Securing Serverless by Breaking in

•

0 likes•139 views

Guy Podjarny from Snyk gave a presentation on securing serverless applications. He demonstrated vulnerabilities in a sample serverless app and how to fix them. The main security issues discussed were vulnerable dependencies, denial of service attacks from regular expression denial of service (ReDoS) vulnerabilities, secrets in code, granular permissions and functions, and immutable servers being reused. Podjarny emphasized testing for vulnerabilities, using key management systems, deploying narrowly-scoped functions, and monitoring functions over time.

snyk.io
Securing Serverless -  
By Breaking In
Guy Podjarny, Snyk
@guypod

InfoQ.com: News & Community Site
• Over 1,000,000 software developers, architects and CTOs read the site world-
wide every month
• 250,000 senior developers subscribe to our weekly newsletter
• Published in 4 languages (English, Chinese, Japanese and Brazilian
Portuguese)
• Post content from our QCon conferences
• 2 dedicated podcast channels: The InfoQ Podcast, with a focus on
Architecture and The Engineering Culture Podcast, with a focus on building
• 96 deep dives on innovative topics packed as downloadable emags and
minibooks
• Over 40 new content items per week
Watch the video with slide
synchronization on InfoQ.com!
https://www.infoq.com/presentations/
serverless-security-2017

Purpose of QCon
- to empower software development by facilitating the spread of
knowledge and innovation
Strategy
- practitioner-driven conference designed for YOU: influencers of
change and innovation in your teams
- speakers and topics driving the evolution and innovation
- connecting and catalyzing the influencers and innovators
Highlights
- attended by more than 12,000 delegates since 2007
- held in 9 cities worldwide
Presented at QCon San Francisco
www.qconsf.com

snyk.io
About Me
• Guy Podjarny, @guypod on Twitter
• CEO & Co-founder at Snyk
• History:
• Cyber Security part of Israel Defense Forces
• First Web App Firewall(AppShield), Dynamic/Static Tester(AppScan)
• Security: Worked in Sanctum -> Watchﬁre -> IBM
• Performance: Founded Blaze -> CTO @Akamai
• O’Reilly author, speaker

snyk.io
Serverless Security: The Theory 
(talk from ServerlessConf)
https://www.youtube.com/watch?v=CiyUD_rI8D8
https://snyk.io/blog/serverless-security-implications-from-infra-to-owasp/

snyk.io
Agenda
• Show a demo serverless app
• Hack it
• Explain the security ﬂaws and how to ﬁx them
• Summary
• Q&A

snyk.io
Example: Fetch ﬁle & store in s3
(Serverless Framework Example)
19 Lines of Code
2 Direct dependencies
19 dependencies(incl. indirect)
191,155 Lines of Code

snyk.io
Serverless does secure 
OS dependencies
Just not app dependencies

snyk.io
1. Beware Vulnerable Libraries 
(test during dev, monitor over time)

snyk.io
Side Note: 
Snyk isn’t only for Serverless

snyk.io
2. ReDoS can still be costly 
(won’t take you down, but can hike up bill)

snyk.io
Beware 
Resource Exhaustion Attacks
Not all your services elastically scale

snyk.io
3. Avoid secrets in deployed code 
(env variables aren’t enough - Use a KMS!)

snyk.io
Serverless platforms oﬀer a 
Key Management System
Just use it!

snyk.io
4. Deploy granular functions 
(shared function code = greater exposure)

snyk.io
AWS Security Policy
Easier
Policy 3Policy 2
Policy 1
Safer

snyk.io
5. Use Granular Policies 
(only allow each function its minimum permissions)

snyk.io
A function is a perimeter
That needs to be secured
Perimeter Perimeter
Perimeter
Perimeter
Perimeter

snyk.io
6. Don’t rely on immutability 
(Lambda - and others - reuse servers)

snyk.io
Serverless user is typically 
Low Privilege
Reducing impact substantially, but not eliminating it

snyk.io
7. Worry about all functions 
(Every available function increases your attack surface)

snyk.io
Security in Serverless
Vulnerabilities in your code
Vulnerable App Dependencies
Permissions
Securing Data at rest
Vulnerable OS Dependencies
Denial of Service
Long-lived Compromised
Servers
Third Party Services
Attack Surface
Security Monitoring
Better Neutral Worse

snyk.io
Serverless is deﬁned now. 
Let’s build Security in.
Thank You!
Guy Podjarny, Snyk
@guypod
Don’t forget:  
OSS Security AMA 
2:55pm, Waterfront CDE

