[yeukhon]

> 8. Greater flexibility leads to greater attack surface

I think this is critical. The fact that there aren't many battle-tested frameworks out there writing your own functions can introduce security bugs. But from my experience, most of the use of Serverless code are very backend, cronjob type of code, and aren't necessarily tied to any real applications. Remote execution is still possible though. I am not sure how many people out there run their website in API Gateway. I've read about one or two stories, but that's it.

Another thing is not security-related, but more with reliability. Serverless development poses challenge for performance monitoring.