Building applications in the cloud isn't just about virtual machines and containers — it's also about enabling serverless models of application workflows.
On April 14, Stackery announced a major update to its namesake serverless cloud platform that addresses development, deployment and security challenges its customers are facing. Serverless is a different model for cloud in that it enables an event-driven functions-as-a-service approach for application workflows. Instead of needing a long-running virtual machine or container, a serverless function only runs when needed. The benefits of serverless include lower costs and more agility, but since it's a different way of building an application, existing security and development systems might not be properly aligned.
"With serverless, you have many different types of resources that you're piecing together. The most common one that people talk about are functions," Chase Douglas, co-founder and CTO of Stackery, told ITPro Today. "Even for organizations that have already started using containers and microservices, they might not have decomposed the workflow as far down as what happens in serverless, where you might have individual functions defined for each route of an API."
Stackery Introducing CI/CD for Serverless Capabilities
With modern DevOps development practices, organizations make use of continuous integration/continuous deployment (CI/CD) systems as part of the workflow. Stackery, with its update, is now providing its users with the capability to integrate serverless application development and deployment with CI/CD.
The new CI/CD capabilities in Stackery are based on what is commonly referred to as a GitOps workflow, Douglas said. As a serverless application stack is being built, the developer pushes changes to their Git code version-control provider of choice, such as GitHub, GitLab or Bitbucket. The next step usually is to create a pull request inside of the Git provider, which will then trigger Stackery to run a sequence of steps in parallel. The steps include analyzing the source code and identifying all the functions. Code checking is then executed with runtime-specific tools that can help identify security and safety issues.
"It will also provision a temporary sandbox environment just for the purposes of running integration tests that you've defined," Douglas said. "Lastly, it will provision a preview environment of the deployment, giving you an opportunity to evaluate your changes or potentially collaborate with others on your team who also can play with that preview deployment."
Serverless Cloud Security
Ensuring proper security for serverless cloud application deployments is another key challenge that Stackery is addressing in its platform update. A big issue with any type of cloud application is making sure that the application or service doesn't have more permissions than it needs, since excess permissions could broaden the reach of an attack.
As a user designs and develops an application in Stackery, there is a drag-and-drop canvas for connecting different resources, according to Douglas. With the new platform update, the permissions for connecting resources are scoped to provide only what is required to execute the function.
"So if in the worst case, there was a security vulnerability inside one of your functions and it had a mechanism to access one of your DynamoDB database tables, then the scope of that security intrusion is limited just to that one table and cannot progress further across the entire AWS account," Douglas said.
Looking forward, the focus is on continuing to help IT teams do more with serverless, Stackery CEO Tim Zonca told ITPro Today.
"One of the things that we will be adding after this launch is more around helping teams quickly scale and better collaborate," Zonca said. "Another set of capabilities that we've been looking at is, how can we start to add intelligence to these automation kinds of pipelines."