Guy Podjarny from Snyk gave a presentation on securing serverless applications. He demonstrated vulnerabilities in a sample serverless app and how to fix them. The main security issues discussed were vulnerable dependencies, denial of service via regular expression denial of service (ReDoS) vulnerabilities, secrets in code, granular permissions for functions, and immutable servers being reused. Podjarny emphasized testing for vulnerabilities, using key management systems, deploying narrowly scoped functions, and monitoring functions over time.
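The ReDoS and input-validation points in the summary above, as an added example that is not part of the talk, its slides, or Snyk's sample application. It assumes a Node.js API Gateway style Lambda handler; the regular expressions, the `validateUsername` and `handler` functions, the `MAX_INPUT_LENGTH` cap and the sample events are all constructed here.

```javascript
// Added example, not code from the talk or from Snyk's sample app.
// All names, patterns and sample events are constructed for illustration.

// A pattern of the kind ReDoS scanners flag (hypothetical): the nested
// quantifier "([a-z0-9]+)+" lets the engine try exponentially many ways to
// split a non-matching input, so matching time explodes with input length.
// It is kept only as a reference and is never run on untrusted input here.
const REDOS_PRONE_PATTERN = /^([a-z0-9]+)+@example\.com$/;

// Accepts exactly the same strings, but with one unambiguous quantifier,
// so the engine never has to backtrack across alternative groupings.
const SAFE_PATTERN = /^[a-z0-9]+@example\.com$/;

// Hard cap applied before any regex runs. This bounds matching time
// regardless of pattern quality, which matters in serverless because a
// slow invocation is billed per millisecond and holds a concurrency slot.
const MAX_INPUT_LENGTH = 64;

// Validate one untrusted field. Returns a result object rather than
// throwing so the handler can map it to an HTTP status.
function validateUsername(raw) {
  if (typeof raw !== 'string') {
    return { ok: false, reason: 'username must be a string' };
  }
  if (raw.length > MAX_INPUT_LENGTH) {
    return { ok: false, reason: 'username too long' };
  }
  if (!SAFE_PATTERN.test(raw)) {
    return { ok: false, reason: 'username has invalid format' };
  }
  return { ok: true };
}

// Lambda-style (API Gateway proxy) handler. `event.body` is an untrusted
// JSON string; every failure path returns 400 before the regex is reached
// or after it has been bounded by the length check.
function handler(event) {
  let body;
  try {
    body = JSON.parse(event.body || '{}');
  } catch (err) {
    return { statusCode: 400, body: JSON.stringify({ error: 'invalid JSON' }) };
  }
  const result = validateUsername(body.username);
  if (!result.ok) {
    return { statusCode: 400, body: JSON.stringify({ error: result.reason }) };
  }
  return { statusCode: 200, body: JSON.stringify({ username: body.username }) };
}

// Constructed sample events standing in for API Gateway requests.
const sampleEvents = {
  valid: { body: JSON.stringify({ username: 'alice@example.com' }) },
  wrongDomain: { body: JSON.stringify({ username: 'alice@evil.example' }) },
  // Long non-matching input is the class that triggers catastrophic
  // backtracking in REDOS_PRONE_PATTERN; here the length check rejects it
  // before any pattern runs.
  oversized: { body: JSON.stringify({ username: 'a'.repeat(10000) + '!' }) },
  notJson: { body: '{not json' },
};

// Run the handler over each sample and collect the status codes.
function runSamples() {
  const out = {};
  for (const name of Object.keys(sampleEvents)) {
    out[name] = handler(sampleEvents[name]).statusCode;
  }
  return out;
}

console.log(runSamples());
```

The ordering is the point: the size check runs before any pattern, so even if a later change reintroduces a backtracking-prone regex, an attacker-controlled field cannot make a single invocation run for seconds. Pairing that with a pattern that has no nested quantifiers removes the ReDoS exposure entirely for this field.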
Watch the video with slide synchronization on InfoQ.com: https://www.infoq.com/presentations/serverless-security-2017
Presented at QCon San Francisco (www.qconsf.com)
4. About Me
• Guy Podjarny, @guypod on Twitter
• CEO & Co-founder at Snyk
• History:
  • Cyber Security part of Israel Defense Forces
  • First Web App Firewall (AppShield), Dynamic/Static Tester (AppScan)
  • Security: Worked at Sanctum -> Watchfire -> IBM
  • Performance: Founded Blaze -> CTO @ Akamai
• O’Reilly author, speaker
5. Serverless Security: The Theory (talk from ServerlessConf)
• https://www.youtube.com/watch?v=CiyUD_rI8D8
• https://snyk.io/blog/serverless-security-implications-from-infra-to-owasp/
29. Serverless user is typically Low Privilege
Reducing impact substantially, but not eliminating it
30. 7. Worry about all functions
(Every available function increases your attack surface)
31. Security in Serverless
Each area is rated on the slide as Better, Neutral or Worse:
• Vulnerabilities in your code
• Vulnerable App Dependencies
• Permissions
• Securing Data at rest
• Vulnerable OS Dependencies
• Denial of Service
• Long-lived Compromised Servers
• Third Party Services
• Attack Surface
• Security Monitoring
32. Serverless is defined now. Let’s build Security in.
Thank You!
Guy Podjarny, Snyk, @guypod
Don’t forget: OSS Security AMA, 2:55pm, Waterfront CDE