencies, serverless does nothing to keep attackers away from data. If an attacker gains access to a businesses data through a vulnerability – leaked credentials, a compromised insider or by any other means – then serverless doesn’t help.

The application owner, however, is still completely responsible for application logic, code, data and application-layer configurations, ensuring they are secure, hardened and able to withstand attacks. Developers still have to be careful about how they write their code. If you write insecure code and put it in functions, a lot of the security problems still exist – SQL injections and similar attacks.

Trust in cloud

What all of this means is that customers have to put a lot more trust in their cloud providers. Having questions like, ‘how do you monitor the input and output in a function’, through to something as fundamental understanding how the provider is monitoring for malicious activities are completely understandable. Especially since a lot of the tools that would be deployed in an on-premise environment or a virtual machine are not in location. Ultimately, you’re trusting the provider to keep the underlying system secure.

For those not willing to put their faith in the big cloud vendors, there are on-premises alternatives. For example, IBM built its cloud functions service using the Apache OpenWhisk platform. Other options include Fission, IronFunctions, and Gestalt. As with other new technologies, there’s usually a delay before the security tools catch up.

Serverless applications aren’t for everyone. They make monitoring more difficult, while scaling and cost savings may be worth it for some developers, serverless apps come with higher test requirements and different monitoring strategies than traditional applications. That said, they open a lot of benefits to many DevOps environments. The scalability, cost-effectiveness, and compatibility with existing cloud applications are all unparalleled. Despite those benefits, there are still very serious security concerns and practices to be aware of and deploy.

Written by Antony Edwards, CTO, Eggplant

The post Just how secure are serverless apps? appeared first on DevOps Online North America.

The company is based on the core developer technology, git, which gives developers a chance to work on the same software at the same time.

The funds will help GitLab grow its DevOps software business by building products that move it beyond simply serving as a place for companies to host their code repositories.

GitLab offers a continuous integration product, and plans to care more streamline tools, helping manage the process of putting code into production and maintaining it.

The leading integrated product for modern software development has recently started to become popular in the developer space.

According to Business Insider, GitLab “boasts” that it controls two-thirds of the market for “self-hosted git.”

Written by Leah Alger

The post GitLab raises US$20million in venture capital funding appeared first on DevOps Online North America.

The headset will be connected by a 60Mbps broadband connection, providing access to VR content from Viveport, HTC’s VR platform.

In a bid to improve overall user experience, sorting VR content in the cloud means consumers will no longer need to wait for downloads or use PCs.

The new system addresses VR headset adoption, although high-end VR devices like the HTC Vive or Oculus Rift still need to be powered by a compatible PC.

Written by Leah Alger

The post HTC tests cloud VR through partnership appeared first on DevOps Online North America.

The two-week camp will take place for the fifth year running at Queen’s University, Belfast, between 24^th July-4^th August 2017. Attendees must be tech-orientated individuals, aged between 14-18.

With help from Kainos professional software engineers, and guest speakers offering career advice, students will have the chance to boost their coding skills and professional and business skills, with tech-based activities including Raspberry Pi tutorials and VR/AR demonstrations.

“We are really delighted to have this opportunity again to host and support Kainos through CodeCamp. We see this and other outreach activities as helping us to get young people enthused and excited about coding,” said Dr Phil Hanna, Director of Education at the School of Electronics, Electrical Engineering and Computer Science at Queen’s University.

“Through CodeCamp we have seen many young people take their first step towards computing at school and university, and from there to a rewarding career in the computing sector.”

Applications begin on May 3^rd 2017. Due to high demand, applicants must include a 250 word statement, specifying why they would like a place on the course, and how they feel that it would benefit them. Students can apply here: www.kainos.com/codecamp.

Edited from press release by Leah Alger

The post Tech summer camp encourages teens into IT appeared first on DevOps Online North America.