November 04, 2018
In early 2016 Yan Cybulski (Nuweba CTO & co-founder) sat down with me and explained how serverless is going to change the software world. We had previously worked together on extensive cyber security projects in Israeli intelligence and had become fascinated with high speed, large scale development platforms. I had come across serverless before but had never heard someone speak so passionately about it (or any other cloud service for that matter). For me, that was it - I was sold on the serverless revolution and Yan and I decided to take a deeper dive to explore the ins and outs of the serverless paradigm and ecosystem.
We started talking to dozens of companies to learn about their serverless use cases and what they thought was missing that would help them adopt serverless faster and for larger parts of their stack. Not surprisingly, we kept hearing the same story everywhere we went: the main inhibitors of serverless adoption are the lack of security, monitoring, and performance (specifically, cold start) solutions.
In particular, we saw companies who chose to use serverless without security out of fear that the security overhead would damage performance. On the flip side, we saw companies who sacrificed performance in the name of security (like running Lambdas in a VPC and adding input sanitization in a different Lambda). We realized that addressing security for serverless is where we could really make a difference. Yan and I kicked into high gear.
As more companies choose serverless as their preferred way to develop and run apps, the need for application-level security increases. Today we see that some companies use serverless for mission critical jobs and user facing applications. On the other hand, some trailblazing organizations are 100% serverless right from the start. In any event, it has become imperative to find a dedicated solution to secure the serverless application level against common attacks like remote code execution, injections (such as SQLi), authentication bypass, data leakage, XSS, and XXE.
We developed Nuweba because when it comes to serverless, there should be absolutely no compromise between security – first and foremost – and efficiency, visibility, and performance.
Having no control over the infrastructure and environment makes securing serverless challenging. The obvious solution would be to create a wrapper for the function which includes some security logic. However, wrappers, daemons, and shims are intrusive to user functions, they create overhead, and so performance deteriorates. Using wrappers also increases the cost of serverless apps, because functions are charged in 100ms increments and by the memory they use, and the wrapper's own execution time and memory are billed as part of the function.
After thinking long and hard about it, we came to the conclusion that without access to the underlying infrastructure, any security solution would always be an unjustified compromise between security and usability.
There was only one way to go, and so Nuweba was born. The main rationale behind Nuweba is to allow organizations to enjoy the benefits of serverless (abstraction, agility, pricing model), while still maintaining control over the environment. We also completely understand the importance of being low-touch and seamless, and the need to secure all your functions without demanding code changes or being intrusive to your code. And by securing serverless, we are also able to offer you real-time deep visibility and operational insights into your serverless applications.
We’ve assembled a truly amazing team of security experts and highly skilled coders, and we couldn’t think of a better group to work with to make serverless fast and secure. All of us at Nuweba are excited to be part of this ecosystem and make serverless more complete as we push the frontiers of mainstream software development.
Join us in reaping the benefits of serverless without compromising security, efficiency, or performance.