Wondering what serverless (or FaaS) is and how it impacts security risk? We will start by understanding how serverless is being used, the serverless architecture for IoT & AI, and examples of serverless applications. After that, we will go through the security impact of going serverless, then conclude with the top 10 serverless security risks and measures to mitigate them.
The Top 10 Most Common Weaknesses in Serverless Applications 2018 (PureSec)
Top 10 Most Common Weaknesses in Serverless Applications (2018). By PureSec. A walkthrough of the Top 10 most common security mistakes and weaknesses found in serverless applications such as AWS Lambda and Azure Functions
Microsegmentation from strategy to execution (AlgoSec)
Organizations heavily invest in security solutions to keep their networks safe, but still struggle to close the security gaps. Micro-segmentation helps protect against the lateral movement of malware and minimizes the risk of insider threats. Micro-segmentation has received lots of attention as a possible solution, but many IT security professionals aren’t sure where to begin or what approach to take.
In this practical webinar, Prof. Avishai Wool, AlgoSec’s CTO and co-founder will guide you through each stage of a micro-segmentation project – from developing the correct micro-segmentation strategy to effectively implementing it and continually maintaining your micro-segmented network.
Register now for this live webinar and get a practical blueprint to creating your micro-segmentation policy:
What is micro-segmentation.
Common pitfalls in micro-segmentation projects and how to avoid them.
The stages of a successful micro-segmentation project.
The role of policy change management and automation in micro-segmentation.
Extend Enterprise Application-level Security to Your AWS Environment (Imperva)
When organizations shift to a public cloud environment, security and compliance must remain top of mind. While Amazon Web Services (AWS) provides robust infrastructure-level protections, today’s attackers target the applications themselves.
This presentation will:
- Discuss inherent AWS security capabilities
- Review attack types that target the applications and why traditional security approaches can’t stop them
- Illustrate how Imperva SecureSphere for AWS stops these attacks and enables you to use the security infrastructure in the cloud and on-premise
Best Practices for Automating Next Generation Firewall Change Processes (Adi Gazit Blecher)
Hear how AlgoSec seamlessly integrates with Palo Alto Networks NGFWs to simply and intelligently automate App-ID and User-ID security policy change workflows, business application connectivity mapping and compliance reporting across on-premise and cloud environments.
Is your database environment growing rapidly? Is your organization at greater risk from outside hacks and compromised user accounts? An organization needs to know how to effectively monitor databases in order to prevent data loss, and significantly reduce the time to discover security risks and minimize potential damage.
View this presentation and learn how to:
- Detect and block cyber security events in real-time
- Protect large and diverse database environments
- Extend data monitoring to your Big Data and AWS environments
- Simplify compliance enforcements and reporting
Tying cyber attacks to business processes, for faster mitigation (Maytal Levi)
Time is not on your side when managing security for a global enterprise and facing down a relentless barrage of cyber attacks. So when confronted with multiple suspect alerts flagged by your SIEM solution, you need a way to easily sift through and identify the attacks that will most likely impact key business processes – and quickly take action.
Presented by renowned industry expert Prof. Avishai Wool, this new webinar will cover security best practices for introducing business context into your organization’s incident response processes, and prioritizing and automating remediation efforts accordingly. This insight will give you the intelligence you need to reduce the time and cost of mitigating cyber attacks by orders of magnitude.
In this webinar Professor Wool will cover how to:
- Augment incident triage with critical business context to assess the severity, risk and potential business impact of an attack
- Prioritize incident remediation efforts based on business risk
- Neutralize impacted systems through zero-touch automation
- Limit the lateral movement of an attacker in, out and across your network
- Keep all stakeholders involved in the remediation process to reduce disruption to the business
2021-02-17 VMware-AlgoSec: Securely accelerate your digital transformation w... (AlgoSec)
5 Steps to Reduce Your Window of Vulnerability (Skybox Security)
Skybox Security offers advice and an immediately actionable plan to help you reduce your window of vulnerability and attack surface on your critical network infrastructure.
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C... (EnergySec)
Presenter: David Zahn, PAS
Industrial control systems represent the brass ring for hackers who want to disrupt plant operations and negatively impact safety and productivity. The problem for cybersecurity professionals is that plants have highly vulnerable proprietary control systems where configuration data is not visible via standard WMI or SNMP calls. Yet, it is this same configuration data, such as I/O cards, firmware, installed software, and more, that hackers work hard to attain as it aids them in gaining control over industrial systems within plants.
