Talk on serverless security with a brief history of cloud, containers and now serverless. This talk also covers serverless patterns and the security considerations needed in this new environment. This talk was given at AppSecUSA 2016.
2. @WICKETT
JAMES WICKETT
๏ Head of Research at Signal Sciences
๏ Author at Lynda/LinkedIn Training for DevOps Fundamentals course releasing in November
๏ Blogger at theagileadmin.com and labs.signalsciences.com
4. @WICKETT
๏ Web App Firewall for modern workloads
๏ Cloud-native and devops friendly
๏ Answers the questions: Am I being attacked right now? Are attackers becoming successful?
๏ We are hiring (Golang, appsec, devops)
7. @WICKETT
CONCLUSION
๏ Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
๏ New serverless patterns are just emerging
๏ Security with serverless is easier
๏ Security with serverless is harder
8. @WICKETT
CONCLUSION (2)
๏ Four key areas apply to serverless security
๏ Software Supply Chain Security
๏ Delivery Pipeline Security
๏ Data Flow Security
๏ Attack Detection
20. @WICKETT
Serverless was first used to describe applications that significantly or fully depend on 3rd party applications / services (‘in the cloud’) to manage server-side logic and state.
http://martinfowler.com/articles/serverless.html
21. @WICKETT
Serverless can also mean applications where some amount of server-side logic is still written by the application developer but unlike traditional architectures is run in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party.
http://martinfowler.com/articles/serverless.html
22. @WICKETT
HISTORY OF SERVERLESS
๏ 2012 - used to describe BaaS and Continuous Integration services run by third parties
๏ Late 2014 - AWS launched Lambda
๏ July 2015 - AWS launched API Gateway
๏ October 2015 - AWS re:Invent - The Serverless company using AWS Lambda
๏ 2015 to present - Frameworks forming
๏ 2016 - Serverless Conference
http://www.slideshare.net/AmazonWebServices/arc308-the-serverless-company-using-aws-lambda
33. @WICKETT
Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
45. @WICKETT
IF YOU WANT TO LEAD YOUR COMPANY BRAVELY INTO THE NEW WORLD, YOU WOULD DO WELL TO FOCUS A LOT ON HOW SERVERLESS WILL EVOLVE.
- @CLOUDOPINION
https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
80. @WICKETT
WORDY
๏ Analyzes textual occurrences given a block of text, returns a JSON count of words
๏ Calls an API under the hood to get the text
๏ It consists of Lambda, S3 and API Gateway
111. @WICKETT
PROVIDER SECURITY
๏ Disable root access keys
๏ Manage users with profiles
๏ Secure your keys in your deploy system
๏ Secure keys in dev system
๏ Use provider MFA
112. @WICKETT
SIMPLE DEPLOY PIPELINE SECURITY
๏ Only dev keys can push to ‘dev’
๏ Only build/deploy system can push to pre-prod
๏ Integration tests must pass in this env
๏ Security validation must take place
๏ Allow push to prod, only by deploy system
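One way to enforce the stage separation above with provider IAM rather than convention, written as an added example (not from the talk or the Wordy project): an IAM policy attached to developers' users allows code updates only on functions named with a `wordy-dev-` prefix and only when the request carries MFA, and explicitly denies every Lambda action on the pre-prod and prod prefixes, so that only the deploy system's separate role can touch those stages. The function naming convention, the region and the account id `123456789012` are assumed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DevKeysDeployOnlyToDevStageWithMFA",
      "Effect": "Allow",
      "Action": [
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:PublishVersion"
      ],
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:wordy-dev-*",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    },
    {
      "Sid": "DevKeysNeverTouchPreProdOrProd",
      "Effect": "Deny",
      "Action": "lambda:*",
      "Resource": [
        "arn:aws:lambda:us-east-1:123456789012:function:wordy-preprod-*",
        "arn:aws:lambda:us-east-1:123456789012:function:wordy-prod-*"
      ]
    }
  ]
}
```

The explicit Deny wins over any Allow a developer might pick up from another attached policy, and the deploy system gets its own role (without this policy) scoped to the pre-prod and prod prefixes instead.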