Serverless security - how to protect what you don't see?
Jean-Baptiste Aviat
CTO & Co-founder
Former (Red Team)
Email: jb@sqreen.io
Twitter: @jbaviat
Podcast:
What is Serverless?
And why is it different?
Monolithic application: business logic 100% written by developers
  Dev / Ops: Code ⭐⭐⭐⭐⭐, Ops ⭐
Microservices: Auth, File upload, Business service #1, Business service #2, Push service, Async workers
  Dev / Ops: Code ⭐⭐⭐, Ops ⭐⭐⭐
Serverless:
  Dev / Ops: Code ⭐, Ops ⭐⭐⭐
[Diagram: Monolithic applications → Microservices → Serverless, plotted as more code → less code against the distance between dev and ops]
Ad-hoc usage: easier to deploy
Dynamically configure cloud elements, transform data on the go, comply with cloud vendors' requirements.
Teams use it to circumvent processes / CI / deploy.
Native serverless applications
Build applications designed for serverless infrastructures.
How does serverless impact security?
[Diagram: Dev / Sec / Ops overlap for a monolithic app, microservices and serverless]
Serverless forces bridging dev, sec & ops
What “serverless” means is moving too fast
Edge serverless, ad-hoc, infra
Scale is different (1 monolithic app → 5 micro services → 100 serverless functions)
No tool lets you visualize all of your lambdas at once (and the spreadsheet doesn't work at
this scale and pace!)
The space hasn't reached maturity yet:
● No commonly accepted best practices, but a broad variety of them
● Evolving fast
Monitoring: ❌   Protection: ❌
Scaling challenges 🤯:
● Developers do 20 ⨉ more ops
● 1 microservice = 20 ⨉ functions
● 20 ⨉ vulnerable dependencies?
● 20 ⨉ ownership tracking?
● 20 ⨉ threat modeling?
● New functions appear 20 ⨉ faster?
New challenges 🚨:
● No way to visualize deployments
● Best practices still change rapidly
● Entrypoints vary widely (HTTP? Queue? Stream? Database?)
● Higher coupling to the cloud provider requires strong cloud security
Solved challenges ✅:
● System updates (unless Docker based: then you patch the image yourself!)
● Network level security (mTLS, …)
Serverless security: what can we do?
Use infrastructure as code (Terraform, CloudFormation, …)
Shift your infrastructure left
● With serverless, a part of the business logic is handled by the infrastructure
● Serverless app developers own both the code and a part of the infrastructure
Use the principle of least privilege for your lambdas (but with reasonable granularity!)
Monitor your costs (and be ready to block abuses)
Ops are still needed, but are much simpler than for microservices*
* Network, encryption and mutual authentication are mostly ensured by proper cloud services usage.
Keep best practices (OWASP top 10): injections, vulnerable dependencies, lack of monitoring, AuthN / AuthZ issues
NEW: scalability & coherency: design strong function frameworks (CI, deployment, logging frameworks, …)
New functions appear and disappear at a higher rate than ever
Leverage developers' tools as much as possible to:
● Monitor that security controls are applied
● Monitor the permissions used
● Ensure production doesn't drift from the IaC
IaC / Terraform makes it easy to inspect
IaC / Terraform allows static controls to be applied (and CI to be broken if needed)
Cloud APIs allow running functions to be listed and inspected dynamically
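Comparing the two views the slide names, the IaC declaration and what the cloud API lists, is what turns "no way to visualize deployments" into a CI check. The following is an added example (not code from the talk or from Sqreen): DECLARED stands for what you would read out of Terraform state, a CloudFormation stack or a serverless.yml, and DEPLOYED mimics the records returned by the AWS lambda:ListFunctions API (boto3: client("lambda").get_paginator("list_functions")). Both are constructed so the check runs offline; every name, ARN and value is a placeholder.

```python
"""Inventory and drift check: functions declared in IaC vs functions deployed.

Added example; it is not code from the talk or from Sqreen. DECLARED stands
for what you would read from Terraform state, a CloudFormation stack or a
serverless.yml; DEPLOYED mimics the records that the AWS lambda:ListFunctions
API returns (boto3: client("lambda").get_paginator("list_functions")). Both
are constructed so the check runs offline; names, ARNs and values are
placeholders.
"""
from dataclasses import dataclass, field

# Fields of a deployed function that must match the declaration exactly.
TRACKED_FIELDS = ("Runtime", "Role", "Handler", "Timeout", "MemorySize")


@dataclass
class DriftReport:
    unmanaged: list[str] = field(default_factory=list)  # deployed, not declared
    missing: list[str] = field(default_factory=list)    # declared, not deployed
    # function name -> field -> (declared, actual)
    drifted: dict[str, dict[str, tuple]] = field(default_factory=dict)

    def ok(self) -> bool:
        return not (self.unmanaged or self.missing or self.drifted)


def compare(declared: dict[str, dict], deployed: list[dict]) -> DriftReport:
    """Diff the IaC view against the cloud API view of one account/region."""
    report = DriftReport()
    actual = {fn["FunctionName"]: fn for fn in deployed}
    report.unmanaged = sorted(set(actual) - set(declared))
    report.missing = sorted(set(declared) - set(actual))
    for name in sorted(set(declared) & set(actual)):
        diffs: dict[str, tuple] = {}
        for key in TRACKED_FIELDS:
            if key in declared[name] and declared[name][key] != actual[name].get(key):
                diffs[key] = (declared[name][key], actual[name].get(key))
        # Compare environment variable names only: values may be secrets and
        # must never end up in a CI log.
        declared_env = set(declared[name].get("Environment", {}))
        actual_env = set(actual[name].get("Environment", {}).get("Variables", {}))
        if declared_env != actual_env:
            diffs["Environment"] = (sorted(declared_env), sorted(actual_env))
        if diffs:
            report.drifted[name] = diffs
    return report


def render(report: DriftReport) -> str:
    lines = []
    for name in report.unmanaged:
        lines.append(f"UNMANAGED {name}: deployed but absent from IaC (pushed by hand?)")
    for name in report.missing:
        lines.append(f"MISSING   {name}: declared in IaC but not deployed")
    for name, diffs in report.drifted.items():
        for key, (want, got) in diffs.items():
            lines.append(f"DRIFT     {name}.{key}: declared {want!r}, actual {got!r}")
    return "\n".join(lines)


ROLE = "arn:aws:iam::123456789012:role/"

# Constructed IaC view of three functions.
DECLARED = {
    "upload-resize": {"Runtime": "python3.12", "Role": ROLE + "upload-resize-role",
                      "Handler": "app.handler", "Timeout": 30, "MemorySize": 512,
                      "Environment": {"THUMB_BUCKET": "example-uploads"}},
    "push-notify": {"Runtime": "nodejs20.x", "Role": ROLE + "push-notify-role",
                    "Handler": "index.handler", "Timeout": 10, "MemorySize": 256,
                    "Environment": {}},
    "nightly-report": {"Runtime": "python3.12", "Role": ROLE + "nightly-report-role",
                       "Handler": "report.handler", "Timeout": 300, "MemorySize": 1024,
                       "Environment": {}},
}

# Constructed cloud API view: one role swapped by hand, one extra env var,
# one function pushed from a laptop, one declared function never deployed.
DEPLOYED = [
    {"FunctionName": "upload-resize", "Runtime": "python3.12", "Role": ROLE + "admin-role",
     "Handler": "app.handler", "Timeout": 30, "MemorySize": 512,
     "Environment": {"Variables": {"THUMB_BUCKET": "example-uploads", "DEBUG_TOKEN": "changeme"}}},
    {"FunctionName": "push-notify", "Runtime": "nodejs20.x", "Role": ROLE + "push-notify-role",
     "Handler": "index.handler", "Timeout": 10, "MemorySize": 256,
     "Environment": {"Variables": {}}},
    {"FunctionName": "jb-test-fn", "Runtime": "python3.12", "Role": ROLE + "admin-role",
     "Handler": "test.handler", "Timeout": 3, "MemorySize": 128},
]


def main() -> int:
    report = compare(DECLARED, DEPLOYED)
    print(render(report))
    return 0 if report.ok() else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run on a schedule rather than only at deploy time: the function pushed from a laptop to "circumvent processes / CI / deploy" never passes through the pipeline, so only a periodic comparison against the API will surface it.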
● Maintain the OWASP top 10
● Adopt a strong cloud security posture
● Generalize the principle of least privilege
● Generalize IaC (Terraform, ...)
● Leverage cloud APIs to automate controls and monitoring
● Monitor serverless cost
● Ensure coherency amongst function deployments
Pillars: OWASP top 10, cloud security posture, serverless cost monitoring, unified deployments
Use the Serverless framework or Terraform
● With safe, relevant examples
● Coupled with CI
Provide relevant & safe code examples
● Using an ORM / validation / logging / …
● Coupled with CI
Prepare provisioning for:
● A working deployment
● A CI job to deploy & run linting / static analysers
Document how to deploy secrets
Git repository best practices:
● Mandatory pull requests
● Require a CODEOWNERS file
● Lock master
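The "relevant & safe code examples" a function framework ships are what developers copy when a new function is needed in an afternoon, so they decide whether the injection and AuthN / AuthZ items from the best-practices slide recur 20 times. The following is an added example (not code from the talk or from Sqreen) of such a handler template in the API Gateway proxy event format: identity taken from the authorizer, an allow-list on the path parameter, a bound-parameter query and one structured log line per request, with the string-built lookup it replaces kept alongside. The sqlite3 table, the rows and the events are constructed; the datastore stands in for whatever the real function queries.

```python
"""A function handler template: validation, parameterised query, structured log.

Added example; it is not code from the talk or from Sqreen. The event follows
the API Gateway proxy format, the datastore is an in-memory sqlite3 table that
stands in for the real one, and every record and event below is constructed.
The injectable lookup is kept next to the safe one so the template shows what
it replaces.
"""
import json
import logging
import re
import sqlite3

log = logging.getLogger("orders")
logging.basicConfig(level=logging.INFO, format="%(message)s")

# Path parameter allow-list: an order id is 1 to 12 digits, nothing else.
ORDER_ID = re.compile(r"[0-9]{1,12}")


def open_store() -> sqlite3.Connection:
    """Constructed stand-in for the function's datastore."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER, owner TEXT, total REAL)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                    [(1, "alice", 10.0), (2, "bob", 99.0), (3, "alice", 5.5)])
    return con


def vulnerable_lookup(con, owner: str, order_id: str) -> list:
    """What copy-pasting the previous function tends to produce: string building."""
    return con.execute(
        f"SELECT id, total FROM orders WHERE owner = '{owner}' AND id = {order_id}"
    ).fetchall()


def safe_lookup(con, owner: str, order_id: str) -> list:
    """Bound parameters: input can never change the shape of the query."""
    return con.execute(
        "SELECT id, total FROM orders WHERE owner = ? AND id = ?", (owner, int(order_id))
    ).fetchall()


def _log(event: dict, **fields) -> None:
    """One JSON line per request; never the raw body, never a token."""
    ctx = event.get("requestContext", {})
    log.info(json.dumps({"request_id": ctx.get("requestId"), **fields}))


def _response(status: int, body: dict) -> dict:
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def handler(event: dict, context=None, con=None) -> dict:
    con = con or open_store()
    # Identity comes from the API Gateway authorizer, never from a query string.
    owner = event.get("requestContext", {}).get("authorizer", {}).get("principalId")
    if not owner:
        _log(event, outcome="denied", reason="no principal")
        return _response(401, {"error": "unauthenticated"})
    order_id = (event.get("pathParameters") or {}).get("id", "")
    if not ORDER_ID.fullmatch(order_id):
        _log(event, caller=owner, outcome="rejected", reason="invalid order id")
        return _response(400, {"error": "invalid order id"})
    rows = safe_lookup(con, owner, order_id)
    if not rows:
        _log(event, caller=owner, outcome="not_found", order_id=order_id)
        return _response(404, {"error": "not found"})
    _log(event, caller=owner, outcome="ok", order_id=order_id)
    return _response(200, {"id": rows[0][0], "total": rows[0][1]})


def demo() -> tuple:
    """Constructed injection: the same path parameter against both lookups."""
    con = open_store()
    injected = "0 OR 1=1"  # escapes the owner filter in the string-built query
    stolen = vulnerable_lookup(con, "alice", injected)  # every row, bob's included
    event = {"requestContext": {"requestId": "req-1",
                                "authorizer": {"principalId": "alice"}},
             "pathParameters": {"id": injected}}
    return stolen, handler(event, con=con)
```

The validation step rejects the injected id before it reaches the query, and the bound parameter would neutralise it even if validation were skipped; both layers belong in the template because the next copy of it may drop one of them.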
Complexity shifts to the infrastructure
Serverless = a different kind of ops, not no ops!
Some risks occur 20 times more
● Serverless shifts complexity from application code to the infrastructure.
● Serverless doesn't mean no ops, but:
  ● a different kind of ops, done by different personas
  ● ops that are much simpler compared to microservices (mTLS, peer to peer, etc.)
● Some security risks occur more (20 times more!), some new ones appear, and a few disappear.
● Cloud security takes a much more important stance.
● Scaling development practices (CI, CD, frameworks, BoM) becomes a requirement.
Cloud security is more important than ever
Scaling best practices becomes a necessity
CSA - The 12 Most Critical Risks for Serverless Applications
OWASP top 10
OWASP serverless top 10
Serverless framework
Terraform, CloudFormation
CODEOWNERS (Github, Gitlab)
AppSec Builders podcast
Or get in touch / ask me directly:
Email: jb@sqreen.io
Twitter: @jbaviat
Podcast:

Serverless security - how to protect what you don't see?

  • 1.
  • 2. Jean-Baptiste Aviat CTO & Co-founder Former (Red Team) Email: jb@sqreen.io Twitter: @jbaviat Podcast:
  • 3. What is Serverless? And why is it different?
  • 4. Business logic 100% written by developers. Dev / Ops: Code ⭐⭐⭐⭐⭐, Ops ⭐
  • 5. Auth, File upload, Business service #1, Business service #2, Push service, Async workers. Dev / Ops: Code ⭐⭐⭐, Ops ⭐⭐⭐
  • 8. Ad-hoc usage: easier to deploy. Dynamically configure cloud elements, transform data on the go, comply with cloud vendors’ requirements. Teams use it to circumvent processes / CI / deploy. Native serverless applications: build applications designed for serverless infrastructures.
  • 9. How does serverless impact security?
  • 10. Serverless forces bridging dev, sec & ops (Dev / Sec / Ops, shown for monolithic app, microservices and serverless).
  • 11. What “serverless” means is moving too fast: edge serverless, ad-hoc, infra. Scale is different (1 monolithic app → 5 microservices → 100 serverless functions). No tool allows you to visualize all of your lambdas at once (and the spreadsheet doesn’t work for this scale and pace!). The space didn’t reach maturity yet:
    ● No commonly accepted best practices, but a broad variety of best practices
    ● Evolving fast
  • 13. Scaling challenges 🤯:
    ● Developers do 20 ⨉ more ops
    ● 1 microservice = 20 ⨉ functions
    ● 20 ⨉ vulnerable dependencies?
    ● 20 ⨉ ownership tracking?
    ● 20 ⨉ threat modeling?
    ● 20 ⨉ faster new function appearance?
    New challenges 🚨:
    ● No way to visualize deployments
    ● Best practices still change rapidly
    ● Entrypoints vary widely (HTTP? Queue? Stream? Database?)
    ● Higher coupling to the cloud provider requires high cloud security
    Solved challenges ✅:
    ● System updates (unless Docker based!)
    ● Network level security (mTLS, …)
  • 15. Use infrastructure as code (Terraform, CloudFormation, …). Shift your infrastructure left:
    ● With serverless, a part of the business logic is handled by the infrastructure
    ● Serverless app developers own both the code and a part of the infrastructure
    Use the principle of least privilege for your lambdas (but with reasonable granularity!). Monitor your costs (and be ready to block abuses).
    * Network, encryption and mutual authentication are mostly ensured by proper cloud services usage, and are much simpler than for microservices.
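As an added example (not from the talk or from Sqreen), here is the kind of least-privilege check that "shift your infrastructure left" makes possible: a small linter over the IAM policy document a function's execution role will receive, run in CI so an over-broad role fails the build before it is deployed. The two policy documents are constructed samples in the standard AWS IAM JSON shape (account id, bucket and log-group names are placeholders); the list of sensitive actions is an assumption about what a team would want flagged, not a vendor-published list, and the "reasonable granularity" from the slide is reflected by only flagging wildcards, not every unscoped call.

```python
"""Static least-privilege check for Lambda execution-role policies.

Added example (not from the talk). Lint the IAM policy document a function's
role is about to get, so that CI can fail before an over-broad role reaches
production. Both sample policies below are constructed for illustration.
"""
import fnmatch
import json

# Constructed sample: the "weak" policy many ad-hoc functions ship with.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample: the same function scoped to what it actually does.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:eu-west-1:111111111111:log-group:/aws/lambda/orders-*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-orders-bucket/incoming/*",
        },
    ],
})

# Assumed review list: actions whose presence in a function role warrants a
# justification even when the resource is scoped (escalation / blast radius).
SENSITIVE_ACTIONS = (
    "iam:*", "sts:AssumeRole", "lambda:UpdateFunctionCode",
    "lambda:AddPermission", "kms:Decrypt",
)


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_sensitive(action):
    # Match in both directions so "kms:*" is caught by the "kms:Decrypt" entry
    # and "iam:PassRole" is caught by the "iam:*" entry.
    return any(fnmatch.fnmatchcase(action, p) or fnmatch.fnmatchcase(p, action)
               for p in SENSITIVE_ACTIONS)


def lint_policy(policy_json):
    """Return a list of findings (strings) for one IAM policy document.

    An empty list means the policy passed the least-privilege checks.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        where = stmt.get("Sid") or f"Statement[{idx}]"
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{where}: NotAction/NotResource grants by exclusion; "
                            "rewrite as an explicit allow list")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{where}: action '*' grants every API call")
                continue
            if action.endswith(":*"):
                findings.append(f"{where}: service-wide action '{action}'; "
                                "list the calls the function makes")
            if _is_sensitive(action):
                findings.append(f"{where}: sensitive action '{action}' needs an explicit justification")
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append(f"{where}: resource '*' is not scoped to this function's data")
    return findings


def policy_passes(policy_json):
    """CI gate: True when there are no findings, so the job can exit non-zero otherwise."""
    return not lint_policy(policy_json)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        problems = lint_policy(doc)
        print(f"{name}: {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Run it against the policy documents your IaC renders (Terraform `aws_iam_policy_document`, CloudFormation `AWS::IAM::Role`, or the `iamRoleStatements` block of a Serverless framework project) and wire `policy_passes` into the pipeline step that gates deployment.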
  • 16. Keep best practices: injections, vulnerable dependencies, lack of monitoring, AuthN / AuthZ issues (OWASP top 10). NEW: scalability & coherency: design strong function frameworks (CI, deployment, logging frameworks, …).
  • 17. New functions appear and disappear at a higher rate than ever. Leverage developers’ tools as much as possible to:
    ● Monitor that security controls are applied
    ● Monitor the permissions used
    ● Ensure production doesn’t drift vs IaC
    IaC / Terraform makes it easy to inspect. IaC / Terraform allows static controls to be applied (and the CI build to be broken if needed). Cloud APIs allow you to dynamically list and inspect running containers.
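The "ensure production doesn't drift vs IaC" and "monitor the permissions used" points above, as an added example that is not part of the talk: compare the functions your IaC declares with what the cloud API actually reports, and flag functions nobody committed, functions that vanished, and roles or runtimes that were changed by hand. The declared inventory stands in for what you would extract from your Terraform state or `serverless.yml`; the live inventory mirrors the field names of a Lambda "list functions" response but is a constructed sample, as are the function names, role ARNs and account id.

```python
"""Detect drift between IaC-declared functions and what is actually deployed.

Added example (not from the talk). DECLARED stands in for the functions your
IaC repository defines; LIVE_RESPONSE is a constructed stand-in for a cloud
"list functions" API response, trimmed to the fields being compared.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FunctionSpec:
    name: str
    role: str
    runtime: str
    handler: str


# Constructed: what the IaC repository says should exist.
DECLARED = [
    FunctionSpec("orders-api", "arn:aws:iam::111111111111:role/orders-api-role", "python3.12", "app.handler"),
    FunctionSpec("orders-worker", "arn:aws:iam::111111111111:role/orders-worker-role", "python3.12", "worker.handler"),
    FunctionSpec("nightly-report", "arn:aws:iam::111111111111:role/nightly-report-role", "python3.12", "report.handler"),
]

# Constructed: what the cloud API reports (field names follow a Lambda
# ListFunctions response; values are invented for the example).
LIVE_RESPONSE = {
    "Functions": [
        {"FunctionName": "orders-api", "Role": "arn:aws:iam::111111111111:role/orders-api-role",
         "Runtime": "python3.12", "Handler": "app.handler"},
        # Someone "fixed" a permission problem by hand: the role changed.
        {"FunctionName": "orders-worker", "Role": "arn:aws:iam::111111111111:role/admin-role",
         "Runtime": "python3.12", "Handler": "worker.handler"},
        # Deployed from a laptop, never committed to IaC.
        {"FunctionName": "quick-csv-fix", "Role": "arn:aws:iam::111111111111:role/admin-role",
         "Runtime": "python3.9", "Handler": "fix.handler"},
        # nightly-report is absent entirely.
    ]
}


@dataclass
class DriftReport:
    unmanaged: list = field(default_factory=list)  # live, not in IaC
    missing: list = field(default_factory=list)    # in IaC, not live
    changed: dict = field(default_factory=dict)    # name -> {attr: (declared, live)}

    @property
    def clean(self):
        return not (self.unmanaged or self.missing or self.changed)


def parse_live(response):
    """Turn the API response into FunctionSpec objects keyed by function name."""
    return {
        f["FunctionName"]: FunctionSpec(f["FunctionName"], f["Role"], f["Runtime"], f["Handler"])
        for f in response.get("Functions", [])
    }


def detect_drift(declared, live_response):
    """Compare declared specs with the live inventory and return a DriftReport."""
    declared_by_name = {spec.name: spec for spec in declared}
    live_by_name = parse_live(live_response)
    report = DriftReport()
    report.unmanaged = sorted(set(live_by_name) - set(declared_by_name))
    report.missing = sorted(set(declared_by_name) - set(live_by_name))
    for name in sorted(set(declared_by_name) & set(live_by_name)):
        want, have = declared_by_name[name], live_by_name[name]
        diffs = {
            attr: (getattr(want, attr), getattr(have, attr))
            for attr in ("role", "runtime", "handler")
            if getattr(want, attr) != getattr(have, attr)
        }
        if diffs:
            report.changed[name] = diffs
    return report


if __name__ == "__main__":
    report = detect_drift(DECLARED, LIVE_RESPONSE)
    print("unmanaged (live, not in IaC):", report.unmanaged)
    print("missing (in IaC, not live):", report.missing)
    for name, diffs in report.changed.items():
        for attr, (want, have) in diffs.items():
            print(f"{name}: {attr} declared={want!r} live={have!r}")
    # Non-zero exit so a scheduled CI job turns drift into a failed build.
    raise SystemExit(0 if report.clean else 1)
```

Scheduled as a CI job that pulls the live inventory from the provider's API, this gives the "visualize all of your lambdas at once" view the slides say no tool provides, and the role comparison is the cheapest way to notice that a function's permissions were widened outside the IaC review path.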
  • 18. ● Maintain the OWASP top 10
    ● Adopt a strong cloud security posture
    ● Generalize the principle of least privilege
    ● Generalize IaC (Terraform, ...)
    ● Leverage cloud APIs to automate controls and monitoring
    ● Monitor serverless cost
    ● Ensure coherency amongst function deployments
    Key points: OWASP top 10, cloud security posture, serverless cost monitoring, unified deployments.
  • 19. Use the Serverless framework or Terraform:
    ● With safe, relevant examples
    ● Coupled with CI
    Provide relevant & safe code examples:
    ● Using ORM / validation / log / …
    ● Coupled with CI
    Prepare provisioning for:
    ● A working deployment
    ● A CI job to deploy & run linting / static analysers
    Document how to deploy secrets. Git repositories best practices:
    ● Mandatory pull requests
    ● Require a CODEOWNERS file
    ● Lock master
  • 20. Complexity shifts to the infrastructure. Serverless = a different kind of ops, not no ops! Some risks occur 20 times more.
    ● Serverless shifts complexity from application code to the infrastructure.
    ● Serverless doesn’t mean no ops, but:
    ● Different kinds of ops are done by different personas
    ● Ops are much simpler compared to microservices (mTLS, peer to peer, etc.)
    ● Some security risks occur more (20 times more!), some new ones appear, and a few disappear.
    ● Cloud security takes a much more important stance.
    ● Scaling development practices (CI, CD, frameworks, BoM) becomes a requirement.
    Cloud security is more important than ever. Scaling best practices becomes a necessity.
  • 21.
  • 22. References: CSA - The 12 Most Critical Risks for Serverless Applications; OWASP top 10; OWASP serverless top 10; Serverless framework; Terraform, CloudFormation; CODEOWNERS (GitHub, GitLab); AppSec Builders podcast. Or get in touch / ask me directly: Email: jb@sqreen.io, Twitter: @jbaviat, Podcast: