Driving Serverless Productivity: More Responsibility for Developers

There’s a balance to strike, but with the right tools and procedures in place, developers can be empowered to uphold high governance standards while achieving greater agility, cost-efficiency, and creativity in serverless environments.


Serverless computing is booming, and it’s easy to understand why. At a basic level, it offers true elastic scalability without any of the hassle associated with provisioning infrastructure. 

By offloading resource allocation to the cloud service provider, a host of benefits can be realized. And they all come from new efficiencies -- meaning it’s goodbye to long-winded server management. Resources scale automatically in response to demand, cutting overprovisioning. As a result, application deployment requires fewer steps, meaning time to market is improved. Meanwhile, pay-per-use models more closely tie costs to business value.  

These benefits make serverless incredibly developer friendly. But while serverless can enable developers to move faster, it’s also incredibly important that companies remain well-managed. If you don’t have the right compliance checks and feedback loops, unsafe builds can quickly introduce instability. That’s why with any serverless operation a “shift left” approach to DevOps -- whereby testing, quality, and performance evaluation happen earlier in the development process -- is key. 

But how do you embrace this approach, without undermining all the efficiencies and speed gained by going serverless in the first place? 


Enhance and Guide the Developer Experience  

Striking the balance between speed and safety comes from two types of controls and their accompanying notification system. 

First, there are proactive controls, which prevent deployment of non-compliant resources by instilling best practices from the get-go. Second, there are detective controls, which identify violations that are already deployed and then provide remediation steps.

It’s important to recognize these controls must not be static. They need to evolve over time, just as your organization, processes, and production environments evolve. Think of them as checks that place more responsibility on developers to meet high standards, and also make it far easier for them to do so.  

Going further, a key -- and often overlooked -- part of any governance approach is its notification and supporting messaging system. As your policies mature over time, it is vitally important to have a sense of lineage. If we’re pushing for developers to take on more responsibility, and we’ve established that the controls are constantly evolving and changing, notifications cannot feel arbitrary or unsupported. Developers need to be able to understand the source of the standard driving the control and the symptoms of what they’re observing.  


Having a strong foundation of control IDs, descriptions, links to learning resources, and clear remediation action instructions not only drives workflow efficiency but also sets teams up for a reliable, swift, and constructive feedback loop that can nurture ongoing iterative improvements. 

Embracing the Right Tools 

We’ve established the principles of applying governance controls to empower developers in a serverless environment. But what about the tools themselves? The options available are vast. The following are just two examples companies can use, both of which highlight some core benefits a serverless approach can offer:

  • Open Policy Agent (OPA) is a compliance rules engine that uses policies to detect non-compliant resources and take resulting actions. It’s open-source technology that doesn’t require coding, so you can easily describe the configurations that are out of compliance with your standards. For example, you may have a function that is missing tags, which are vitally important for cost allocation, security, and identification of resources. OPA can notify you that something needs remediating.

  • AWS CloudFormation Guard (CFN Guard) is another open-source, general-purpose, policy-as-code evaluation tool. CFN Guard can be used preventively. It’s essentially a command line interface (CLI) binary that you put on your local developer machine, or within your CI/CD pipelines, which gives a pass, fail, or skip result whenever a resource is about to be committed. It prevents the resource from progressing unless it passes those policy requirements and places that responsibility squarely in the developer’s hands.
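
The missing-tag check and pass/fail/skip gate from the two bullets above, combined with the control ID, description, learning link, and remediation text called for earlier, sketched as an added example in plain Python. It is not OPA, CFN Guard, or code from the authors; the control ID, URL, required tag keys, and sample template are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical control catalogue entry: the ID, URL and tag keys are assumptions.
CONTROL = {
    "id": "SRVLS-TAG-001",
    "description": "Lambda functions must carry cost-allocation and ownership tags.",
    "learn_more": "https://governance.example.internal/controls/SRVLS-TAG-001",
    "required_tags": ("CostCenter", "Owner"),
}

@dataclass
class Finding:
    resource: str
    status: str  # PASS, FAIL or SKIP
    control_id: str
    message: str = ""
    remediation: str = ""
    learn_more: str = ""

def tag_keys(props):
    """Tag keys from a CloudFormation Tags list of {Key, Value} entries."""
    return {t.get("Key") for t in (props.get("Tags") or []) if isinstance(t, dict)}

def evaluate(template, control=CONTROL):
    """Return one Finding per resource in a CloudFormation-style template dict."""
    findings = []
    for name, res in sorted(template.get("Resources", {}).items()):
        if res.get("Type") != "AWS::Lambda::Function":
            findings.append(Finding(name, "SKIP", control["id"]))  # control does not apply
            continue
        present = tag_keys(res.get("Properties") or {})
        missing = ", ".join(k for k in control["required_tags"] if k not in present)
        if not missing:
            findings.append(Finding(name, "PASS", control["id"]))
        else:  # the notification carries its lineage: control, reason, fix, reference
            findings.append(Finding(name, "FAIL", control["id"],
                f"{control['description']} Missing: {missing}.",
                f"Add Tags entries with keys {missing} to {name}.", control["learn_more"]))
    return findings

def gate(findings):
    """Exit code for a CI step: 1 blocks the deployment when any resource fails."""
    return 1 if any(f.status == "FAIL" for f in findings) else 0

# Constructed sample template, not taken from the article.
SAMPLE = {"Resources": {
    "OrdersFn": {"Type": "AWS::Lambda::Function", "Properties": {"Tags": [
        {"Key": "CostCenter", "Value": "1234"}, {"Key": "Owner", "Value": "orders"}]}},
    "ReportsFn": {"Type": "AWS::Lambda::Function",
                  "Properties": {"Tags": [{"Key": "Owner", "Value": "reports"}]}},
    "JobsQueue": {"Type": "AWS::SQS::Queue", "Properties": {}}}}
```

Run in a pipeline step, `gate(evaluate(template))` acts as the proactive control; the same `evaluate` applied to the configuration of already deployed resources yields the findings a detective control would report.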


Building a Center of Excellence (COE) 

Beyond any single tool, at Capital One we’ve also launched a serverless center of excellence that brings together all of our best practices and standards for leveraging serverless at scale into a single place.  

Every line of our business -- from retail to enterprise and more -- feeds into it. It’s at the heart of our serverless strategy and helps us to set standards, influence tooling and policy decisions, prioritize critical activities, learn from one another, and reduce risks and siloed decision making. For larger enterprises in particular, a center of excellence, or similar initiative, is game-changing. It increases alignment, learning and agility as you implement your serverless approach.  

Step into the Serverless Future 

Serverless development is already redefining how we think about enterprise software development.  

It’s unlocking higher productivity while helping teams to focus on high value and fulfilling work. But adopting serverless places new responsibilities and higher expectations on developers. It’s up to leaders to ensure that developers feel supported and enabled to meet those new expectations. 

There’s a balance to strike, but with the right tools and procedures in place, developers can be empowered to actively uphold high governance standards while achieving far greater agility, cost-efficiency, and creativity in serverless environments. 

About the Authors

Sam Dengler

Sr. Distinguished Engineer, Capital One

Sam Dengler is a Sr. Distinguished Engineer at Capital One. Sam is one of Capital One's serverless-focused strategy leaders, and he works with engineering teams to design serverless, event-driven architectures using AWS services like AWS Lambda, AWS Step Functions, and Amazon EventBridge.

Brian McNamara

Distinguished Engineer, Capital One

Brian McNamara is a Distinguished Engineer at Capital One. He leads the Serverless Functions Community of Practice and is a staunch advocate of improving developer productivity and enabling observability in serverless applications. Brian actively works with teams across Capital One to improve the serverless experience.  