Watch the video with slide
synchronization on InfoQ.com!
https://www.infoq.com/presentations/
serverless-security-2017

If you had to identify and remediate your entire infrastructure from something like Heartbleed, how long do you think it would take you today? In this presentation we will do this in about 15min. No matter how many servers we are using. We will take a look at “Chef Automate”. A product from Chef Inc. that helps us to build, deploy and manage our infrastructure and applications. It is also an awesome way to analyse the state of our infrastructure in terms of compliance and vulnerabilities. https://www.chef.io/automate/ Jürgen Brüder will introduce the Chef Automate to us, show us a demo where we will analyse and fix 0-day vulnerabilities on various servers and then talk to us about his experience with using this tool with actual customers.

Conf call ferrolterra 28 sept 2018

Domotica daVinci

Outpost24 webinar mastering container security in modern day dev ops

Outpost24

Demystifying Cloud Security Compliance

Mirantis

Microservice et identité

Leonard Moustacchis

OWASP-SKF Making the web secure by design - Glenn ten Cate - Codemotion Amste...

Codemotion

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...

DevSecCon

In this talk we will talk about how to ensure the security and quality of the software we deploy on Kubernetes using open-source tools like Sigstore, Kyverno and Syft/Grype. We will explain what a secure supply chain is, why it is important and how to implement it with these tools. We will also show you how to generate and verify SBOMs (Software Bill of Materials) of your OCI (Open Container Initiative) artifacts. And finally, we will show you some practical examples of how to use these technologies in action. We hope you enjoy it and find it useful!

Full-Scale Elm in Production

C4Media

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2pWj8Ra. Richard Feldman introduces Elm, how it works, what differentiates it from the other front-end technologies, and gives practical advice for introducing it to an existing JavaScript codebase. Filmed at qconlondon.com. Richard Feldman works as a Software Engineer at Noredink. He is the author of “Elm in Action” from Manning Publications, and the instructor for the Frontend Masters 2-Day Elm Workshop.

AWS live hack: Atlassian + Snyk OSS on AWS

Eric Smalling

Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...

Chocolatey Software

Michel Buczynski, DevOps Coach at TD Securities: Most of the developments in FinTech are hybrid, they rely of both legacy and modern or more agile technologies. We will show how Chocolatey Business Edition can become the centerpiece of a CD pipeline. We will explain in detail how to integrate Chocolatey with Jenkins, Nexus, SaltStack to deploy micro-services both on legacy and cloud platform. We will show how the Chocolatey Agent (Self-Service Installer) with the help of Nexus repos, permit a secure continuous deployment of custom desktop applications on users' workstations and make the use of Citrix XenApp servers almost obsolete. Show how the Package Builder, Synchronizer, Downloader and Internalize simplify the day to day operation of developers.

Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...

Michel Buczynski

CHIPS Alliance_Object Automation Inc_workshop

Object Automation

The Hitchhiker's Guide to Serverless JavaScript

C4Media

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2pWcP0b. Steve Faulkner discusses Bustle's entire serverless stack. He talks about the good, the bad, and the ugly, sharing real numbers from production systems. Filmed at qconlondon.com. Steve Faulkner is the Director of Platform Engineering at Bustle, where he is championing all things "serverless". Previously he co-founded the streaming music startup Murfie.

Application Centric Microservices from Redhat Summit 2015

Ken Owens

When Cisco started envisioning the future of its application development platforms, the ability to create applications that are cloud-native with elastic services, network-aware application policies, and micro-services was strategic to the company. When the decision to build and operate a Cisco cloud service delivery platform for collaboration, video, and Internet of Things (IoT) application development was made, OpenStack and micro-services became central to our application architectures and strategic to our vision as a company. This presentation will look at the journey Cisco developers took to transform to an application-centric OpenStack platform for application development in a secure, network-centric, and completely open source manner. The importance of the platform being Red Hat Enterprise Linux OpenStack Platform and using OpenShift by Red Hat and the contribution to the community will be described. The micro-services architecture and service-oriented DevOps lessons learned for enabling massive scalable and continuous delivery of software will be presented and demoed.

DevOps intro

Abdelrhman Shawky

Build, Ship and Run Unikernels

C4Media

Enabling application portability with the greatest of ease!

Ken Owens

Securing Serverless - By Breaking In

Guy Podjarny

Cybersecurity model and top cloud security controls for product development e...

James DeLuccia IV

Here is the expanded presentation materials shared at the 2019 RSA Conference. This includes a breakout for the most important cloud security areas to maximize the long tail concept shared in the deck. The last 25 years have exposed old and new cybersecurity patterns. There is a primal draw to those hot and elite threat actors at the detriment of common security. This presentation will share a practical cybersecurity method employed for our 300+ deployed cloud subscriptions and hundreds of products. Learn how to focus those vital engineering hours where they will benefit your customers the best. Learning Objectives: 1: Learn how to balance your security requirements with product teams. 2: Understand what risks you need to include when in the minimum viable product world. 3: Learn how you can deliver products at scale in the world that meet industrial security requirements.

The Service Mesh: It's about Traffic

C4Media

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2mcpD5B. Oliver Gould talks about the Linkerd project, a service mesh hosted by the Cloud Native Computing Foundation, to give operators control over the traffic between their microservices. He shares the lessons they've learned helping dozens of organizations get to production with Linkerd and how they've applied these lessons to tackle complexity with Linkerd. Filmed at qconnewyork.com. Oliver Gould is co-founder and CTO at Buoyant, Inc.

Deep dive nella supply chain della nostra infrastruttura cloud

sparkfabrik

L'infrastruttura come codice e le applicazioni cloud-native consentono di raggiungere livelli senza precedenti di efficienza e governance dei nostri servizi cloud, rendendoci capaci di creare infrastrutture immutabili e ripetibili, di poterci operare come se fossero applicazioni quindi versionando il codice, qa e test automatici e procedure di rilascio automatiche verso gli ambienti di destinazione. Più inseriamo codice nelle nostre infrastrutture, più estendiamo la superficie di attacco. In questo talk, esaminerò gli attacchi alla catena di approvvigionamento a diversi livelli, come rilevarli e le tecniche per mitigarli e come scrivere codice IaC più sicuro.

Expedia's Journey toward Site Resiliency

C4Media

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2oAuPOe. Sahar Samiei and Willie Wheeler share Expedia’s resiliency journey, starting with resiliency as an afterthought and progressing toward resiliency as a first-class concern. They talk about the importance of partnering with the teams experiencing operational struggles, and equipping them with the data to make the right investments at the right time. Filmed at qconsf.com. Sahar Samiei is a Senior Product Manager leading the Site Reliability Program at Expedia. She has been with Expedia for eight years, working across different teams, focusing on operations. Willie Wheeler is a Principal Application Engineer at Expedia, with 20 years of professional software development experience. At Expedia he serves as a resiliency champion within the engineering organization.

Docker12 factor

John Zaccone

Journey to APIs and Microservices: Best Practices

Deepak Nadig

Agility is enabled by systems that are flexible and extensible. IEEE Standard Glossary of Software Engineering Technology defines Flexibility as the ease with which a system or component can be modified for use in applications or environments other than those for which it was specifically designed. and Extensibility as the ease with which a system or component can be modified to increase its functional capacity. As customer needs evolve, flexibility helps with composing features and applications rapidly from using API, and extensibility helps in introducing the required changes quickly by making changes in services. The challenge many companies have today is that they have built systems primarily as monoliths during a stage of their evolution, or have several services but they are tightly coupled. Satisfying a customer need even though the functionality already exists can take significant effort and cost. Companies are therefore moving to APIs and microservices to address this business imperative. While many initiate this journey, most of them don’t end up with the intended outcomes - they falter or fail and go through many iterations. This talk will share principles, best practices and approaches - across architecture, organizational and cultural - that have been applied in transforming companies such as eBay, PayPal and Intuit to APIs and Microservices.

Netflix: From Zero to Production-Ready in Minutes (QCon 2017)

Tim Bozarth

Slides from Tim Bozarth's (@timbozarth) QCon 2017 presentation (https://qconnewyork.com/ny2017/presentation/zero-production-ready-minutes) Abstract: The fabric of Netflix's approach to building new highly-available services is evolving. The Runtime Platform Team is focused on improving developer productivity while simultaneously making it simpler to build and maintain the high-availability services that Netflix expects. Starting with application generation, and leveraging a new approach to communication between services (RPC), we're simplifying what's needed to build a fast, reliable, and optimized service capable of delivering a fantastic customer experience. We'll be sharing how Netflix is enabling engineers to go from "zero" to "production ready" in minutes - incorporating best-practices learned through years in the cloud. We will also share the story of transitioning from our home-grown RPC machinery to open-source standards, how we recognized when it was the right time to walk away from our own creations, and how our new approach is improving team velocity across Netflix engineering.

Streaming a Million Likes/Second: Real-Time Interactions on Live Video

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/39NIjLV. Akhilesh Gupta does a technical deep-dive into how Linkedin uses the Play/Akka Framework and a scalable distributed system to enable live interactions like likes/comments at massive scale at extremely low costs across multiple data centers. Filmed at qconlondon.com. Akhilesh Gupta is the technical lead for LinkedIn's Real-time delivery infrastructure and LinkedIn Messaging. He has been working on the revamp of LinkedIn’s offerings to instant, real-time experiences. Before this, he was the head of engineering for the Ride Experience program at Uber Technologies in San Francisco.

Next Generation Client APIs in Envoy Mobile

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2x0Fav8. Jose Nino guides the audience through the journey of Mobile APIs at Lyft. He focuses on how the team has reaped the benefits of API generation to experiment with the network transport layer. He also discusses recent developments the team has made with Envoy Mobile and the roadmap ahead. Filmed at qconlondon.com. Jose Nino works as a Software Engineer at Lyft.

Similar to Securing Serverless by Breaking in

AWS live hack: Docker + Snyk Container on AWS

Eric Smalling

KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes

sparkfabrik

Full-Scale Elm in Production

C4Media

AWS live hack: Atlassian + Snyk OSS on AWS

Eric Smalling

Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...

Chocolatey Software

Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...

Michel Buczynski

CHIPS Alliance_Object Automation Inc_workshop

Object Automation

The Hitchhiker's Guide to Serverless JavaScript

C4Media

Application Centric Microservices from Redhat Summit 2015

Ken Owens

DevOps intro

Abdelrhman Shawky

Build, Ship and Run Unikernels

C4Media

Enabling application portability with the greatest of ease!

Ken Owens

Securing Serverless - By Breaking In

Guy Podjarny

Cybersecurity model and top cloud security controls for product development e...

James DeLuccia IV

The Service Mesh: It's about Traffic

C4Media

Deep dive nella supply chain della nostra infrastruttura cloud

sparkfabrik

Expedia's Journey toward Site Resiliency

C4Media

Docker12 factor

John Zaccone

Journey to APIs and Microservices: Best Practices

Deepak Nadig

Netflix: From Zero to Production-Ready in Minutes (QCon 2017)

Tim Bozarth

Similar to Securing Serverless by Breaking in (20)

AWS live hack: Docker + Snyk Container on AWS

KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes

Full-Scale Elm in Production

AWS live hack: Atlassian + Snyk OSS on AWS

Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...

CHIPS Alliance_Object Automation Inc_workshop

The Hitchhiker's Guide to Serverless JavaScript

Application Centric Microservices from Redhat Summit 2015

DevOps intro

Build, Ship and Run Unikernels

Enabling application portability with the greatest of ease!

Securing Serverless - By Breaking In

Cybersecurity model and top cloud security controls for product development e...

The Service Mesh: It's about Traffic

Deep dive nella supply chain della nostra infrastruttura cloud

Expedia's Journey toward Site Resiliency

Docker12 factor

Journey to APIs and Microservices: Best Practices

Netflix: From Zero to Production-Ready in Minutes (QCon 2017)

More from C4Media

Streaming a Million Likes/Second: Real-Time Interactions on Live Video

C4Media

Next Generation Client APIs in Envoy Mobile

C4Media

Software Teams and Teamwork Trends Report Q1 2020

C4Media

How do we cope with an environment that has been radically disrupted, where people are suddenly thrust into remote work in a chaotic state? What are the emerging good practices and new ideas that are shaping the way in which software development teams work? What can we do to make the workplace a more secure and diverse one while increasing the productivity of our teams? This report aims to assist technical leaders in making mid- to long-term decisions that will have a positive impact on their organisations and teams and help individual contributors find the practices, approaches, tools, techniques, and frameworks that can help them get a better experience at work - irrespective of where they are working from.

Understand the Trade-offs Using Compilers for Java Applications

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2QCmmJ0. Mark Stoodley examines some of the strengths and weaknesses of the different Java compilation technologies, if one was to apply them in isolation. Stoodley discusses how production JVMs are assembling a combination of these tools that work together to provide excellent performance across the large spectrum of applications written in Java and JVM based languages. Filmed at qconsf.com. Mark Stoodley joined IBM Canada to build Java JIT compilers for production use and led the team that delivered AOT compilation in the IBM SDK for Java 6. He spent the last five years leading the effort to open source nearly 4.3 million lines of source code from the IBM J9 Java Virtual Machine to create the two open source projects Eclipse OMR and Eclipse OpenJ9, and now co-leads both projects.

Kafka Needs No Keeper

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2y2yPiS. Colin McCabe talks about the ongoing effort to replace the use of Zookeeper in Kafka: why they want to do it and how it will work. He discusses the limitations they have found and how Kafka benefits both in terms of stability and scalability by bringing consensus in house. He talks about their progress, what work is remaining, and how contributors can help. Filmed at qconsf.com. Colin McCabe is a Kafka committer at Confluent, working on the scalability and extensibility of Kafka. Previously, he worked on the Hadoop Distributed Filesystem and the Ceph Filesystem.

High Performing Teams Act Like Owners

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2SXXXiD. Katharina Probst talks about what it means to act like an owner and why teams need ownership to be high-performing. When team members, regardless of whether they have a formal leadership role or not, act like owners, magical things can happen. She shares ideas that we can apply to our own work, and talks about how to recognize when we don’t live up to our own expectations of acting like an owner. Filmed at qconsf.com. Katharina Probst is a Senior Engineering Leader, Kubernetes & SaaS at Google. Before this, she was leading engineering teams at Netflix, being responsible for the Netflix API, which helps bring Netflix streaming to millions of people around the world. Prior to joining Netflix, she was in the cloud computing team at Google, where she saw cloud computing from the provider side.

Does Java Need Inline Types? What Project Valhalla Can Bring to Java

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2T04Lw4. Sergey Kuksenko talks about the performance benefits inline types bring to Java and how to exploit them. Inline/value types are the key part of experimental project Valhalla, which should bring new abilities to the Java language. Filmed at qconsf.com. Sergey Kuksenko is a Java Performance Engineer at Oracle working on a variety of Java and JVM performance enhancements. He started working as Java Engineer in 1996 and as Java Performance Engineer in 2005. He has had a passion for exploring how Java works on modern hardware.

Service Meshes- The Ultimate Guide

C4Media

Do you need service meshes in your tech stack? This on-line guide aims to answer pertinent questions for software architects and technical leaders, such as: what is a service mesh?, do I need a service mesh?, how do I evaluate the different service mesh offerings? In software architecture, a service mesh is a dedicated infrastructure layer for facilitating service-to-service communications between microservices, often using a sidecar proxy.

Shifting Left with Cloud Native CI/CD

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2UgQ3BU. Christie Wilson describes what to expect from CI/CD in 2019, and how Tekton is helping bring that to as many tools as possible, such as Jenkins X and Prow. Wilson talks about Tekton itself and performs a live demo that shows how cloud native CI/CD can help debug, surface and fix mistakes faster. Filmed at qconsf.com. Christie Wilson is a software engineer at Google, currently leading the Tekton project. Over the past decade, she has worked in the mobile, financial and video game industries. Prior to working at Google she led a team of software developers to build load testing tools for AAA video game titles, and founded the Vancouver chapter of PyLadies.

