© 2019 Denim Group – All Rights Reserved
Building a world where technology is trusted.
An OWASP SAMM Perspective
on Serverless Computing
February 20, 2019
Ory Segal | CTO PureSec
Dan Cornell | CTO Denim Group
Agenda
• Introduction
• Overview of Serverless Computing Security
• Attack surfaces
• Top risks
• Limitations of traditional solutions
• OWASP SAMM and Serverless
• OWASP SAMM 1.5 overview
• Integrating serverless security into OWASP SAMM
• Questions
Overview of Serverless Computing Security
Compute as Utility
Serverless Benefits
• No servers to manage
• Continuous scaling
• Sub-second metering
• Fewer security responsibilities
Shared Model Of Responsibility
• Cloud provider: responsible for security “of” the cloud
  • Regions, availability zones, edge locations
  • Compute, storage, database, network
  • Operating system + virtual machines + containers
• Application owner: responsible for security “in” the cloud
  • Applications (functions)
  • Identity & access management
  • Cloud services configuration
  • Client-side data, data in cloud, data in transit
Security Responsibilities: IaaS vs. FaaS
Serverless Basics
• Code is deployed from a code repository as a function
• Event sources (for example a REST API) trigger the function
• The function interacts with cloud resources and produces output
Serverless Attack Surfaces
• Event sources: event-data injection
• Code repository: unauthorized deployment, dependency poisoning
• Cloud resources: tamper with data
• Resulting impact on the function: compromise data, business logic abuse, bypass authentication, leak secrets, denial of service, code execution, ...
The Need For Serverless-Native Protection
• Traditional security: protects applications by being deployed on networks and servers
• Serverless: the application owner doesn't have any control over the infrastructure
• Traditional security solutions have become unsuitable
Traditional Protections Cannot Be Deployed On Serverless
• Infrastructure-layer controls such as a WAF (layer 7), NG-FW (inbound), WSG (outbound), IPS (network) and EPP (behavioral) need infrastructure to sit on; serverless functions give you none
• With no infrastructure-based protections, your app security is reduced to good coding and strict configuration
• Caveat: a provider-managed WAF can still be attached to an HTTP event source such as an API gateway, but functions triggered by other event sources (storage, queues, streams) never pass through it
Top 12 Most Critical Risks for Serverless Applications 2019
• A collaborative effort between PureSec and the CSA
• The most extensive work done on mapping the risks and
mitigations for serverless applications
• SAS-1: Function Event Data Injection
• SAS-2: Broken Authentication
• SAS-3: Insecure Serverless Deployment Configuration
• SAS-4: Over-Privileged Function Permissions & Roles
• SAS-5: Inadequate Function Monitoring and Logging
• SAS-6: Insecure Third-Party Dependencies
• SAS-7: Insecure Application Secrets Storage
• SAS-8: Denial of Service & Financial Resource Exhaustion
• SAS-9: Serverless Business Logic Manipulation
• SAS-10: Improper Exception Handling and Verbose Error Messages
• SAS-11: Obsolete Functions, Cloud Resources and Event Triggers
• SAS-12: Cross-Execution Data Persistency
http://bit.ly/csa-top-12
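The first risk on the list, SAS-1 Function Event Data Injection, in working code. This is an added example, not code from the slides or from PureSec or Denim Group. It assumes a POSIX host with `echo` on the PATH, a constructed S3-style event whose object key was chosen by whoever uploaded the object, and a hypothetical allowlist regex (`SAFE_KEY`) standing in for whatever naming rule the real application enforces. The vulnerable handler splices the key into a shell string; the middle variant drops the shell but still trusts the key; the hardened one validates and passes it as a discrete argument.

```python
"""SAS-1 Function Event Data Injection: vulnerable, partially fixed, hardened.

Event data is attacker-controlled whenever the event source is. An S3 object
key is chosen by the uploader, so a key such as "a.png; echo INJECTED" is
perfectly legal input to the function.
"""
import re
import subprocess

# Constructed sample event, shaped like one S3 PutObject notification record.
SAMPLE_EVENT = {
    "Records": [
        {"s3": {"bucket": {"name": "uploads"},
                "object": {"key": "a.png; echo INJECTED"}}}
    ]
}

# Assumption for the example: object keys must be simple filenames.
SAFE_KEY = re.compile(r"^[A-Za-z0-9_.-]{1,255}$")


def _key_from(event):
    return event["Records"][0]["s3"]["object"]["key"]


def vulnerable_handler(event, context=None):
    """Builds a shell command string from the key: the injection point."""
    key = _key_from(event)
    # "echo processing" stands in for a real tool such as an image converter.
    cmd = f"echo processing {key}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def argv_only_handler(event, context=None):
    """No shell, so metacharacters are inert, but the key is still unvalidated.

    The tool itself may still interpret the argument (an option-looking value
    such as "-n", or a path that traverses outside the expected directory).
    """
    key = _key_from(event)
    out = subprocess.run(["echo", "processing", key],
                         capture_output=True, text=True)
    return out.stdout


def hardened_handler(event, context=None):
    """Allowlist-validates the key and invokes the tool without a shell."""
    key = _key_from(event)
    if not SAFE_KEY.fullmatch(key):
        raise ValueError(f"rejected object key: {key!r}")
    out = subprocess.run(["echo", "processing", key],
                         capture_output=True, text=True, check=True)
    return out.stdout


def injection_succeeded(output):
    """True when the injected second command actually ran (its marker is a line of its own)."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_handler(SAMPLE_EVENT)))
    print("argv only :", repr(argv_only_handler(SAMPLE_EVENT)))
    try:
        hardened_handler(SAMPLE_EVENT)
    except ValueError as exc:
        print("hardened  :", exc)
```

The same pattern applies to every event source on the diagram, not just HTTP: queue messages, stream records, database change events and object names all arrive through the event parameter and deserve the same validation as a request body.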
PureSec Serverless Security Platform: End-to-End Protection for Serverless
• During CI/CD: static analysis algorithms analyze each function to discover known vulnerabilities and misconfigurations
• When being invoked: a Serverless Application Firewall controls the perimeter of each function in order to prevent malicious input from entering
• During execution: adaptive behavioral protection, using machine learning, controls the function behavior in order to ensure the function behaves as intended
• Deep unparalleled visibility
OWASP SAMM and Serverless
OWASP SAMM 1.5 Overview
• OWASP Flagship Project
• “Open framework to help organizations
formulate and implement a strategy for
software security that is tailored to the
specific risks facing the organization”
https://www.owasp.org/index.php/OWASP_SAMM_Project
OWASP SAMM Structure
Ranking Maturity
Serverless and OWASP SAMM
• Governance
• Construction
• Verification
• Operations
Serverless and Governance
• Strategy & Metrics
• Policy & Compliance
• Education & Guidance
Serverless: Strategy & Metrics
• Understand that Serverless moves even more agency away from network/ops staff to developers
• How do your current data classification and application risk-ranking methodologies translate to Serverless?
• How do your established security metrics translate to a Serverless environment?
Serverless: Policy & Compliance
• Characterize which workloads and data are acceptable to be pushed to Serverless environments
• Plan to characterize use of Serverless to auditors
• Leverage platform tools to characterize compliance-critical concerns like IAM configurations
Serverless: Education & Guidance
• Provide reference architecture, with security controls, to teams adopting serverless
• Environment- and language-specific secure coding guidelines for Serverless
• Current training comes in the form of conference talks and blogs: less mature vs. other areas
Serverless and Construction
• Threat Assessment
• Security Requirements
• Secure Architecture
Serverless: Threat Assessment
• Enumerate likely attacks against Serverless portions of systems
• Establish a threat model template for Serverless system components
• Consider how the challenges facing naive/unsophisticated attackers differ from those of conventional web applications
• Large VPCs: greater concerns about insider threats
Serverless: Security Requirements
• How does your current security requirements process translate to Serverless environments?
• Build explicit access control matrices for Serverless components of systems
Serverless: Secure Architecture
• Leverage a cloud reference architecture for Serverless components, with explicit security guidance
• You have the ability to provide very fine-grained architectural security controls
  • Accounts, VPCs, private networks
• You can also really mess things up
Serverless and Verification
• Design Review
• Implementation Review
• Security Testing
Serverless: Design Review
• The person leading this needs to be “smart” about a number of topics
• Ensure that Serverless components are included in application attack surface reviews
• Platform administration tools can help with this attack surface enumeration
• Incorporate use of platform-specific security controls into review of Serverless components
Serverless: Implementation Review
• Adapt code review practices to work for Serverless components
  • Environment-specific
  • Language-specific
• Adopt code review tools that are effective in Serverless environments
Serverless: Security Testing
• Adapt application testing practices to work for Serverless components
  • Environment-specific concerns
• Adopt application testing tools that are effective in Serverless environments
  • Not a lot of great fuzzers at this point
  • There are decent configuration testing tools out there
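One environment-specific concern that ordinary web-application tests never exercise is SAS-12 Cross-Execution Data Persistency from the Top 12 list above: a FaaS platform reuses a warm execution environment for the next invocation, so module-level variables and files under /tmp survive from one request into the next, which may belong to a different user. The harness below is an added example written for this page, not tooling from the slides, PureSec or Denim Group. The handlers, the events and the cache names are constructed for the example; the harness simply calls a handler repeatedly in one process, which is exactly what a warm container does, and reports any response that carries another caller's data.

```python
"""SAS-12 Cross-Execution Data Persistency: a warm-container leak test.

Anything initialised at module scope is created once per execution
environment and then shared by every invocation that environment serves.
"""

# Module scope: lives as long as the warm container, across callers.
_LEAKY_CACHE = {}     # keyed by route only
_SCOPED_CACHE = {}    # keyed by (principal, route)


def _load_account_summary(user):
    """Stand-in for an expensive backend lookup of the caller's own data."""
    return f"account summary for {user}"


def leaky_handler(event, context=None):
    """Caches per route, so the first caller's data is served to everyone after."""
    route = event["path"]
    if route not in _LEAKY_CACHE:
        _LEAKY_CACHE[route] = _load_account_summary(event["user"])
    return _LEAKY_CACHE[route]


def fixed_handler(event, context=None):
    """Any state that outlives an invocation is keyed by the principal it belongs to."""
    key = (event["user"], event["path"])
    if key not in _SCOPED_CACHE:
        _SCOPED_CACHE[key] = _load_account_summary(event["user"])
    return _SCOPED_CACHE[key]


def reset_warm_state():
    """Equivalent of a cold start: discard everything that lived at module scope."""
    _LEAKY_CACHE.clear()
    _SCOPED_CACHE.clear()


def warm_container_leak_test(handler, events):
    """Invoke `handler` for each event in turn with no cold start in between.

    Returns (caller, response) pairs where the response is not the caller's
    own data, i.e. state persisted from an earlier invocation leaked across users.
    """
    leaks = []
    for event in events:
        response = handler(event)
        if response != _load_account_summary(event["user"]):
            leaks.append((event["user"], response))
    return leaks


# Constructed events: two different principals hitting the same route back to back.
EVENTS = [
    {"path": "/account", "user": "alice"},
    {"path": "/account", "user": "bob"},
]

if __name__ == "__main__":
    reset_warm_state()
    print("leaky:", warm_container_leak_test(leaky_handler, EVENTS))
    reset_warm_state()
    print("fixed:", warm_container_leak_test(fixed_handler, EVENTS))
```

Running the second invocation in a fresh process would hide the defect, which is why a test of this kind has to drive several invocations through one loaded handler module; the same harness catches leaks through files written to /tmp if the handler stores data there instead of in a dictionary.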
Serverless and Operations
• Issue Management
• Environment Hardening
• Operational Enablement
Serverless: Issue Management
• Make sure issue and incident response plans include required access to Serverless components
• Track metrics for Serverless involvement in incidents and compromise
Serverless: Environment Hardening
• Be happy that you no longer have to patch servers! You still own the function's runtime version and its third-party dependencies (SAS-6 and SAS-11 above), so keep those current
• Provide platform-specific guidance to teams for hardening Serverless components
• Automate hardening and verification into deployment and update process for Serverless environments
• Leverage API gateways for rate-limiting and other controls
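One piece of verification worth automating into the deployment process above, which also serves the IAM-configuration concern under Policy & Compliance and SAS-4 (Over-Privileged Function Permissions & Roles) from the Top 12: a pre-deployment check over the function's execution-role policy. This is an added example, not tooling from the slides, PureSec or Denim Group. The two policy documents are constructed samples in the AWS IAM JSON policy format, and the rule set (wildcard actions, wildcard resources, escalation-prone actions on every resource, plus a small assumed list of actions that cannot be resource-scoped) is a starting point the example assumes, not a published standard.

```python
"""SAS-4 Over-Privileged Function Permissions: gate a role policy in the pipeline."""
import json

# Constructed sample: the kind of policy a team writes to "make it work".
OVERPRIVILEGED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:*"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}
""")

# Constructed sample: the same function scoped to what it actually touches.
LEAST_PRIVILEGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::uploads/*"},
    {"Effect": "Allow", "Action": "dynamodb:GetItem",
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
    {"Effect": "Allow", "Action": "xray:PutTraceSegments", "Resource": "*"}
  ]
}
""")

# Actions that let a function acquire a broader identity or rewrite other
# functions; granted on Resource "*" they turn one compromised function into many.
ESCALATION_ACTIONS = {
    "iam:passrole", "sts:assumerole",
    "lambda:updatefunctioncode", "lambda:updatefunctionconfiguration",
}

# Assumption for the example: actions without resource-level permissions,
# for which Resource "*" is the only legal choice and should not be flagged.
RESOURCELESS_ACTIONS = {"xray:puttracesegments", "xray:puttelemetryrecords"}


def _as_list(value):
    """IAM accepts a string or a list in Action / Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overprivileged(policy):
    """Return (statement_index, finding) pairs for risky Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        wildcard_resource = "*" in resources
        for action in actions:
            if action == "*":
                findings.append((idx, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((idx, f"Action '{action}' grants an entire service"))
            elif action in ESCALATION_ACTIONS and wildcard_resource:
                findings.append((idx, f"'{action}' on Resource '*' enables privilege escalation"))
        needs_scope = [a for a in actions if a not in RESOURCELESS_ACTIONS]
        if wildcard_resource and needs_scope:
            findings.append((idx, "Resource '*' is not scoped to the function's own resources"))
    return findings


def is_deployable(policy):
    """Pipeline gate: True only when no finding remains."""
    return not find_overprivileged(policy)


if __name__ == "__main__":
    for name, policy in (("over-privileged", OVERPRIVILEGED_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, "->", "deployable" if is_deployable(policy) else "blocked")
        for idx, finding in find_overprivileged(policy):
            print(f"  statement[{idx}]: {finding}")
```

Run it against the policy document in the deployment template before the role is created; a blocked result is a review item, not a reason to add an exception list. Partial wildcards such as `s3:Get*` and `NotAction` statements are outside this minimal rule set and would need rules of their own.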
Serverless: Operational Enablement
• Likely a new set of people who need to be involved: more developers/DevOps
• Incorporate Serverless logging into overall security monitoring practice
• Integrate Serverless change management into overall application change management processes
Questions
@denimgroup
www.denimgroup.com
ory@puresec.io
dan@denimgroup.com

AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset  Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
 
Securing Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsSecuring Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term Elections
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT Systems
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
 

Recently uploaded

Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 

Recently uploaded (20)

Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 

An OWASP SAMM Perspective on Serverless Computing

10. The Need For Serverless-Native Protection
• Traditional security: protects applications by being deployed on networks and servers
• Serverless: the application owner doesn't have any control over the infrastructure
• Traditional security solutions have become unsuitable
11. Traditional Protections Cannot Be Deployed On Serverless
[Diagram: infrastructure-layer protections (WAF at layer 7, NG-FW inbound, WSG outbound, IPS on the network, EPP behavioral, application) sit on infrastructure the serverless functions do not expose]
• With no infrastructure-based protections, your app security is reduced to good coding and strict configuration (an API gateway can still front HTTP-triggered functions, but events arriving from storage, queues or streams never pass through it)
12. Top 12 Most Critical Risks for Serverless Applications 2019
• A collaborative effort between PureSec and the CSA
• The most extensive work done on mapping the risks and mitigations for serverless applications
• SAS-1: Function Event Data Injection
• SAS-2: Broken Authentication
• SAS-3: Insecure Serverless Deployment Configuration
• SAS-4: Over-Privileged Function Permissions & Roles
• SAS-5: Inadequate Function Monitoring and Logging
• SAS-6: Insecure Third-Party Dependencies
• SAS-7: Insecure Application Secrets Storage
• SAS-8: Denial of Service & Financial Resource Exhaustion
• SAS-9: Serverless Business Logic Manipulation
• SAS-10: Improper Exception Handling and Verbose Error Messages
• SAS-11: Obsolete Functions, Cloud Resources and Event Triggers
• SAS-12: Cross-Execution Data Persistency
• http://bit.ly/csa-top-12
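SAS-1 in practice, as an added example that is not part of the deck: a Python function handler that builds a query from an API Gateway event field, beside a hardened version that validates the field and binds it as a query parameter. The event shape, the in-memory SQLite table and the names (`vulnerable_handler`, `hardened_handler`, `api_gateway_event`) are constructed for this illustration. The same event-data path exists for every trigger type (a storage object key, a queue message, a stream record), which is why the network-layer WAF on the previous slides never sees the payload.

```python
"""Added example: SQL injection through Lambda event data (SAS-1).

Constructed, self-contained demonstration; not code from the slides.
The event mimics an API Gateway proxy event; the database is an
in-memory SQLite table populated inline.
"""
import re
import sqlite3

# Constructed sample data standing in for a backing store.
ORDERS = [
    (1, "alice", "pending"),
    (2, "bob", "shipped"),
    (3, "carol", "cancelled"),
]


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, owner TEXT, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return conn


def vulnerable_handler(event, context=None):
    """Builds the query by string concatenation from untrusted event data."""
    owner = event["pathParameters"]["owner"]
    conn = _fresh_db()
    rows = conn.execute(
        "SELECT id, owner, status FROM orders WHERE owner = '" + owner + "'"
    ).fetchall()
    conn.close()
    return {"statusCode": 200, "body": rows}


# Allow-list for the field: lowercase identifier, at most 32 characters.
OWNER_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def hardened_handler(event, context=None):
    """Validates the event field, then binds it as a query parameter."""
    owner = (event.get("pathParameters") or {}).get("owner", "")
    if not OWNER_RE.fullmatch(owner):
        return {"statusCode": 400, "body": []}
    conn = _fresh_db()
    rows = conn.execute(
        "SELECT id, owner, status FROM orders WHERE owner = ?", (owner,)
    ).fetchall()
    conn.close()
    return {"statusCode": 200, "body": rows}


def api_gateway_event(owner):
    """Constructed event in the shape API Gateway proxy integration delivers."""
    return {"httpMethod": "GET", "pathParameters": {"owner": owner}}


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print(vulnerable_handler(api_gateway_event(payload))["body"])  # every row
    print(hardened_handler(api_gateway_event(payload)))            # 400
    print(hardened_handler(api_gateway_event("bob"))["body"])      # bob only
```

The hardened handler does two independent things: the allow-list rejects the payload before any query runs, and parameter binding would keep the query safe even if the allow-list were loosened later. Both belong in the function, because there is no middlebox between the event source and the code to put them in.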
13. PureSec Serverless Security Platform: End-to-End Protection for Serverless
• Static analysis (during CI/CD): analyzes each function to discover known vulnerabilities and misconfigurations
• Serverless Application Firewall (when being invoked): controls the perimeter of each function in order to prevent malicious input from entering
• Behavioral protection (during execution): controls the function behavior in order to ensure the function behaves as intended; adaptive, uses machine learning
• Deep unparalleled visibility
14. OWASP SAMM and Serverless
15. OWASP SAMM 1.5 Overview
• OWASP Flagship Project
• "Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization"
• https://www.owasp.org/index.php/OWASP_SAMM_Project
16. OWASP SAMM Structure
17. Ranking Maturity
18. Serverless and OWASP SAMM
• Governance
• Construction
• Verification
• Operations
19. Serverless and Governance
• Strategy & Metrics
• Policy & Compliance
• Education & Guidance
20. Serverless: Strategy & Metrics
• Understand that Serverless moves even more agency away from network/ops staff to developers
• How do your current data classification and application risk-ranking methodologies translate to Serverless?
• How do your established security metrics translate to a Serverless environment?
21. Serverless: Policy & Compliance
• Characterize which workloads and data are acceptable to be pushed to Serverless environments
• Plan to characterize use of Serverless to auditors
• Leverage platform tools to characterize compliance-critical concerns like IAM configurations
22. Serverless: Education & Guidance
• Provide reference architecture – with security controls – to teams adopting serverless
• Environment- and language-specific secure coding guidelines for Serverless
• Current training comes in the form of conference talks and blogs – less mature vs. other areas
23. Serverless and Construction
• Threat Assessment
• Security Requirements
• Secure Architecture
24. Serverless: Threat Assessment
• Enumerate likely attacks against Serverless portions of systems
• Establish a threat model template for Serverless system components
• Challenges for naive/unsophisticated attackers vs. web applications
• Large VPCs – greater concerns about insider threats
25. Serverless: Security Requirements
• How does your current security requirements process translate to Serverless environments?
• Build explicit access control matrices for Serverless components of systems
26. Serverless: Secure Architecture
• Leverage a cloud reference architecture for Serverless components – with explicit security guidance
• You have the ability to provide very fine-grained architectural security controls
  • Accounts, VPCs, private networks
• You can also really mess things up
27. Serverless and Verification
• Design Review
• Implementation Review
• Security Testing
28. Serverless: Design Review
• Person leading this needs to be "smart" about a number of topics
• Ensure that Serverless components are included in application attack surface reviews
• Platform administration tools can help with this attack surface enumeration
• Incorporate use of platform-specific security controls into review of Serverless components
29. Serverless: Implementation Review
• Adapt code review practices to work for Serverless components
  • Environment-specific
  • Language-specific
• Adopt code review tools that are effective in Serverless environments
30. Serverless: Security Testing
• Adapt application testing practices to work for Serverless components
  • Environment-specific concerns
• Adopt application testing tools that are effective in Serverless environments
  • Not a lot of great fuzzers at this point
  • There are decent configuration testing tools out there
31. Serverless and Operations
• Issue Management
• Environment Hardening
• Operational Enablement
32. Serverless: Issue Management
• Make sure issue and incident response plans include required access to Serverless components
• Track metrics for Serverless involvement in incidents and compromise
33. Serverless: Environment Hardening
• Be happy that you no longer have to patch servers!
  • The dependencies packaged with each function are still yours to patch (see SAS-6)
• Provide platform-specific guidance to teams for hardening Serverless components
• Automate hardening and verification into deployment and update process for Serverless environments
• Leverage API gateways for rate-limiting and other controls
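SAS-4 and the "automate hardening and verification into deployment" point above, as an added example that is not from the deck or from any vendor tool: a pipeline gate that reads a function execution-role policy document and fails the deployment on wildcard grants or privilege-escalation-capable actions. `check_policy`, `gate`, the `HIGH_RISK_ACTIONS` list and both sample policies are constructed assumptions; a production check would also have to handle Condition elements, managed-policy attachments and resource policies, which this skips.

```python
"""Added example: pipeline check for over-privileged function roles (SAS-4).

Constructed, self-contained; not code from the slides or from any vendor.
It inspects an IAM policy document of the kind attached to a function's
execution role and reports findings that a deployment gate can fail on.
"""

# Actions that grant more than a function itself needs and are commonly
# abused once a function is compromised. Assumption: a starting point,
# not a complete catalogue.
HIGH_RISK_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy",
    "lambda:UpdateFunctionCode", "lambda:CreateFunction",
    "sts:AssumeRole",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Return a list of (severity, statement_index, message) findings."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(("high", i, "NotAction/NotResource grants everything not listed"))
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for a in actions:
            if a == "*":
                findings.append(("high", i, "Action '*' grants every API call"))
            elif a.endswith(":*"):
                findings.append(("medium", i, f"service-wide wildcard {a}"))
            elif a in HIGH_RISK_ACTIONS:
                findings.append(("high", i, f"privilege-escalation-capable action {a}"))
        # Resource '*' is tolerated only for the log-writing actions every
        # function needs; anything else must name its resources.
        if "*" in resources and not all(a.startswith("logs:") for a in actions):
            findings.append(("medium", i, "Resource '*' for non-logging actions"))
    return findings


def gate(policy, fail_on=("high",)):
    """Deployment gate: True when the policy may be deployed."""
    return not any(sev in fail_on for sev, _, _ in check_policy(policy))


# Constructed policies: a typical over-privileged one and a scoped one.
OVERPRIVILEGED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "iam:PassRole"],
         "Resource": "*"},
    ],
}

SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-uploads/*"},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("overprivileged", OVERPRIVILEGED), ("scoped", SCOPED)):
        print(name, "deployable:", gate(pol))
        for sev, idx, msg in check_policy(pol):
            print(f"  [{sev}] statement {idx}: {msg}")
```

Run it as a step after the deployment framework renders the role (most frameworks can emit the policy document before applying it) and block the update when `gate` returns False; the "medium" findings are worth reporting even when they do not block, because a function with `s3:*` on `*` is exactly what turns an injection (SAS-1) into an account-wide data exposure.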
34. Serverless: Operational Enablement
• Likely a new set of people who need to be involved – more developers/DevOps
• Incorporate Serverless logging into overall security monitoring practice
• Integrate Serverless change management into overall application change management processes
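The "incorporate Serverless logging into overall security monitoring" point, together with SAS-5 and SAS-8 from the Top 12, as an added example that is not from the deck: a detector over the REPORT line AWS Lambda writes at the end of every invocation, flagging invocations that approach the configured timeout or the memory ceiling and per-minute invocation bursts of the kind that precede denial of service or financial resource exhaustion. The sample log lines, the leading timestamp and function-name prefix (assumed to be added by whatever ships the log group to the SIEM), the `TIMEOUT_MS` table and the thresholds are constructed.

```python
"""Added example: feeding function execution logs into security monitoring
(SAS-5 monitoring/logging, SAS-8 denial of service / resource exhaustion).

Constructed, self-contained; not code from the slides. The REPORT fields
are the ones AWS Lambda emits per invocation; the timestamp and function
name in front of them are assumed to be added by the log shipper.
"""
import re
from collections import Counter

REPORT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fn>\S+) REPORT RequestId: (?P<rid>\S+)\s+"
    r"Duration: (?P<dur>[\d.]+) ms\s+Billed Duration: (?P<billed>\d+) ms\s+"
    r"Memory Size: (?P<mem>\d+) MB\s+Max Memory Used: (?P<used>\d+) MB"
)

# Constructed per-function timeout (ms), as the deployment tooling knows it.
TIMEOUT_MS = {"orders-api": 3000, "thumbnailer": 10000}


def parse_report(line):
    """Parse one REPORT line into a dict, or None for any other line."""
    m = REPORT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "fn": d["fn"], "rid": d["rid"],
        "duration_ms": float(d["dur"]), "billed_ms": int(d["billed"]),
        "memory_mb": int(d["mem"]), "used_mb": int(d["used"]),
    }


def detect(lines, burst_per_minute=5):
    """Return alerts as (rule, function, detail) tuples."""
    alerts = []
    per_minute = Counter()
    for line in lines:
        r = parse_report(line)
        if r is None:
            continue
        fn = r["fn"]
        timeout = TIMEOUT_MS.get(fn)
        # An invocation at 80% of its timeout is either a slow dependency
        # or an attacker feeding input that makes the function spin.
        if timeout and r["duration_ms"] >= 0.8 * timeout:
            alerts.append(("near_timeout", fn, r["rid"]))
        if r["used_mb"] >= 0.9 * r["memory_mb"]:
            alerts.append(("memory_pressure", fn, r["rid"]))
        per_minute[(fn, r["ts"][:16])] += 1   # bucket on YYYY-MM-DDTHH:MM
    for (fn, minute), n in per_minute.items():
        if n > burst_per_minute:
            alerts.append(("invocation_burst", fn, f"{n} invocations in {minute}"))
    return alerts


# Constructed sample: seven orders-api calls in one minute (one of them
# slow), one memory-hungry thumbnailer call, and a START line to ignore.
SAMPLE_LOGS = [
    f"2019-02-20T10:00:0{i}Z orders-api REPORT RequestId: req-{i} "
    f"Duration: {2750.00 if i == 4 else 118.30} ms "
    f"Billed Duration: {2800 if i == 4 else 200} ms "
    "Memory Size: 128 MB Max Memory Used: 45 MB"
    for i in range(1, 8)
] + [
    "2019-02-20T10:01:02Z thumbnailer REPORT RequestId: req-t1 Duration: 4100.22 ms "
    "Billed Duration: 4200 ms Memory Size: 256 MB Max Memory Used: 250 MB",
    "2019-02-20T10:01:05Z orders-api START RequestId: req-9 Version: $LATEST",
    "2019-02-20T10:01:05Z orders-api REPORT RequestId: req-9 Duration: 99.10 ms "
    "Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 44 MB",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The burst threshold is deliberately tiny so the sample trips it; in practice baseline it per function from normal traffic, and pair the alert with the billing metrics the platform already exposes, since the cost of a runaway function shows up there before it shows up anywhere else.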
35. Questions
36. Building a world where technology is trusted.
@denimgroup www.denimgroup.com
ory@puresec.io dan@denimgroup.com