Cloud-native development models are quickly entering the mainstream, and serverless computing is at the forefront of this trend. Like other aspects of digital transformation, this trend has been accelerating over the past two years as the way that brands interact with their customers underwent a sea change. Contrast’s new State of Serverless Application Security Report highlights how enterprises are taking advantage of serverless computing to improve their business agility and enhance the customer experience.
The report is based on a survey of 250 DevOps, security, and cloud architecture professionals based in 24 countries around the world. They represent organizations with more than 5,000 employees in a wide variety of industries. A vast majority of respondents say that their organizations employ more than 3,000 software engineers and maintain more than 500 applications.
DX INVESTMENTS ARE INCREASING
Our research confirms that budgeting for digital transformation (DX) continues to grow at many organizations. Six in 10 respondents reported that DX-related investments in application development increased in 2021, and 42% said that this budget grew more than 10% from 2020 to 2021. This is especially notable since the same budget line item increased in 2020 at many organizations due to changes brought about by COVID-19, potentially creating a high baseline for 2021. The Asia-Pacific region leads the way in this trend, with 66% of organizations based there reporting an augmentation in development funding.
While the overall trend is upward, development budget increases were more common in some industries than others. Investments increased in a significant majority of technology, financial services, and manufacturing companies, but they actually decreased at most government, professional services, and retail/hospitality organizations. There may be several factors behind this, including inflated 2020 baselines and the wild gyrations in revenue for the three latter sectors of the economy in 2020-21. These trends underscore the fact that the economic impacts of the pandemic hit different industries unevenly.
SERVERLESS HITS CRITICAL MASS
Our research shows that these increased budgets are helping to move serverless technology firmly into the mainstream across all industries and geographies. While one 2019 survey found that just 40% of organizations had any serverless architecture at all, our research finds that, two years later, nearly all enterprises now have at least some serverless applications.
And adoption is deepening: 49% of respondents say that more than half their applications are serverless, including 66% of Asia-Pacific organizations and 73% of technology companies. A big majority (71%) of organizations now have six or more development teams creating serverless applications. These findings are consistent with other research that shows a 206% increase in average weekly invocations of serverless applications from 2019 to 2020.
When survey participants were asked to rank the reasons for embracing serverless applications, two stood out: scalability and the elimination of the need to maintain an application’s architecture. These benefits of serverless computing address two problems with traditional development that are related to each other. Maintaining servers—even virtual ones—requires significant staff time, presents risks like misconfiguration and server failure, and keeps some of a development team’s focus someplace other than delivering quality software. Plus, needing to maintain this infrastructure complicates scalability because of the need to upgrade physical or virtual servers as processing capacity increases.
AWS DOMINATES THE MARKETPLACE
Amazon Web Services (AWS) has dominated the serverless computing market since the introduction of AWS Lambda in 2015, the first complete service to enable a true serverless architecture. Eight in 10 respondents to our survey are Lambda users. Perhaps not surprisingly, organizations using AWS platforms are further along in serverless adoption than their peers that use services based on Microsoft Azure and Google Cloud Platform.
In our survey, nearly six in 10 (58%) AWS users say that three-quarters or more of their applications are serverless. In another sign of the speed of Lambda adoption, other research found that Lambda functions were invoked 3.5 times more often in early 2021 than in early 2019.
The dominance of AWS means that more respondents use that company’s cloud container services as well. AWS Elastic Container Service (ECS) and Elastic Kubernetes Service (EKS) are in use at close to three-quarters of organizations (76% and 74%, respectively). Moreover, most users of those services (65% and 70% of the overall respondent pool, respectively) rank each AWS service among the two most important container services where they work. ECS is most prominent in the government, energy, and transportation sectors, while EKS is most favored in the technology and retail/hospitality verticals.
When it comes to programming languages, organizations tend to use several of them in their serverless applications, just as they do in their non-serverless ones. Python is by far the most commonly used language overall, with 79% of organizations adopting it, but Node.js, Java, .NET, and Golang are also used by a majority.
GREAT STRIDES IN SPEED AND EFFICIENCY
Our research highlights the quickly increasing adoption rate of serverless computing. Something that was still experimental at most organizations two years ago is now firmly in the mainstream. Organizations that are slow adopters of serverless applications are at a competitive disadvantage. For readers who are in the field, this probably comes as no surprise. Most software engineers undoubtedly know many colleagues who are working in serverless environments—if they are not doing so themselves.
It is clear why this is the case. The ability to build applications without worrying about the server infrastructure on which they reside is a huge advantage. It removes a complicated issue from the plate of the development team and puts it in the hands of the cloud service. It also brings other benefits:
- Better observability across the application. Because applications are broken into smaller functions, it is easier to troubleshoot and identify problems.
- Scalability. As with other cloud-based solutions, serverless architectures simplify the management of traffic fluctuations and eliminate the need for idle capacity on hand for peak usage.
- More focus on UX. At the end of the day, user experience is the most critical consideration for developers, and more focus can be directed here when the architecture is outsourced.
- Faster deployments. The ability to build software on a dynamic, scalable infrastructure enables yet another exponential improvement in the speed of development.
- Cost savings. Maintaining servers and databases is labor-intensive and often takes administrators away from more strategic tasks. While cost reductions may be smaller than advertised, serverless is a cost-effective solution.
- Green computing. Centralizing the server environment saves electricity and eliminates environmental risks posed by on-premises infrastructure.
INNOVATION BRINGS SECURITY CHALLENGES
Serverless computing has the potential to enable better application security as well. Unfortunately, as with many technological innovations, security protection for serverless environments has lagged behind serverless adoption at most organizations. We will discuss this further in another blog post, but suffice it to say that the typical company is protecting its serverless applications with a disconnected set of legacy tools that no longer work that well—even for applications on traditional infrastructure.
For serverless applications, these tools are even less effective. “No-edge blindness” resulting from functions that do not have a public-facing URL gives these tools poor visibility into serverless architectures. The abstraction of infrastructure, network, and servers confuses traditional tools and contributes to a false-positive rate that can exceed 85%. Legacy tools simply lack the context to do adequate analysis.
The good news is that there is another option. Contrast Serverless Application Security is a purpose-built tool for serverless application security testing that is both fast and accurate. Contrast’s developer-friendly approach to serverless application security testing includes pipeline-native autonomy and automation. Organizations gain complete security visibility for AWS Lambda functions with near-zero false positives. Read more in the blog post, “State of Serverless Application Security Report Exposes Gaps in the Speed of Innovation.”
- Report: Outlook of Serverless Application Security Report
- Inside AppSec Podcast: Key Takeaways From a New Serverless Application Security Report
- Webinar: Assessing the Current and Future Outlook of Serverless Application Security
- Blog: State of Serverless Application Security Report Exposes Gaps in the Speed of Innovation
- Blog: Contrast Delivers Developer-friendly Security for Serverless Applications
- White Paper: Quickly and Easily Scale and Secure Your Serverless Application Security