CI/CD for Machine Learning

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2S7lDiS. Sasha Rosenbaum shows how a CI/CD pipeline for Machine Learning can greatly improve both productivity and reliability. Filmed at qconsf.com. Sasha Rosenbaum is a Program Manager on the Azure DevOps engineering team, focused on improving the alignment of the product with open source software. She is a co-organizer of the DevOps Days Chicago and the DeliveryConf conferences, and recently published a book on Serverless computing in Azure with .NET.

Fault Tolerance at Speed

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/36epVKg. Todd Montgomery discusses the techniques and lessons learned from implementing Aeron Cluster. His focus is on how Raft can be implemented on Aeron, minimizing the network round trip overhead, and comparing single process to a fully distributed cluster. Filmed at qconsf.com. Todd Montgomery is a networking hacker who has researched, designed, and built numerous protocols, messaging-oriented middleware systems, and real-time data systems, done research for NASA, contributed to the IETF and IEEE, and co-founded two startups. He currently works as an independent consultant and is active in several open source projects.

Architectures That Scale Deep - Regaining Control in Deep Systems

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2FWc5Sk. Ben Sigelman talks about "Deep Systems", their common properties and re-introduces the fundamentals of control theory from the 1960s, including the original conceptualizations of Observability & Controllability. He uses examples from Google & other companies to illustrate how deep systems have damaged people's ability to observe software, and what needs to be done in order to regain control. Filmed at qconsf.com. Ben Sigelman is a co-founder and the CEO at LightStep, a co-creator of Dapper (Google’s distributed tracing system), and co-creator of the OpenTracing and OpenTelemetry projects (both part of the CNCF). His work and interests gravitate towards observability, especially where microservices, high transaction volumes, and large engineering organizations are involved.

ML in the Browser: Interactive Experiences with Tensorflow.js

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/39SddUL. Victor Dibia provides a friendly introduction to machine learning, covers concrete steps on how front-end developers can create their own ML models and deploy them as part of web applications. He discusses his experience building Handtrack.js - a library for prototyping real time hand tracking interactions in the browser. Filmed at qconsf.com. Victor Dibia is a Research Engineer with Cloudera’s Fast Forward Labs. Prior to this, he was a Research Staff Member at the IBM TJ Watson Research Center, New York. His research interests are at the intersection of human computer interaction, computational social science, and applied AI.

Build Your Own WebAssembly Compiler

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2s9T3Vl. Colin Eberhardt looks at some of the internals of WebAssembly, explores how it works “under the hood”, and looks at how to create a (simple) compiler that targets this runtime. Filmed at qconsf.com. Colin Eberhardt is the Technology Director at Scott Logic, a UK-based software consultancy where they create complex application for their financial services clients. He is an avid technology enthusiast, spending his evenings contributing to open source projects, writing blog posts and learning as much as he can.

User & Device Identity for Microservices @ Netflix Scale

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2S9tOgy. Satyajit Thadeshwar provides useful insights on how Netflix implemented a secure, token-agnostic, identity solution that works with services operating at a massive scale. He shares some of the lessons learned from this process, both from architectural diagrams and code. Filmed at qconsf.com. Satyajit Thadeshwar is an engineer on the Product Edge Access Services team at Netflix, where he works on some of the most critical services focusing on user and device authentication. He has more than a decade of experience building fault-tolerant and highly scalable, distributed systems.

Scaling Patterns for Netflix's Edge

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2Ezs08q. Justin Ryan talks about Netflix’ scalability issues and some of the ways they addressed it. He shares successes they’ve had from unintuitively partitioning computation into multiple services to get better runtime characteristics. He introduces us to useful probabilistic data structures, innovative bi-directional data passing, open-source projects available from Netflix that make this all possible. Filmed at qconsf.com. Justin Ryan is Playback Edge Engineering at Netflix. He works on some of the most critical services at Netflix, specifically focusing on user and device authentication. Years of building developer tools has also given him a healthy set of opinions on developer productivity.

Make Your Electron App Feel at Home Everywhere

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2Z4ZJjn. Kilian Valkhof discusses the process of making an Electron app feel at home on all three platforms: Windows, MacOS and Linux, making devs aware of the pitfalls and how to avoid them. Filmed at qconsf.com. Kilian Valkhof is a Front-end Developer & User-experience Designer at Firstversionist. He writes about various topics, from design to machine learning, on his personal website, kilianvalkhof.com and is a frequent contributer to open source software. He is part of the Electron governance team that oversees the development of the Electron framework.

The Talk You've Been Await-ing For

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/344PnB1. Steve Klabnik goes over the deep details of how async/await works in Rust, covering concepts like coroutines, generators, stack-less vs stack-ful, "pinning", and more. Filmed at qconsf.com. Steve Klabnik is on the core team of Rust, leads the documentation team, and is an author of "The Rust Programming Language." He is a frequent speaker at conferences and is a prolific open source contributor, previously working on projects such as Ruby and Ruby on Rails.

Future of Data Engineering

C4Media

Automated Testing for Terraform, Docker, Packer, Kubernetes, and More

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2rm4hFD. Yevgeniy Brikman talks about how to write automated tests for infrastructure code, including the code written for use with tools such as Terraform, Docker, Packer, and Kubernetes. Topics covered include: unit tests, integration tests, end-to-end tests, dependency injection, test parallelism, retries and error handling, static analysis, property testing and CI / CD for infrastructure code. Filmed at qconsf.com. Yevgeniy Brikman is the co-founder of Gruntwork, a company that provides DevOps as a Service. He is the author of two books published by O'Reilly Media: Hello, Startup and Terraform: Up & Running. Previously, he worked as a software engineer at LinkedIn, TripAdvisor, Cisco Systems, and Thomson Financial.

More from C4Media (20)

Streaming a Million Likes/Second: Real-Time Interactions on Live Video

Next Generation Client APIs in Envoy Mobile

Software Teams and Teamwork Trends Report Q1 2020

Understand the Trade-offs Using Compilers for Java Applications

Kafka Needs No Keeper

High Performing Teams Act Like Owners

Does Java Need Inline Types? What Project Valhalla Can Bring to Java

Service Meshes- The Ultimate Guide

Shifting Left with Cloud Native CI/CD

CI/CD for Machine Learning

Fault Tolerance at Speed

Architectures That Scale Deep - Regaining Control in Deep Systems

ML in the Browser: Interactive Experiences with Tensorflow.js

Build Your Own WebAssembly Compiler

User & Device Identity for Microservices @ Netflix Scale

Scaling Patterns for Netflix's Edge

Make Your Electron App Feel at Home Everywhere

The Talk You've Been Await-ing For

Future of Data Engineering

Automated Testing for Terraform, Docker, Packer, Kubernetes, and More

Recently uploaded

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

GridMate - End to end testing is a critical piece to ensure quality and avoid...

ThomasParaiso2

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Free Complete Python - A step towards Data Science

RinaMondal9

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

SOFTTECHHUB

The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing. One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.

UiPath Test Automation using UiPath Test Suite series, part 5

DianaGray10

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

The Future of Platform Engineering

Jemma Hussein Allen

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

Peter Spielvogel

Building better applications for business users with SAP Fiori. • What is SAP Fiori and why it matters to you • How a better user experience drives measurable business benefits • How to get started with SAP Fiori today • How SAP Fiori elements accelerates application development • How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities • How SAP Fiori paves the way for using AI in SAP apps

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Neo4j

Dr. Sean Tan, Head of Data Science, Changi Airport Group Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

Recently uploaded (20)

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

GridMate - End to end testing is a critical piece to ensure quality and avoid...

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

Elevating Tactical DDD Patterns Through Object Calisthenics

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

Free Complete Python - A step towards Data Science

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Epistemic Interaction - tuning interfaces to provide information for AI support

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

UiPath Test Automation using UiPath Test Suite series, part 5

National Security Agency - NSA mobile device best practices

20240605 QFM017 Machine Intelligence Reading List May 2024

The Future of Platform Engineering

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Essentials of Automations: The Art of Triggers and Actions in FME

Securing your Kubernetes cluster_ a step-by-step guide to success !

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Securing Serverless by Breaking in

1. snyk.io Securing Serverless -   By Breaking In Guy Podjarny, Snyk @guypod

2. InfoQ.com: News & Community Site • Over 1,000,000 software developers, architects and CTOs read the site worldwide every month • 250,000 senior developers subscribe to our weekly newsletter • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • 2 dedicated podcast channels: The InfoQ Podcast, with a focus on Architecture and The Engineering Culture Podcast, with a focus on building • 96 deep dives on innovative topics packed as downloadable emags and minibooks • Over 40 new content items per week Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ serverless-security-2017

3. Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide Presented at QCon San Francisco www.qconsf.com

4. snyk.io About Me • Guy Podjarny, @guypod on Twitter • CEO & Co-founder at Snyk • History: • Cyber Security part of Israel Defense Forces • First Web App Firewall(AppShield), Dynamic/Static Tester(AppScan) • Security: Worked in Sanctum -> Watchﬁre -> IBM • Performance: Founded Blaze -> CTO @Akamai • O’Reilly author, speaker

5. snyk.io Serverless Security: The Theory  (talk from ServerlessConf) https://www.youtube.com/watch?v=CiyUD_rI8D8 https://snyk.io/blog/serverless-security-implications-from-infra-to-owasp/

6. snyk.io Today - straight to practice!

7. snyk.io Agenda • Show a demo serverless app • Hack it • Explain the security ﬂaws and how to ﬁx them • Summary • Q&A

8. snyk.io Going Terminal…

9. snyk.io Vulnerable Libraries

10. snyk.io Example: Fetch ﬁle & store in s3 (Serverless Framework Example) 19 Lines of Code 2 Direct dependencies 19 dependencies(incl. indirect) 191,155 Lines of Code

11. snyk.io

12. snyk.io Serverless does secure  OS dependencies Just not app dependencies

13. snyk.io 1. Beware Vulnerable Libraries  (test during dev, monitor over time)

14. snyk.io Side Note:  Snyk isn’t only for Serverless

15. snyk.io Denial of Service

16. snyk.io 2. ReDoS can still be costly  (won’t take you down, but can hike up bill)

17. snyk.io Beware  Resource Exhaustion Attacks Not all your services elastically scale

18. snyk.io Secrets

19. snyk.io 3. Avoid secrets in deployed code  (env variables aren’t enough - Use a KMS!)

20. snyk.io Serverless platforms oﬀer a  Key Management System Just use it!

21. snyk.io Granularity

22. snyk.io 4. Deploy granular functions  (shared function code = greater exposure)

23. snyk.io AWS Security Policy Easier Policy 3Policy 2 Policy 1 Safer

24. snyk.io Permissions

25. snyk.io 5. Use Granular Policies  (only allow each function its minimum permissions)

26. snyk.io A function is a perimeter That needs to be secured Perimeter Perimeter Perimeter Perimeter Perimeter

27. snyk.io Immutability

28. snyk.io 6. Don’t rely on immutability  (Lambda - and others - reuse servers)

29. snyk.io Serverless user is typically  Low Privilege Reducing impact substantially, but not eliminating it

30. snyk.io 7. Worry about all functions  (Every available function increases your attack surface)

31. snyk.io Security in Serverless Vulnerabilities in your code Vulnerable App Dependencies Permissions Securing Data at rest Vulnerable OS Dependencies Denial of Service Long-lived Compromised Servers Third Party Services Attack Surface Security Monitoring Better Neutral Worse

32. snyk.io Serverless is deﬁned now.  Let’s build Security in. Thank You! Guy Podjarny, Snyk @guypod Don’t forget:   OSS Security AMA  2:55pm, Waterfront CDE

33. Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ serverless-security-2017

Securing Serverless by Breaking in

Recommended

Recommended

More Related Content

Similar to Securing Serverless by Breaking in

Similar to Securing Serverless by Breaking in (20)

More from C4Media

More from C4Media (20)

Recently uploaded

Recently uploaded (20)

Securing Serverless by Breaking in