
Sunday, May 28, 2017

An essential guide to the serverless ecosystem

Serverless computing is gaining momentum in the IT industry, and for good reason. Despite being a relatively new capability, it has captured the imagination of many technologists with the promise of delivering such benefits as shortened time to market, improved operational and security practices, and a revolutionary economic model based on pay-as-you-go pricing.
You may already understand the essentials of serverless architecture. But what does the overall serverless ecosystem look like, and what options do you have? In this guide I map it all out for you. I'll start with function as a service (FaaS), the linchpin of serverless computing, and expand into the cloud services used for building serverless architectures across major public and private cloud providers. From there I'll review the frameworks and tools you can use when building systems using a serverless stack. Finally, I'll draw the boundaries around "serverlessland" and show you where it lives in the overall world of cloud services.

It all started with FaaS

Despite vendor claims that serverless computing was born long ago, it actually started with the arrival of FaaS. The preview release of AWS Lambda, announced in November 2014, put FaaS firmly on the cloud computing map. (Amazon promoted Lambda to general availability status in April 2015.)
Yes, it was possible to run applications without directly managing servers before FaaS, using Google App Engine, Heroku, AWS Elastic Beanstalk, and others. But those compute services never offered a function-oriented execution model or per-invocation billing. Instead, they usually provided elastic scalability for server- or application-oriented workloads.
After AWS arrived, the other big public cloud providers began working on their own FaaS platforms. Azure Functions was released in preview in March 2016 and became generally available the following November. Google Functions was released in preview in February 2016 and promoted to beta in March 2017. The date of general availability is still unknown. There are many other FaaS platforms out there as well.

Why functions are not enough

While FaaS provides a way to execute arbitrary business logic using the function as a deployment and execution unit, by itself it’s not particularly powerful. The power of a serverless platform is only realized when you can integrate functions with many other services to build complete architectures.
Many people use the terms FaaS and serverless interchangeably, but there's an important distinction between the two concepts.
  • FaaS is a compute service that uses functions as the primary abstraction for deployment, scalability, execution, and billing. 
  • Serverless is a form of platform as a service (PaaS) that's ideal for event-driven, potentially volatile workloads. It combines FaaS with other cloud services to build complicated systems, while offering scalability, operability, integrated security, and pay-per-use billing.

Serverless platforms: The options

At the moment the most effective way to build serverless architectures is to pick one of the many serverless platforms on offer and take full advantage of all of its capabilities. Here are your choices:

Amazon Web Services

Amazon was the first major cloud provider to roll out FaaS capability, in the form of AWS Lambda.
The power of a serverless platform is determined to a substantial degree by the number and quality of capabilities you can leverage within it. On AWS, functions can be triggered by an increasing number of other services. These include notifications from S3 buckets, HTTP requests from API Gateway, record changes in DynamoDB tables, messages arriving on SNS topics, and Kinesis streams. Lately, AWS has placed more emphasis on FaaS as the primary, or even sole, compute service that integrates with many of the new services.
You can use AWS Lambda functions to power IoT back ends, Alexa skills, conversational bots using Lex, and workflows with step functions. And the FaaS compute approach is being pushed into other execution environments, such as when using functions to augment the behavior of CloudFront, Amazon’s content delivery network, and even into IoT devices, with AWS Greengrass.
As with any other distributed system, building serverless architectures requires excellent support from IT operations. AWS Lambda integrates seamlessly with CloudWatch, the monitoring and logging service. Besides providing out-of-the-box log aggregation and metric collection, AWS CloudWatch lets you use Lambda functions to customize the operational capabilities of the platform.
Functions can be triggered by CloudWatch events (which can support scheduled function execution) and by CloudWatch log streams, and can react to CloudWatch metric alarms via a social network service.
Recently, X-Ray, a distributed tracing service, started supporting AWS Lambda (preview release) so that you can monitor and trace complex data flows. And AWS IAM, the identity and access control service, provides an integrated and fine-grained security model for function execution.

Microsoft Azure

Despite joining the serverless race quite a while after AWS, Azure is making steady progress toward becoming a competitive platform. At this point, Azure Functions can be triggered by Azure Storage blob notifications, HTTP (REST or webhook) requests, events from Azure Event Hubs, or messages from storage queues or service bus queues or topics, or the triggers can be based on a schedule.
Azure adopts a more structured configuration model for its functions. It allows input and output bindings to be attached to the function, greatly simplifying, or completely removing, the code required to integrate with other services from within the function itself. Contrast this with AWS, where the SDK must be used for any form of integration. Similarly, Azure enables a few external integrations out of the box. For example, you can send text messages via Twilio or email messages using SendGrid.
When it comes to operational support for the serverless platform, however, Azure falls a bit short of AWS. Monitoring metrics are only available when using the App Service plan, which requires running a function on virtual machines managed by the cloud tenant. Is that really serverless?
And if functions are executed on the provider-managed compute, no monitoring information is available. Instead, Azure provides a set of guidelines. Also, it defines security policies for functions implicitly, based on input and output bindings, rather than explicitly configuring them using a dedicated service, as with AWS.

Google Cloud Platform

Google has yet to make its Google Cloud Platform (GCP) FaaS capability generally available, but it already provides some of the same core integration capabilities as AWS and Azure. You can trigger Google Functions by Cloud Storage bucket notifications, HTTP requests, Cloud Pub/Sub events, and a few types of Firebase events (Firebase is Google’s mobile-back-end-as-a-service platform).
Operationally, GCP provides well-integrated support for the functions in Google's Stackdriver monitoring service. As with AWS, logs emitted from Google Functions are automatically stored, in this case by Stackdriver. Logging and metrics are recorded by Stackdriver Monitoring, and GCP offers a Stackdriver Debugger that you can use to investigate the behavior of a function’s code. That's quite helpful when troubleshooting. GCP’s security model is somewhat different from that of AWS, however, and it doesn't yet provide support for fine-grained security policies.

IBM Bluemix/OpenWhisk

IBM Bluemix is a PaaS offering that includes Apache OpenWhisk, an open-source FaaS/serverless platform with capabilities similar to offerings from the big three public cloud providers. Because OpenWhisk is an open-source project, you have complete visibility into the workings of the FaaS platform, and it's extensible and customizable. When running Bluemix, you can run OpenWhisk on your own infrastructure on-premises, in the cloud, or as a fully managed platform.
Functions (called "actions" in OpenWhisk) can be triggered by HTTP requests, messages from Apache Kafka or Message Hub topics, changes in Cloudant NoSQL DB tables, scheduled events, or virtually any type of external system, provided an integration has been created for it.
From an IT operations point of view, OpenWhisk focuses mostly on the visual presentation of activities associated with function execution but also allows command-line interface-based polling for activity logs. Sadly, metrics, logging collection, and storage are not yet available, and the security model is not very well defined or documented. Developers may need to manage it explicitly, without a great deal of support from the platform.

Other FaaS platform choices

Many other products and projects are competing for a place in the serverless space. Some only offer FaaS capabilities (optionally with HTTP access to functions), while others provide a few other services, such as messaging or storage. Most started as BaaS providers and have rebranded themselves as serverless products. A few of note include: 
  • Iron.io, one of the most complete platforms in this group. It offers a FaaS product called IronWorker, as well as a distributed queue service (IronMQ) and cache service (IronCache).
  • PubNub, which allows for arbitrary code, called blocks, to execute within real-time messaging flows while it takes care of managing scalability of the compute stack.
  • Webtask.io, a mobile BaaS platform that you can use for running arbitrary code. It's packaged as "webtasks" and offers good support for creating Slack bots.
  • Hook.io, a similar product that offers its own key-value data store, as well as integrations with many cloud storage services.
  • You'll also find many open-source projects that provide FaaS abstraction on top of container schedulers. These include Funktion, Fission, Kubeless, Funcatron, and FaaS.

Frameworks and tools

While serverless platforms sound great, they don't always offer the best developer experience. That's why it makes sense to create or use frameworks and tools. In fact, the serverless space is experiencing something like the Cambrian Explosion when it comes to available tool options. New offerings are emerging rapidly, and you have many choices.
The Serverless Framework (formerly JAWS), which offers integrations with all major platform providers, is the most popular option today. Others you might consider include Chalice (Python, AWS), Zappa (Python, AWS), ClaudiaJS (Node, AWS), Dawson (Node, AWS), Shep (Node, AWS), Sparta (Go, AWS), and Lambada Framework (Java, AWS).
Besides frameworks, you can find many tools that can help you build and deploy functions or serverless architectures. For example, you can use HashiCorp Terraform as an alternative to your provider's own infrastructure-provisioning capabilities (such as AWS CloudFormation). Other popular tools include Apex, Gordon, and Kappa.

Where serverless fits in the cloud computing landscape

Many technologies and products provided PaaS and BaaS capabilities before either FaaS or serverless became popular. You had lots of SaaS products offering anything that could possibly be consumed either as an end-user functionality or a third-party product that could be integrated into an application or a system.
These categories are still relevant now, even with FaaS and serverless entering the cloud computing landscape. To recap:
  • FaaS is a high-abstraction compute service where the service provider takes full control over managing compute resources, including the runtime process executing the code.
  • Serverless describes a specialized PaaS that combines FaaS for compute with other managed cloud services in order to create scalable architectures that are cost-effective to operate.
  • BaaS offers back-end capabilities to browsers or mobile apps. It can be delivered on top of the serverless stack, as well as on a container-as-a-service (CaaS), infrastructure-as-a-service (IaaS), or other technology stack.
  • SaaS just means any software-based system offered without the need to run it on your own infrastructure. SaaS systems can be built on any technology stack; what matters is how users consume it.
No doubt, the word serverless will be used to describe all of these other services, and that may confuse many people. But that’s okay, as long as in the end the IT industry experiences even greater innovation. Your businesses will certainly benefit from the increased business agility that comes from adopting serverless computing.

Thursday, May 25, 2017

10 HTTPS Implementation Mistakes

10 HTTPS Implementation Mistakes - SEMrush Study

Elena Terenteva
Moving your website to HTTPS is not a nice SEO bonus or a prerogative of big business; it is a must for all kinds of websites. The volume of encrypted traffic is growing year after year and, according to Firefox telemetry, on January 29, 2017, half of all Internet traffic was secure, and that is a big deal.
The significance of this tipping point really can’t be overstated.
Ross Schulman, co-director of the New America Foundation’s cybersecurity initiative (Source).
If your website is still on the ‘dark side,’ you should reconsider your perception of encrypted traffic. In our previous article we talked about HTTPS’ influence and importance: it’s a heavy ranking signal, it’s a trust signal increasing users’ credibility, and finally, it’s a guaranteed way to protect your website data from certain types of attacks.
Today we are going to talk about mistakes that can occur during HTTPS implementation and ways to fix and avoid them, so if you have already moved your website to HTTPS or are just thinking about it, this article will help you to avoid some of the most common pitfalls.

HTTPS implementation mistakes

All statistical data for this article was obtained during research conducted using the SEMrush Site Audit tool. We collected anonymous data on 100,000 websites in order to find out the frequency of HTTPS implementation mistakes. First of all, we should say that only 45% of the websites we analyzed support HTTPS, and all data on the frequency of HTTPS-related errors was collected during the analysis of those secure domains.
Google has very clearly specified HTTPS pitfalls which may occur and should be avoided. Now let’s take a closer look at each one and thoroughly examine ways that these errors can occur.

Non-secure Pages with Password Inputs

Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure
Google Security Blog - Moving towards a more secure web
To identify the frequency of this error, we analyzed all 100,000 domains, because Google has strict requirements about ‘non-secure’ pages: any page that collects passwords should be encrypted. We hope that this initiative will facilitate the expansion of HTTPS. But for now, 9% of analyzed websites still have insecure pages with a password input.

Website Architecture Issues

Mixed Content

Mixed content occurs when your page is loading over secure HTTPS connections, but it contains elements (such as images, links, IFrames, scripts, etc.) that are not secured with HTTPS.
First of all, this may lead to security issues. Moreover, browsers will warn users about loading insecure content, and this may negatively affect user experience and reduce users’ confidence in your website.
And the extent of this problem is greater than you might think: 50% of websites have it. Manually evaluating this issue is very time-consuming, because one site can contain hundreds of pages, and that makes mixed content a real problem.

Internal Links on an HTTPS Site Leading to HTTP Pages

All internal website links, images, scripts, etc. should point to HTTPS versions. This is extremely important, especially if there are no redirects or HSTS implemented. Still, it is better to change links to their HTTPS version even if redirects are implemented. This is also one of the errors that can occur when moving a website to HTTPS. And it seems to be the biggest problem, because it’s also time-consuming to check due to the number of pages that need to be analyzed: 50% of the websites we analyzed face this pitfall.
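The three page-level checks described so far (a password input on an HTTP page, mixed content on an HTTPS page, and internal links that still point to HTTP) can be automated per page. The following is an added example, not SEMrush's code; the finding names, the `audit` function and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# Active content can rewrite the page; passive content is only displayed.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


def classify(tag, attr, attrs):
    """Name the pitfall a plain-HTTP URL in this attribute would be, or None."""
    if (tag, attr) in PASSIVE:
        return "mixed-passive"
    if (tag, attr) in ACTIVE:
        return "mixed-active"
    if (tag, attr) == ("link", "href"):
        # Only stylesheets are fetched and applied; rel=canonical is not.
        rels = attrs.get("rel", "").lower().split()
        return "mixed-active" if "stylesheet" in rels else None
    if (tag, attr) == ("a", "href"):
        return "internal-http-link"  # kept only when the host is our own
    return None


class HttpsPageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page = urlsplit(page_url)
        self.findings = []  # (kind, tag, absolute URL) in document order

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if self.page.scheme != "https":
            # Mixed content is only defined for HTTPS pages; on an HTTP page
            # the reportable problem is a password field.
            if tag == "input" and attrs.get("type", "").lower() == "password":
                self.findings.append(("password-on-http", tag, self.page_url))
            return
        for attr, value in attrs.items():
            kind = classify(tag, attr, attrs)
            if kind is None or not value.strip():
                continue
            # Relative and protocol-relative URLs inherit the page's scheme.
            target = urlsplit(urljoin(self.page_url, value.strip()))
            if target.scheme != "http":
                continue
            if kind == "internal-http-link" and target.hostname != self.page.hostname:
                continue  # outbound links are not this site's HTTPS problem
            self.findings.append((kind, tag, target.geturl()))


def audit(page_url, html):
    """Return the findings for one page, given its URL and HTML source."""
    parser = HttpsPageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, used for both an HTTPS and an HTTP page URL.
SAMPLE = """
<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<link rel="canonical" href="https://www.example.com/">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://www.example.com/logo.png">
<img src="/banner.png">
<a href="http://www.example.com/pricing">Pricing</a>
<a href="http://other.example.org/">Partner</a>
<iframe src="http://ads.example.net/frame"></iframe>
<form action="/login"><input type="PASSWORD" name="p"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit("https://www.example.com/", SAMPLE):
        print(finding)
    print(audit("http://www.example.com/login", SAMPLE))
```

Relative and protocol-relative URLs are not flagged because they follow the page's own scheme, which is why switching internal references to relative form removes this class of error during a migration.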

No Redirects or Canonicals to HTTPS URLs From HTTP Versions

When moving your site from HTTP to HTTPS, it is important to appropriately redirect canonical pages. This is important for several reasons. First, and most obviously, it supports a stable, secure website experience. Second, HTTP and HTTPS versions of a page that coexist without being connected impede your SEO: search engines are not able to figure out which page to index and which one to prioritize in search results. As a result, you may experience a lot of problems, including pages competing with each other, traffic loss and poor placement in search results.
Properly implemented redirects or canonicalization can improve a website's positions by combining all the signals.
This problem is not detrimental to websites using HSTS, because HSTS prevents web browser communication over HTTP, so we didn’t take them into account during our research. We discovered that on 8% of the websites we analyzed (excluding those supporting HSTS), the HTTP home page does not correspond to the HTTPS version. And keep in mind, we are just talking about home pages here; can you imagine how many pages on the rest of these websites have not been properly redirected?

HTTP URLs in the sitemap.xml for HTTPS Site

Again, this mistake can easily occur when moving a website to HTTPS.
To prevent Google from incorrectly making the HTTP page canonical, you should avoid the following practices: including the HTTP page in your sitemap or hreflang entries rather than the HTTPS version.
Although this seems to be a clearly described requirement, 5.5% of websites have this mistake. When moving your website to HTTPS, you don’t need to create another HTTPS sitemap.xml file; just change the protocol to HTTPS in the sitemap.
To learn how to properly migrate your site to HTTPS, check out this guide: All you need to know for moving to HTTPS by Fili Wiese.

Security Certificate Mistakes

Expired SSL Certificate

An SSL certificate (Secure Socket Layer certificate) is used to establish a secure connection between a server and a browser and to protect data on your website from being stolen. For some types of businesses that work with confidential data, like customers’ credit card and social security numbers, an expired SSL certificate brings the risk of credibility losses. Also, an expired certificate triggers a warning message for your users once they enter your website which will negatively affect your bounce rate. During our research, we found out that 2% of the analyzed websites have expired SSL certificates.

SSL Certificate Registered to an Incorrect Domain Name

This error occurs when the domain name to which your SSL certificate is issued doesn’t match the domain name displayed in the address bar. This mismatch mistake appeared on 6% of the analyzed websites.
The higher frequency of this error, compared to the previous one, can be explained by the misconception that an SSL certificate issued only to the root domain (example.com) works for subdomains (info.example.com). This mistake can occur even if the certificate is installed correctly. For example, if a website’s SSL certificate is issued for www.example.com, a user entering example.com will get to the website but receive an error notification.
This problem can be solved by using a Multi-Domain certificate, which allows you to use one certificate for multiple domain names or IP addresses. Note that unqualified names (www), local names (localhost), or private IP addresses violate the certificate's specification.
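The name-matching rule behind this error, together with the expiry check from the previous section, can be written down directly. This is an added example, not SEMrush's code: it works on a certificate dictionary in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the sample certificates, the `warn_days` threshold and the finding names are constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone


def name_matches(pattern, hostname):
    """True if one certificate DNS name covers the hostname.

    A name covers only hosts with the same number of labels, and a wildcard
    is honoured only as the whole left-most label, so "*.example.com" covers
    "info.example.com" but neither "example.com" nor "a.b.example.com".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require a real domain under the wildcard (rejects "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_certificate(cert, hostname, now, warn_days=30):
    """Return a list of findings for one certificate and one hostname."""
    findings = []
    # Only subjectAltName DNS entries are considered here; current browsers
    # no longer fall back to the subject's common name.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(name, hostname) for name in names):
        findings.append("name-mismatch")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    if expires <= now:
        findings.append("expired")
    elif expires - now < timedelta(days=warn_days):
        findings.append("expiring-soon")  # early warning before users see an error
    return findings


# Constructed sample certificates (only the fields the checks read).
CERT_WWW = {
    "subjectAltName": (("DNS", "www.example.com"),),
    "notAfter": "Jun 10 12:00:00 2017 GMT",
}
CERT_MULTI = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "May  1 00:00:00 2018 GMT",
}
CERT_EXPIRED = {
    "subjectAltName": (("DNS", "example.com"),),
    "notAfter": "Jan  1 00:00:00 2017 GMT",
}
NOW = datetime(2017, 5, 28, tzinfo=timezone.utc)  # fixed clock for the example

if __name__ == "__main__":
    for cert, host in [
        (CERT_WWW, "example.com"),
        (CERT_MULTI, "info.example.com"),
        (CERT_MULTI, "a.b.example.com"),
        (CERT_EXPIRED, "info.example.com"),
    ]:
        print(host, check_certificate(cert, host, NOW))
```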

Server Issues

No HTTP Strict Transport Security (HSTS) Server Support

The HSTS protocol informs web browsers that they can communicate with servers only through secured HTTPS connections. Let’s say a user typed the name of your website into the address bar as http://example.com; HSTS instructs the browser to use the HTTPS version instead.
HSTS is a protection from downgrade attacks and cookie hijacking. This is a way to secure users from a man-in-the-middle attack.
A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate. HSTS does not allow a user to override the invalid certificate message 
86% of analyzed websites don’t support HSTS. And it’s no surprise: the technology is quite new and browsers have only started to support it quite recently. Hopefully, in the next year we'll see a different picture with a positive trend.
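Whether a site "supports HSTS" comes down to the `Strict-Transport-Security` response header and whether a browser will accept it. The sketch below is an added example, not SEMrush's code; it parses the header following the RFC 6797 rules (case-insensitive directives, `max-age` required, no repeated directives, header ignored over plain HTTP). The finding names and the 180-day `min_max_age` default are assumptions chosen for this example.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return None if it is invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives such as a trailing ";" are allowed
        name, has_value, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # the value may be a quoted-string
        if name in directives:
            return None  # a directive may appear only once
        directives[name] = arg if has_value else None
    max_age = directives.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        return None  # max-age is required and must be a number of seconds
    if directives.get("includesubdomains") is not None:
        return None  # includeSubDomains takes no value
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
    }


def assess_hsts(scheme, header, min_max_age=180 * 24 * 3600):
    """Return findings for one response; header is None when it is absent."""
    if header is None:
        return ["missing"]
    if scheme != "https":
        # Browsers ignore the header on plain HTTP, where it could be forged.
        return ["ignored-over-http"]
    policy = parse_hsts(header)
    if policy is None:
        return ["invalid"]
    if policy["max_age"] == 0:
        return ["policy-cleared"]  # max-age=0 tells the browser to forget the host
    findings = []
    if policy["max_age"] < min_max_age:
        findings.append("short-max-age")
    if not policy["include_subdomains"]:
        findings.append("subdomains-not-covered")
    return findings


# Constructed sample responses: (scheme, header value or None).
SAMPLES = [
    ("https", "max-age=31536000; includeSubDomains"),
    ("https", None),
    ("http", "max-age=31536000"),
    ("https", "max-age=0"),
    ("https", 'Max-Age="600"'),
    ("https", "max-age=100; max-age=200"),
    ("https", "includeSubDomains"),
]

if __name__ == "__main__":
    for scheme, header in SAMPLES:
        print(scheme, repr(header), assess_hsts(scheme, header))
```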

Old Security Protocol Version (TLS 1.0 or older)

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, which provide a secure connection between a website and browser, must be regularly updated to the new strong versions: 1.1 or higher. There's no discussion; this is a must. An outdated version of a protocol makes it very easy for rogues to steal your data. It’s one of the critical errors, yet it appears on 3.6% of the analyzed websites. This means that even companies that care about timely SSL certificate renewal can forget about updating their protocol versions. So don’t forget to check your website’s current state.

No Server Name Indication (SNI) Support

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol, and it allows you to support multiple servers and host multiple certificates at the same IP address.
Using SNI solves the problem we talked about previously: an SSL certificate registered to an incorrect domain name. Let’s say you added a new subdomain; a user entering it will get a warning about an insecure connection, because the SSL certificate is issued to a different domain name. And it’s difficult, or better to say impossible, to foresee all possible names. So here comes SNI, which will prevent this error from occurring.
It’s not a strict requirement, which is probably why SNI-related errors were discovered on just 0.56% of the websites we analyzed.

About the SEMrush HTTPS Implementation Report

All the mistakes we've been discussing can be detected by the SEMrush HTTPS Implementation report, a new report available via the SEMrush Site Audit tool. We want to add a couple of words about the technical realization of this report and the way it can detect all of these HTTPS pitfalls for you.
When detecting errors related to an expired SSL certificate, the SEMrush HTTPS Implementation report doesn't just show you the certificate's expired status, but the date it expired. Moreover, it can help prevent this problem by sending a notification about an upcoming certificate expiration.
If a certificate is registered to an incorrect domain name, the report will show the subdomain the certificate is issued for, which will help to quickly discover the problem.
Talking about server-related issues: the report will provide full information about the exact subdomain that needs an upgrade of its security protocol (specifying the current version) or an implementation of HSTS and SNI support.
Speaking of website-architecture-related issues, one of the most interesting checks in the report is about mixed content detected on a page. The report will find any type of HTTP element, which we extract from the tag element. This means that the report is able to find and specify literally any insecure element. Considering how time-consuming mixed content exploration can be, this report will definitely become a great helper.
There is also a severity level mark for all errors, which will help you set priorities and work with the most dangerous issues first, then move on to the less important ones.
So we can say that these newest implementations, plus the high crawling speed, the 50 additional on-page and technical SEO checks and the friendly interface make the SEMrush Site Audit tool one of the most powerful website auditors available on the market and definitely the best one among SEO suites.
So what do you think? Share your thoughts about our new report and let us know what HTTPS errors have given you the most trouble as well as how you overcame them.


Friday, May 19, 2017

Your Company Blog Is Still Just as (or More) Powerful Than Snapchat, Instagram and Facebook

Today, it can be easy to disregard something like blogging as un-sexy and outdated in terms of being a viable channel to market your business. Plus, with a new social media platform arising virtually every year, neglecting blogging is easier now than ever before.
Despite this, having an active, curated company blog is just as important today as it was 10 years ago (if not more important).
In this article, you will discover a handful of reasons why you should still blog even if you’re killing it on much newer, hipper social media platforms. You’ll also learn four strategies on how to maximize blog traffic and the influence of your blog.

Why You Should Still Write a Blog

1. Longer Lifespan of Content

For the most part, Instagram and Snapchat content doesn’t show up in Google’s search results. On top of that, the lifespan of a Snap is a mere 24 hours. On Instagram, posts are lucky to stay relevant longer than 13 hours.
The short life cycle of this social media content is certainly a double-edged sword: the fact platforms like Twitter, Instagram, and Snapchat are so real-time means they facilitate the fluid exchange of ideas and information. All this makes them timely and relevant, thus powerful tools.
On the flip side, it also makes content on the same platforms fleeting, causing it to be difficult for businesses to keep up with the “digital Joneses” when it comes to social media. It is in the best interest of these social media platforms to ask for more content. It is in the best interest of Google to ask for the best content.
By having a company blog, customers could potentially be reeled in years down the road, all with a single piece of high quality content.

2. Impact on SEO

Despite the amount of media attention given to Instagram, Snapchat, Facebook and company, you shouldn’t forget that there are approximately 3.5 billion Google searches conducted every single day.
Comparatively, Facebook sees an estimated 2 billion searches per day, and Pinterest approximately 2 billion searches per month. Instagram’s total monthly user count just recently reached one-fifth of Google’s number of daily searches, and Snapchat is even further behind.
It’s clear Google is still the world’s top search engine. In order to get the most out of Google, you should be taking SEO (search engine optimization) into close consideration. When it comes to SEO, writing quality blog posts is a terrific way for your company to climb up the search rankings.
The higher your SEO, the higher your probability of landing a client who stumbles across your work through Google in the future.

3. Ownership

Time and again, history has proven that the relevance of social media networks is a hard thing to predict. Just remember, Myspace was king from 2005 to 2008, Tumblr was popular from 2007 to 2013, and Vine was hottest from 2013 to 2015.
Instagram, Snapchat, Facebook, and the rest are all terrific platforms to use in order to garner the attention of your audience and to grow an audience, but using them as your company’s “home base” could prove unwise.
Blogs are much different. They are yours and only yours. No one else can take them away from you…well, except GoDaddy or Google Domains, but you get the point.

Successful Blogging Strategies

Now that you know a handful of reasons why blogging is still an indispensable marketing strategy, the real work begins. To help you, here are some tips and best practices to use to make sure your blog is getting the maximum exposure it deserves.

Leverage Platforms Like the One You’re Reading on Right Now — Medium ;)

It’s no surprise that today’s online landscape is saturated, and the blogosphere is no different. That’s why fresh platforms like Medium are such a valuable asset to have to increase the traffic and influence of your company blog.
Medium provides the perfect venue to showcase your own blog because it is (more or less) a blog in itself. It is a channel designed specifically for written content.
Additionally, Medium provides users with something they can’t automatically get from a standalone blog: a built-in audience of more than 30 million monthly users. Medium gives users the scale that would otherwise take years to build and nurture with a standalone blog.
Ready to get started? Here are some pointers:
  1. Read Quincy Larson’s article, which analyzes the best practices of the top 252 Medium articles in 2016.
  2. Use tools like Rabbut and Upscribe to seamlessly capture your reader’s emails, preferably after offering them a freebie (ebook, video course, etc.) in exchange for their email address.
  3. Use Medium to republish content from your company blog, and be sure to include a link to the original post so readers can stay in touch with you.
  4. Try your very best to get published on a large, relevant publication. To do this, reach out to the respective editor (via email or Twitter) with a link to your 100% completed article. Include a quick pitch going over why your content would be a great fit for the publication.

Don’t Be Afraid to Pay

Don’t be too shy to pay to promote your blog in the form of social media advertising (via Facebook ads, LinkedIn ads, Twitter ads, etc.).
Social media moguls like Gary Vaynerchuk think Facebook advertising is the single most valuable commodity in the online marketing world today, so it could definitely be worth your while to put some dollars behind the medium.
To get started, watch this short tutorial video covering how to create and manage Facebook Ads.

Use Quora

Neil Patel, digital marketing expert and founder of four multi-million dollar companies, preaches to his audience to search on Quora to discover which questions are being asked most often in your niche. You can find these questions in the Top FAQ section of the website.
After you find a question you like, write an answer to it in the form of a blog post. This will increase the likelihood others will search for and see the post, find it valuable, and come back for more.


You never can go wrong with networking, and tools like Meetup.com, Facebook Groups, and LinkedIn Groups make meeting like-minded people easier now than ever before. Set aside an hour to search for groups and meetups in your niche.
