So if you're watching #Serverless-First Function, you might have just seen this slide on measuring and comparing #security between a serverless app and a "Monstrous Monolith."

Did you know there are actually numbers you can calculate and measure? 1/
Take another look at this formula from two slides previous:

Let's break down each of these components. 2/
c = each function's cyclomatic complexity

This is the control-flow complexity measure T.J. McCabe defined all the way back in 1976 (the same paper also defines a reduced form, essential complexity). It's a positive integer, counted from the decision points in the code, and tooling can calculate it for you. 3/

https://ieeexplore.ieee.org/document/1702388
d = each function's dependencies

This is also a positive integer (count your own application code as the first dependency, so d starts at 1 and never multiplies the formula down to zero).

Import a library? +1

This is harder to compare *across* languages, since what one import drags in differs by ecosystem. 4/
r = total number of accessible resources

You guessed it - you can calculate this too. DynamoDB table? +1. S3 bucket? +1. On-premises API? +1. Count what the function *can* reach, not just what it uses: if the role or the network path allows it, it counts. The important thing is that you are consistent in how you apply this for *your use case*. 5/
So now we can compare the two formulae. But what's the point? Not just to hate on monstrous monoliths, although they're awful relics and security nightmares and you should migrate away from them. Don't at me. 6/
Since I know you're gonna at me anyway, consider this.

Adding a dependency, a branching statement, or a resource to your monstrous monolith increases your risk on a **cubic** scale: the score is a product of all three terms, so one more `if` costs you d × r for the *entire* application.

With your #serverless application the same change only multiplies the other two terms of the one function you touched, and those stay small, so that increase is linear. 7/
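The three counts from the thread, carried through to the comparison in this tweet, as an added example that is not code from the original thread (and not the formula on the slide, which this page does not reproduce): Python that computes c from the decision points in each handler's AST, d from its top-level imports plus one for the application itself, and r from a per-function resource table. The three Lambda-style handler sources, the resource names, and the scoring rule (c × d × r per function, summed over the serverless app, versus a single c × d × r over the whole monolith) are all constructed assumptions for this example.

```python
"""Measure the thread's c, d and r for three constructed Lambda-style handlers.
Added example, not code from the original thread. Handler sources, the resource
table, and the scoring assumption (c * d * r per function summed for serverless,
one c * d * r for the monolith) are all constructed here.
"""
import ast
from dataclasses import dataclass

HANDLERS = {  # constructed sources; each would deploy as its own function
    "create_order": '''
import json, boto3
def handler(event, context):
    body = json.loads(event["body"])
    if "id" not in body or "qty" not in body:
        return {"statusCode": 400}
    if body["qty"] <= 0:
        return {"statusCode": 422}
    boto3.resource("dynamodb").Table("orders").put_item(Item=body)
    return {"statusCode": 201}
''',
    "get_order": '''
import boto3
def handler(event, context):
    item = boto3.resource("dynamodb").Table("orders").get_item(Key={"id": event["id"]}).get("Item")
    if item is None:
        return {"statusCode": 404}
    return {"statusCode": 200, "body": str(item)}
''',
    "ship_order": '''
import json, urllib.request, boto3
def handler(event, context):
    for record in event["Records"]:
        order = json.loads(record["body"])
        try:
            urllib.request.urlopen("https://erp.internal/ship", json.dumps(order).encode())
        except OSError:
            continue
        if order.get("label"):
            boto3.client("s3").put_object(Bucket="labels", Key=order["id"], Body=order["label"])
''',
}
# Constructed: what each function's IAM role and network path let it reach.
RESOURCES = {
    "create_order": ["dynamodb:orders"],
    "get_order": ["dynamodb:orders"],
    "ship_order": ["s3:labels", "onprem:erp.internal"],
}
BRANCHES = (ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler, ast.Assert)

def decision_points(tree):
    """Branch points in the control-flow graph; cyclomatic complexity is this plus one."""
    n = 0
    for node in ast.walk(tree):
        if isinstance(node, BRANCHES):
            n += 1
        elif isinstance(node, ast.BoolOp):         # `a or b or c` adds a path per extra operand
            n += len(node.values) - 1
        elif isinstance(node, ast.comprehension):  # [x for x in xs if p(x)]
            n += len(node.ifs)
    return n

def imported_modules(tree):
    """Top-level modules pulled in; relative imports are the app itself, not a +1."""
    mods = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            mods.add(node.module.split(".")[0])
    return mods

@dataclass(frozen=True)
class Terms:
    c: int  # cyclomatic complexity
    d: int  # dependencies, with the application itself as the first one (never 0)
    r: int  # distinct accessible resources
    def score(self):
        return self.c * self.d * self.r  # assumed product form of the slide's formula
    def cost_of_one_more_branch(self):
        return self.d * self.r           # c -> c+1 adds d*r to the product

def function_terms(source, resources):
    tree = ast.parse(source)
    return Terms(1 + decision_points(tree), 1 + len(imported_modules(tree)), len(set(resources)))

def serverless_score(handlers, resources):
    return sum(function_terms(src, resources[n]).score() for n, src in handlers.items())

def monolith_terms(handlers, resources):
    """Same code shipped as one unit: complexity adds up, dependencies and resources union."""
    trees = [ast.parse(src) for src in handlers.values()]
    mods = set().union(*(imported_modules(t) for t in trees))
    res = set().union(*(set(r) for r in resources.values()))
    return Terms(1 + sum(decision_points(t) for t in trees), 1 + len(mods), len(res))

if __name__ == "__main__":
    for name, src in HANDLERS.items():
        t = function_terms(src, RESOURCES[name])
        print(f"{name:13} {t}  score={t.score():3}  one more branch costs {t.cost_of_one_more_branch()}")
    m = monolith_terms(HANDLERS, RESOURCES)
    print(f"serverless total {serverless_score(HANDLERS, RESOURCES)}")
    print(f"monolith      {m}  score={m.score()}  one more branch costs {m.cost_of_one_more_branch()}")
```

With these constructed inputs the three functions score 12, 4 and 32 (total 48) while the same code as one monolith scores 8 × 4 × 3 = 96, and the marginal numbers are the point of the tweet: one extra `if` in get_order adds d × r = 2 to the serverless total, whereas the same `if` anywhere in the monolith adds 4 × 3 = 12, because the monolith's d and r are the union over everything it ships with. Swap in your own handlers and the resource list from your IAM policies and the same script tracks how your numbers move over time.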
The point is to understand how *your* system is evolving from a #security perspective over time. Where can you apply your limited resources to gain the maximum risk reduction?

Don't guess the answer - calculate the answer! 8/8
You can follow @rts_rob.