The future may be serverless, but for now, commoditized infrastructure is making platform-as-a-service increasingly attractive for startups, enterprises and developer shops. Led by Amazon and Microsoft, vendors such as Salesforce, Google and Oracle are pitching platforms for every development style, architecture, language and use case. And cloud-native programming is even attractive on-premises: a desire for consistent processes and DevOps-style tools is driving Microsoft’s Azure Stack, which works seamlessly in hybrid deployments with various Azure platform services. There’s also a thriving community around Cloud Foundry, an open source PaaS that comes in commercial distros by Pivotal, HPE and IBM.

Open source is holistic
Though Amazon Web Services is usually top of mind for infrastructure, it’s slightly less sought-after on the platform side. Here, Microsoft Azure shines, thanks to years of developer tool expertise — and a well-documented ability to pivot toward any market it initially missed.

But before perusing Azure’s plethora of options, it’s worth taking a closer look at how San Francisco-based Pivotal runs its two core open source projects, Cloud Foundry and Spring Boot.

“Pivotal Cloud Foundry goes the whole way from embedded operating systems — so you don’t have to buy anything from Red Hat ever again, to cloud orchestration — so you don’t need Puppet and Chef, to middleware — so you don’t need IBM WebSphere or Oracle WebLogic, to load balancing and some API services, all the way up to cloud-native frameworks such as Spring Boot, which is the most popular Java framework for cloud apps in the world,” according to James Watters, senior vice president of product at Pivotal, in a January 2017 video interview with

As Watters sees it, Pivotal’s holistic vision is exemplified by its cloud-native apps consultancy, Pivotal Labs. Ford’s connected car service, for example, chose Cloud Foundry running on multiple clouds and partnered with Pivotal Labs to executing their apps.

To be sure, any of the current PaaS vendors, including IBM and HP, building off of Cloud Foundry are adding a plethora of features for orchestration, containers, DevOps, testing and management, not to mention more specialized features such as chat bots, AI, blockchain-as-a-service and functions-as-a-service. But one thing no PaaS user should take for granted is the potential for malicious activity.

Security is critical
“The cloud has made delivering software easier but has opened up a huge attack surface. We use AWS serverlessly to protect AWS,” said Matt Fuller, founder of CloudSploit, which provides open source and hosted automated security and configuration monitoring software for AWS cloud environments.

According to Fuller, “Even the most secure cloud providers only offers security of the cloud. The user is responsible for security in the cloud. As groups, roles, devices, etc. change, oversights and misconfigurations open vulnerabilities that lead to outright hacks or just a financial DDOS [distributed denial of service]. Unfortunately, a single misstep can compromise your entire infrastructure.”

CloudSploit monitors your AWS instance for anomalous activity with tests you choose or create. An open source project available at, security experts from around the world contribute to CloudSploit with the goal of increasing compliance with best practices, to protect the company infrastructure and their client’s information.

Even those who eschew specialized monitoring take confidence in the fact that a core benefit of PaaS is not having to patch the underlying frameworks and operating system. According to Omar Khan, Redmond-based general manager for Microsoft cloud app development and tools, “Developers spend a lot of time, especially in a DevOps world, making sure that the components that their code is running on are updated to avoid any vulnerabilities. PaaS eliminates a lot of that, because the patching is done automatically, and that’s a huge time savings.”

The shift to DevOps culture has also taken effect, Khan explained: “Cloud is enabling DevOps more and more. And we’re seeing developers bringing security into the lifecycle through ‘rugged DevOps’ or ‘shift-left’ of the scanning within the development process — not having to wait to do that stuff once in production.”

Low-code PaaS gains traction
As PaaS gains in popularity, the panoply of flavors increases. In addition to iPaaS (integration PaaS) and PaaS for testing and QA, there are low-code options available. In September 2016, Oracle launched Project Visual Code, a low-code platform for business users and developers to extend services and build new applications with little to no coding.

Low-code platforms are emerging around specific niches, such as UK-based Naqoda’s recently launched Core Banking Platform as well as its existing Tax Engine. The cloud-enabled system enables European open banking via the Payment Services Directive 2 (PSD2), which enables financial information sharing and APIs for new financial products.

QuickBase is a veteran player in the space and has been collecting metrics on low-code speed gains. Last fall, the company’s “2016 State of Citizen Development” report found that among respondents, a majority said they were able to deliver apps in less than a month. In contrast, for delivering traditional hand-coded apps, two-thirds of developers reported requiring over two months, and nearly one-third required over six.

