Successfully reported this slideshow.
Your SlideShare is downloading. ×

Serverless security - how to protect what you don't see?

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad

Check these out next

1 of 22 Ad

Serverless security - how to protect what you don't see?

Download to read offline

Protecting serverless is a new topic. This presentation aims at showing what new security challenges it brings, and how CISO and security teams should approach it.
The serverless space evolves fast and there is no convergence on best practices yet. The switch to a serverless architecture involves several changes, for instance developers doing much more ops with serverless, deploying 20 times more services than previously...

Protecting serverless is a new topic. This presentation aims at showing what new security challenges it brings, and how CISO and security teams should approach it.
The serverless space evolves fast and there is no convergence on best practices yet. The switch to a serverless architecture involves several changes, for instance developers doing much more ops with serverless, deploying 20 times more services than previously...

Advertisement
Advertisement

More Related Content

Slideshows for you (20)

Similar to Serverless security - how to protect what you don't see? (20)

Advertisement

Recently uploaded (20)

Advertisement

Serverless security - how to protect what you don't see?

  1. 1. Jean-Baptiste Aviat CTO & Co-founder Former (Red Team) Email: jb@sqreen.io Twitter: @jbaviat Podcast:
  2. 2. What is Serverless? And why is it different?
  3. 3. Business logic 100% written by developersDev Ops Code ⭐⭐⭐⭐⭐ Ops ⭐
  4. 4. Auth File upload Business service #1 Business service #2 Push service Async workers Dev Ops Code ⭐⭐⭐ Ops ⭐⭐⭐
  5. 5. Dev Ops Code ⭐ Ops ⭐⭐⭐
  6. 6. Dev Ops Dev Dev Ops Micro services Monolithic applications Serverless More code Less code Dev and ops distance Ops
  7. 7. Ad-hoc usage: easier to deploy Dynamically configure cloud elements, transform data on the go, comply to cloud vendors requirements. Teams use it to circumvent processes / CI / deploy. Native serverless applications Build applications designed for serverless infrastructures.
  8. 8. How does serverless impacts security?
  9. 9. Dev Sec Ops Dev Sec Ops Dev Sec Ops Serverless forces bridging dev, sec & ops Monolithic app Microservices Serverless
  10. 10. What “serverless” means is moving too fast Edge serverless, ad-hoc, infra Scale is different (1 monolithic app → 5 micro services → 100 serverless functions) No tool allows to visualize all of your lambas at once (and the spreadsheet doesn’t work for this scale and pace!) The space didn’t reach maturity yet: ● No commonly accepted best practices, but a broad variety of best practices ● Evolving fast
  11. 11. Monitoring Protection ❌ ❌
  12. 12. Scaling challenges 🤯: ● Developers do 20 ⨉ more ops ● 1 microservice = 20 ⨉ functions ● 20 ⨉ vulnerable dependencies? ● 20 ⨉ ownership tracking? ● 20 ⨉ threat modeling? ● 20 ⨉ faster new function appearance? New challenges 🚨: ● No way to visualize deployments ● Best practices still change rapidly ● Entrypoints vary widely (HTTP? Queue? Stream? Database?) ● Higher coupling to the cloud provider requires high cloud security Solved challenges ✅: ● System updates (unless Docker based!) ● Network level security (mTLS, …) ⨉
  13. 13. Serverless security: what can we do?
  14. 14. Use infrastructure as code (Terraform, Cloud Formation, …) Shift your infrastructure left ● With serverless, a part of the business logic is handled by the infrastructure ● Serverless app developers own both the code and a part of the infrastructure Use principle of least privilege for your lambdas (but with reasonable granularity!) Monitor your costs (and be ready to block abuses) * Network, encryption, mutual authentication is mostly ensured by proper cloud services usage. But is much simpler than for microservices*
  15. 15. Keep best practices Injections Vulnerable dependencies Lack of monitoring AuthN / AuthZ issues OWASP top 10 Scalability & coherency Design strong functions frameworks (CI, deployment, logging frameworks, …) NEW
  16. 16. New functions appear and disappear at a highest rate than ever Leverage developer’s tools as much as possible to: ● Monitor security controls are applied ● Monitor the permissions used ● Ensure production doesn’t drift vs IaC IaC / Terraform make it easy to inspect IaC / Terraform allows to apply static control (and break CI if needed) Cloud APIs allow to dynamically list and inspect running containers
  17. 17. ● Maintain the OWASP top 10 ● Adopt a strong cloud security posture ● Generalize principle of least privilege ● Generalize IaC (Terraform, ...) ● Leverage cloud APIs to automate controls and monitoring ● Monitor serverless cost ● Ensure coherency amongst functions deployments OWASP top 10 Cloud security posture Serverless cost monitoring Unified deployments
  18. 18. Use Serverless framework or Terraform ● With safe, relevant examples ● Coupled with CI Provide relevant & safe code examples ● Using ORM / validation / log / … ● Coupled with CI Prepare provisioning for: ● A working deployment ● CI job to deploy & run linting / static analysers Document how to deploy secrets Git repositories best practices: ● Mandatory pull requests ● Require a CODEOWNERS file ● Lock master
  19. 19. Complexity shifts to the infrastructure Serverless = different kind of ops - not no ops! Some risks occur 20 times more ● Serverless shifts complexity from application code to the infrastructure. ● Serverless doesn’t mean no ops but: ● Different kind of ops are done by different personas ● Ops are much simpler compared to microservices (mTLS, peer to peer, etc.) ● Some security risks occur more (20 times more!), some new ones appear, and a few ones disappear. ● Cloud security takes a much more important stance. ● Scaling development practices (CI, CD, frameworks, BoM) becomes a requirement Cloud security is more important than ever Scaling best practices becomes a necessity
  20. 20. CSA - The 12 Most Critical Risks for Serverless Applications OWASP top 10 OWASP serverless top 10 Serverless framework Terraform, CloudFormation CODEOWNERS (Github, Gitlab) AppSec Builders podcast Or get in touch / ask me directly: Email: jb@sqreen.io Twitter: @jbaviat Podcast:

×