serverless security: doing security in 100 milliseconds
@WICKETT
SERVERLESS SECURITY
DOING SECURITY IN 100 MILLISECONDS
JAMES WICKETT
๏ Head of Research at Signal Sciences
๏ Author at Lynda/LinkedIn Training for DevOps Fundamentals course releasing in November
๏ Blogger at theagileadmin.com and labs.signalsciences.com
DEVOPS ROADMAP FOR SECURITY
http://info.signalsciences.com/book
๏ Web App Firewall for modern workloads
๏ Cloud-native and devops friendly
๏ Answer the questions: Am I being attacked right now? Are attackers becoming successful?
๏ We are hiring (Golang, appsec, devops)
CONCLUSION
๏ Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
๏ New serverless patterns are just emerging
๏ Security with serverless is easier
๏ Security with serverless is harder
CONCLUSION (2)
๏ Four key areas apply to serverless security
๏ Software Supply Chain Security
๏ Delivery Pipeline Security
๏ Data Flow Security
๏ Attack Detection
WHAT IS SERVERLESS?
MISCONCEPTIONS
IT’S MARKETING (CLOUD REBRANDED)
SERVERLESS == NO SERVERS
SERVERLESS == CLOUD

SERVERLESS == BACKEND AS A SERVICE

SERVERLESS == PLATFORM AS A SERVICE
SO, WHAT IS SERVERLESS?

http://martinfowler.com/articles/serverless.html
@MIKEBROBERTS

Serverless was first used to describe applications that significantly or fully depend on 3rd party applications / services (‘in the cloud’) to manage server-side logic and state.
http://martinfowler.com/articles/serverless.html

Serverless can also mean applications where some amount of server-side logic is still written by the application developer but, unlike traditional architectures, is run in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party.
http://martinfowler.com/articles/serverless.html

HISTORY OF SERVERLESS
๏ 2012 - used to describe BaaS and Continuous Integration services run by third parties
๏ Late 2014 - AWS launched Lambda
๏ July 2015 - AWS launched API Gateway
๏ October 2015 - AWS re:Invent - The Serverless company using AWS Lambda
๏ 2015 to present - Frameworks forming
๏ 2016 - Serverless Conference
http://www.slideshare.net/AmazonWebServices/arc308-the-serverless-company-using-aws-lambda

[Diagram: traditional architecture: Client, Proxy/LB, Servers, Database]

[Diagram: serverless architecture: Client, Auth Service, API Gateway, Function A, Function B, Database Service, Web Delivery]
WHAT CAN WE SAY IS SERVERLESS?
SERVERLESS IS FUNCTIONS AS A SERVICE (FaaS)
BUT, BUT…CONTAINERS!
CONTAINERS … ON DEMAND

SERVERLESS IS (NO MANAGEMENT OF) SERVERS
SERVERLESS IS SERVICEFULL

SERVERLESS IS AN OPINIONATED FRAMEWORK FOR COMPUTE

Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
A SHORT HISTORY OF CLOUD
VIRTUALIZATION
“THE CLOUD”
DEVOPS
SaaS PaaS IaaS
PRIVATE CLOUD
THEN, ALONG CAME CONTAINERS
CONTAINERS ARE TEH HAWTNESS

LOTS OF EFFORT IN CONTAINER ORCHESTRATION

THE CLOUD WAS TO VIRTUALIZATION AS SERVERLESS WILL BE TO CONTAINERS

IF YOU WANT TO LEAD YOUR COMPANY BRAVELY INTO THE NEW WORLD, YOU WOULD DO WELL TO FOCUS A LOT ON HOW SERVERLESS WILL EVOLVE. - @CLOUDOPINION
https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d

Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
SO, WHAT ARE THE UPSIDES?
SCALING BUILT IN
PAY FOR WHAT YOU USE IN 100MS INCREMENTS

WITH SERVERLESS, SYSTEM ADMINISTRATION IS (MOSTLY) LOWER

SERVERLESS IS IMPLICIT MICROSERVICES

SHORT CIRCUITS OPS AND MOVES INFRASTRUCTURE RUNTIME CLOSER TO DEVS

YOU CAN SKIP CHEFFING AND DOCKERING ALL THE THINGS!
LEAN STARTUP FRIENDLY
INCREASED VELOCITY
GREAT, WHAT’S THE CATCH?

OPS BURDEN TO RATIONALIZE SERVERLESS MODEL (SPECIFICALLY DEPLOY)
MONITORING
LOGGING

STATELESS FOR REAL: NO MEMORY PERSISTENCE ACROSS FUNCTION RUNS
VENDOR LOCK-IN
SECURITY
RELIABILITY
SERVERLESS USE CASES
IMAGE RESIZING
QUEUE PROCESSING
http://martinfowler.com/articles/serverless.html
RUN A WEB APPLICATION
API GATEWAY
http://martinfowler.com/articles/serverless.html
CI/CD
LICENSING
SECURITY IS THE SAME AND DIFFERENT
EVERYTHING IS HTTP(S)

WHAT USED TO BE SYSTEM CALLS IS NOW DISTRIBUTED COMPUTING OVER THE NETWORK

SERVERLESS SHIFTS ATTACK SURFACE TO THIRD PARTIES

LET’S TRY A SAMPLE APPLICATION IN AWS
๏ Golang!
๏ AWS Lambda supports bring your own binary
๏ Sparta wraps your binary with a node.js shim
OTHER OPTIONS
๏ Serverless Framework
๏ APEX
๏ Kappa

WORDY
๏ Analyzes word occurrences in a block of text and returns a JSON count per word
๏ Calls an API under the hood to get the text
๏ It is composed of Lambda, S3 and API Gateway
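The deck does not reproduce Wordy's source, so the following is an added Go example (not the talk's Sparta code) of the word-counting function together with the two limits a serverless handler should apply before doing any work: a cap on the size of the text it fetched and a deadline, so that an oversized or slow response from the "API under the hood" cannot keep the function running until the platform timeout. `TextSource`, `memSource`, `Analyze` and the limit values are assumptions for this example.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Limits enforced before any counting happens (values are assumptions for this example).
const (
	maxTextBytes = 64 * 1024       // refuse text larger than 64 KiB
	maxRuntime   = 3 * time.Second // stay under the platform function timeout
)

// ErrTooLarge is returned when the fetched text exceeds maxTextBytes.
var ErrTooLarge = errors.New("input exceeds size limit")

// TextSource stands in for the "API under the hood" that supplies the text.
type TextSource interface {
	Fetch(ctx context.Context, id string) (string, error)
}

// WordCounts is the JSON document the function returns.
type WordCounts struct {
	Total  int            `json:"total"`
	Counts map[string]int `json:"counts"`
}

// CountWords splits text on anything that is not a letter, digit or
// apostrophe, case-folds each token and counts its occurrences.
func CountWords(text string) WordCounts {
	isSep := func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '\''
	}
	wc := WordCounts{Counts: make(map[string]int)}
	for _, w := range strings.FieldsFunc(text, isSep) {
		wc.Counts[strings.ToLower(w)]++
		wc.Total++
	}
	return wc
}

// Analyze fetches the text for id, enforces the size and time limits,
// and returns the counts as JSON.
func Analyze(ctx context.Context, src TextSource, id string) ([]byte, error) {
	ctx, cancel := context.WithTimeout(ctx, maxRuntime)
	defer cancel()
	text, err := src.Fetch(ctx, id)
	if err != nil {
		return nil, fmt.Errorf("fetch %q: %w", id, err)
	}
	if len(text) > maxTextBytes {
		return nil, ErrTooLarge
	}
	// The fetch may have used most of the budget; do not start the
	// CPU-bound count once the deadline has passed.
	if err := ctx.Err(); err != nil {
		return nil, err
	}
	return json.Marshal(CountWords(text))
}

// memSource is a constructed in-memory stand-in for the real text API, so the example runs offline.
type memSource map[string]string

func (m memSource) Fetch(ctx context.Context, id string) (string, error) {
	if err := ctx.Err(); err != nil {
		return "", err
	}
	text, ok := m[id]
	if !ok {
		return "", errors.New("not found")
	}
	return text, nil
}

func main() {
	src := memSource{"doc1": "Serverless is servicefull. Serverless is FaaS!"}
	out, err := Analyze(context.Background(), src, "doc1")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(string(out))
}
```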
go run main.go provision -s S3_BUCKET
WHAT I LEARNED ABOUT SERVERLESS SECURITY
FOUR AREAS OF SERVERLESS SECURITY
๏ Secure Software Supply Chain
๏ Delivery Pipeline
๏ Data Flow Security
๏ Attack Detection
SURFACE AREA REDUCTION!
SURFACE AREA EXPANSION!
SSL / TLS FROM THE PROVIDER
DNS!
LAMBDA + S3 + KINESIS + DYNAMODB + CLOUDFORMATION + API GATEWAY + AUTH0

USE A THIRD-PARTY SERVICE FOR CONFIG CHANGES
ACCESS CONTROL
DELIVERY PIPELINE SECURITY
UNIT TESTING
INTEGRATION TESTING
CONFIGURATION IS PART OF DELIVERY
PROVIDER SECURITY
๏ Disable root access keys
๏ Manage users with profiles
๏ Secure your keys in your deploy system
๏ Secure keys in dev system
๏ Use provider MFA
SIMPLE DEPLOY PIPELINE SECURITY
๏ Only dev keys can push to ‘dev’
๏ Only build/deploy system can push to pre-prod
๏ Integration tests must pass in this env
๏ Security validation must take place
๏ Allow push to prod, only by deploy system
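The five rules above, as an added Go example of a promotion gate a deploy system could run before it pushes (this is not code from the talk or from any of the frameworks it names). It goes one step beyond the slide: the prod rule requires the pre-prod evidence to be about the same artifact digest, so the build that reaches prod is the one whose integration tests and security validation actually passed. `Principal`, `Evidence`, `Promotion` and `Authorize` are assumed names.

```go
package main

import (
	"errors"
	"fmt"
)

// Stage is a deployment environment, listed in promotion order.
type Stage int

const (
	Dev Stage = iota
	PreProd
	Prod
)

func (s Stage) String() string { return [...]string{"dev", "pre-prod", "prod"}[s] }

// Principal is the identity behind the key making the push. Only the
// build/deploy system carries IsDeployer; every other key is a developer key.
type Principal struct {
	Name       string
	IsDeployer bool
}

// Evidence is what the pipeline records after acting on an artifact in a
// stage: which digest, where, and which checks passed there.
type Evidence struct {
	Digest            string
	Stage             Stage
	IntegrationPassed bool
	SecurityValidated bool
}

// Promotion is a request to push the artifact with Digest into Target,
// carrying the evidence the pipeline has collected so far.
type Promotion struct {
	Actor    Principal
	Digest   string
	Target   Stage
	Evidence []Evidence
}

var (
	ErrDeployerOnly      = errors.New("only the build/deploy system may push here")
	ErrNoPreProdEvidence = errors.New("artifact was never deployed to pre-prod")
	ErrIntegration       = errors.New("integration tests did not pass in pre-prod")
	ErrSecurity          = errors.New("security validation did not pass in pre-prod")
)

// Authorize applies the slide's rules: anyone may push to dev, only the
// deployer may push to pre-prod, and a push to prod needs the deployer plus
// passing integration tests and security validation for this exact digest.
func Authorize(p Promotion) error {
	switch p.Target {
	case Dev:
		return nil
	case PreProd:
		if !p.Actor.IsDeployer {
			return ErrDeployerOnly
		}
		return nil
	case Prod:
		if !p.Actor.IsDeployer {
			return ErrDeployerOnly
		}
		var found *Evidence
		for i := range p.Evidence {
			ev := &p.Evidence[i]
			if ev.Stage == PreProd && ev.Digest == p.Digest {
				found = ev // keep the most recent matching record
			}
		}
		if found == nil {
			return ErrNoPreProdEvidence
		}
		if !found.IntegrationPassed {
			return ErrIntegration
		}
		if !found.SecurityValidated {
			return ErrSecurity
		}
		return nil
	default:
		return fmt.Errorf("unknown stage %d", int(p.Target))
	}
}

func main() {
	// Constructed sample: one tested artifact, one developer key, one deployer.
	ci := Principal{Name: "ci-deployer", IsDeployer: true}
	ev := []Evidence{{Digest: "sha256:abc", Stage: PreProd, IntegrationPassed: true, SecurityValidated: true}}
	for _, p := range []Promotion{
		{Actor: Principal{Name: "alice"}, Digest: "sha256:abc", Target: Prod, Evidence: ev},
		{Actor: ci, Digest: "sha256:abc", Target: Prod, Evidence: ev},
	} {
		fmt.Printf("%s -> %s: %v\n", p.Actor.Name, p.Target, Authorize(p))
	}
}
```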
SECURITY INTEGRATION TESTING
๏ BDD-Security - github.com/continuumsecurity/bdd-security
๏ Gauntlt - gauntlt.org
http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
DATA FLOW SECURITY
๏ Development
๏ Data Flow Diagrams
๏ Threat modeling
๏ Runtime
Application layer DoS

TIMEOUTS AND EXECUTION RESTRICTIONS
HTTP / HTTPS
ATTACK DETECTION
DEVELOPMENT
๏ Normal OWASP tooling
๏ Language filtering and more
APPSEC PROBLEMS
DEFENSE
๏ Logging, emitting events
๏ Vandium (SQLi) wrapper
๏ Content Security Policy (CSP)
๏ More work needs to be done here…
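The deck lists logging, emitting events and CSP as defenses but shows no code, so here is an added Go example (not from the talk or from Vandium) of a wrapper that gives a function both: one structured security event per invocation, with a panic turned into a plain 500 rather than a leaked error, and a Content-Security-Policy header on every response. `Request`, `Response`, `Wrap`, `SecurityEvent` and `DefaultCSP` are assumed names; the event shape is a minimal stand-in for what an API Gateway proxy integration hands the function.

```go
package main

import (
	"encoding/json"
	"io"
	"os"
	"time"
)

// Request is a minimal stand-in for the event the function receives.
type Request struct {
	RequestID string
	Method    string
	Path      string
	SourceIP  string
	Body      string
}

// Response is what the function hands back to the gateway.
type Response struct {
	Status  int
	Headers map[string]string
	Body    string
}

// Handler is the function body being instrumented.
type Handler func(Request) Response

// SecurityEvent is emitted once per invocation as one JSON line, so an
// external log pipeline can watch request volume, error rates and panics.
type SecurityEvent struct {
	Time       string `json:"time"`
	RequestID  string `json:"request_id"`
	Method     string `json:"method"`
	Path       string `json:"path"`
	SourceIP   string `json:"source_ip"`
	BodyBytes  int    `json:"body_bytes"`
	Status     int    `json:"status"`
	DurationMS int64  `json:"duration_ms"`
	Panicked   bool   `json:"panicked"`
}

// DefaultCSP is a restrictive baseline policy (assumed for this example).
const DefaultCSP = "default-src 'self'; frame-ancestors 'none'"

// Wrap instruments h: every invocation emits a SecurityEvent to out, a panic
// becomes a 500 without echoing the panic value to the caller, and the CSP
// header is stamped on every response. Invocations are sequential per
// container, so the shared encoder needs no locking.
func Wrap(h Handler, out io.Writer, csp string) Handler {
	enc := json.NewEncoder(out)
	return func(r Request) (resp Response) {
		start := time.Now()
		ev := SecurityEvent{
			Time: start.UTC().Format(time.RFC3339Nano), RequestID: r.RequestID,
			Method: r.Method, Path: r.Path, SourceIP: r.SourceIP, BodyBytes: len(r.Body),
		}
		defer func() {
			if rec := recover(); rec != nil {
				ev.Panicked = true
				resp = Response{Status: 500, Body: "internal error"}
			}
			if resp.Headers == nil {
				resp.Headers = make(map[string]string)
			}
			resp.Headers["Content-Security-Policy"] = csp
			ev.Status = resp.Status
			ev.DurationMS = time.Since(start).Milliseconds()
			_ = enc.Encode(ev) // Encode appends the newline that makes this one log line
		}()
		return h(r)
	}
}

func main() {
	hello := func(r Request) Response { return Response{Status: 200, Body: `{"ok":true}`} }
	h := Wrap(hello, os.Stdout, DefaultCSP)
	// Constructed sample request; the event lands on stdout as JSON.
	h(Request{RequestID: "req-1", Method: "GET", Path: "/wordy", SourceIP: "203.0.113.5"})
}
```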
CONCLUSION
๏ Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
๏ New serverless patterns are just emerging
๏ Security with serverless is easier
๏ Security with serverless is harder
CONCLUSION (2)
๏ Four key areas apply to serverless security
๏ Software Supply Chain Security
๏ Delivery Pipeline Security
๏ Data Flow Security
๏ Attack Detection
LET’S TALK!
๏ @wickett
๏ http://info.signalsciences.com/book