For some, no-code is a game-changer: “Because all of our applications are produced on a no-code platform as a service, we are able to staff our team with individuals who are less experienced and/or less technical than traditional development shops,” said Treff LaPlante, CEO and founder of and WorkXpress in Harrisburg, PA.

“The results have been astounding. We have reduced the average hours to deliver a project from beginning to end to only 273. On this platform we have materially grown our business year over year and are now able to pursue new markets,” he said.

When PaaS isn’t the answer
Of course, PaaS isn’t a panacea. Kim Rowe, CEO and founder of Toronto-based RoweBots Ltd., does custom embedded and Internet of Things development with PaaS, but notes that embedded PaaS is weak in one way or another. Like any good coder, Rowe’s solution was to build his own PaaS. Unison RTOS tackles what he calls the seven key characteristics (lean, adaptable, secure, safe, connected, complete, and cloud) required to build quality embedded systems. Perhaps an eighth key is cost.

“For example, a concussion-detection system we created needs servers running in the cloud. Even if it may not be used for a significant portion of the time, we’re still charged for hosting. Figuring out cloud billing needs to be built into the design. It is one thing if it is a mine collecting data 24/7/365, and another if it is a ball team that uses the sensors two hours per day, four times per week during the school year,” Rowe said.

Adam Stern, founder and CEO of Infinitely Virtual, a cloud service provider, is not a fan of using PaaS to develop for external customers.

PaaS is ideal for companies writing applications that are specific to their business. PaaS makes it possible, even easy, to develop applications rapidly with little technical know-how — applications that aren’t intended to be sold but that run on a single, captive platform,” Stern said. “When it comes to creating an app for customers, however, it’s a different story. If the platform for which the app was written changes or ceases to exist, you’re stuck.”

The danger, as Stern sees it, is too much ease-of-use: “PaaS does tend to put internal development teams on the IT rollercoaster, forever investing and reinvesting in platform-specific application development.”

Finally, all that convenience doesn’t always come cheap, either in terms of  freedom or finances. “We like Amazon Web Services quite a bit, so let’s pick on them. Their DynamoDB (on-demand database) service is great, but after using it for a few months, it becomes quite an undertaking to port it to a different platform,” said Scott Williams, director of software at Tallwave.

“As Fred Brooks says, there are no silver bullets; PaaS systems do tend to be more expensive, and that cost can go up significantly. It’s easy to throw a switch, quadruple your processing capabilities for a spike, and then pass out when the invoice arrives,” Williams said.

Could Serverless be the next Docker?
In 2014, Amazon unveiled its Lambda functions, and since then there’s been a flurry of new serverless offerings.

Along with and Apex, there’s Serverless Inc., the company behind the actively managed MIT open-source project of the same name. All comprise a new ecosystem of tools to manage, version and test serverless functions, especially Lambda functions. And similar — but by no means identical — compute services are evolving, including Microsoft Azure Functions, IBM Bluemix OpenWhisk, and Google Cloud Functions. Finally, you know it’s a trend when a conference appears: On cue, check out Serverlessconf in Austin this year in April.

What all these serverless function tools have in common is the ability to execute standalone commands in languages such as JavaScript, Python, C#, or Java on cloud infrastructure, with pricing based requests, duration and memory. In his forthcoming book Serverless Architectures on AWS (Manning, in press), Peter Sbarski, VP of engineering at A Cloud Guru, defines five principles of serverless architectures:

  1. “Execute code on demand.”
  2. “Write single-purpose stateless functions.”
    3. “Design push-based, event-driven pipelines.”
    4. “Create thicker, more powerful front ends” and
  3. “Embrace third-party services.”

Indeed, Andreesen-Horowitz parter Peter Levine believes PaaS and the centralized mentality of the cloud will be supplanted by edge devices communicating with each other. That’s not inconceivable, according to Microsoft.

“Moving from a server-based deployment to a container-based deployment really increases agility around being able to update and deliver value faster. When you look at serverless, it continues that trend,” said Omar Khan, Redmond-based General Manager for Microsoft cloud app development and tools.

“Serverless enables you to architect code that is very much a microservices pattern by nature, because each function is its own thing. Serverless enables microservices at a smaller granularity than even containers, as an example.  And when you get more granular microservices, then you think, well, some of these microservices run in the cloud and that’s the right place for that code to execute, but why wouldn’t these microservices run at the edge as well? That’s a trend that is very interesting,” he said.