Security is a key concern, independent of the architecture of the application, and serverless is no exception. Since we are creating functions as services in the cloud, we need to take care in our authentication, authorization of execution, and the OWASP. However, in this context, the cloud provider—such as AWS or Azure—provides us with guides and practices out of the box, in order to minimize our concerns.

Another security concern to consider in serverless is the lack of a clearly shaped security perimeter. In other words, when the security perimeter of one of the functions ends and another starts, different cloud providers provide different ways to make those functions work as a whole; for example, AWS does this by using a service called an API Gateway. This API is used to orchestrate and compose the created FaaS. On the other hand, as is the case with everything that is ephemeral, many of these concerns may go away because the concept of ephemeral in FaaS is that the function will be created, run, and destroyed as many requests received on there are isolated each time that the FaaS is called.

To clarify any concerns, we will start to move some of our code to serverless/FaaS, creating an experimental development and incrementing when we feel more confident with the concept.