As the saying goes, “you can’t manage what you can’t measure.” Taking inventory of this hidden configuration data and doing so for all control assets is difficult. Plants as a result fall short of achieving centralized, automated inventory – a cybersecurity best practice and a necessary precursor to effective change management. So how do you address change management when important security data is kept locked within each vendor’s distributed control systems, programmable logic controllers, and remote terminal units?
In this session, we’ll explore the types of inventory data that comprise a best practices cyber security plan. Next, we will dive into cost effective, accurate automation opportunities for inventory discovery and maintenance of heterogeneous proprietary and non-proprietary control assets. Finally, we’ll present a case study for implementing best practices for hardening ICS cyber security and automating management of change.
Agenda:
Building and Maintaining an Accurate ICS Inventory
Best Practices in Inventory Automation
Case Study
Rethinking Security: The Cloud Infrastructure Effect (CloudPassage)
Software-Defined Security Bestows Simplicity
By: Carson Sweet, CEO & Co-founder, CloudPassage
Once an over-hyped buzzword, software-defined security is now a high-value strategy seeing adoption by large enterprises across industries. Hear real implementations of solutions spanning multiple private, public and hybrid infrastructures.
What's Wrong with Vulnerability Management & How Can We Fix It (Skybox Security)
Learn what nearly 1000 IT security professionals have to say about vulnerability management. Based on the findings of a Skybox global survey, see what works and what doesn't in vulnerability assessment, prioritization, and remediation, and how you can improve your program today. Learn the benefits of creating a formal policy that fits your organization, how to assess risk within the context of your organization, and how to create a mature program with continuous security to neutralize risk every day.
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management (AlgoSec)
Yonatan Klein, Director of Product Management (AlgoSec)
As your network has extended beyond the confines of the physical data center and you have started using Software Defined Networks (SDN) such as Cisco ACI, managing security policies within your hybrid estate has become complex.
Each part of your network estate is managed in its own independent silo instead of being holistically managed.
Learn how to unify, consolidate and automate your entire network security policy management including both the Cisco ACI SDN fabric and elements outside the SDN fabric.
In this webinar, Yonatan Klein, Director of Product Management at AlgoSec, explains how to centralize your security policy management throughout your network and the unique challenges of managing an SDN fabric, such as Cisco ACI, in order to get the most out of your entire network.
He covers how to:
- Proactively assess risk throughout your network, including Cisco ACI contracts, and recommend the necessary changes to eliminate misconfigurations and compliance violations
- Gain full visibility and unify security policy management of your entire hybrid network estate, simulate traffic routes and security policy for ACI and other network devices
- Manage traffic change requests in a holistic manner, including automatically pushing security policy changes to Cisco ACI by creating contracts and filters to enforce data center whitelist policy; as well as identifying and provisioning changes to firewalls both within the ACI fabric as well as other network security controls that are on-premises and in the cloud
Application visibility across the security estate: the value and the vision ... (AlgoSec)
Security policy management solutions enable security and operations teams to manage and optimize firewall policy, automate security policy changes and mitigate network security risk - all while avoiding misconfigurations, staying compliant and saving time and resources.
While this provides unprecedented value for network security visibility and management, these teams often lack the business context; the ability to assess the impact of network and firewall rule changes on the company’s business applications, application availability and business processes.
Join Yonatan Klein, Director of Product Management at AlgoSec, as he explores why a security policy management solution should also offer application discovery and visibility to enable a truly business-driven approach to security policy management.
The webinar will cover:
Business-driven management of connectivity change requests while avoiding misconfigurations and miscommunications
Pro-active visibility of the security impact of application changes before applying them
How visibility into the applications associated with every firewall rule enhances auditing, compliance and policy cleanup
Clear visibility into the impact of new vulnerabilities and maintenance tasks on business processes
Different ways to discover network connectivity for existing applications
In this webinar, Dania Ben Peretz, Product Manager at AlgoSec, shows you how to:
Automate your network security policy changes without breaking core network connectivity
Analyze and recommend changes to your network security policies
Push network security policy changes with zero-touch automation to your multi-vendor security devices
Maximize the ROI of your existing security controls by automatically analyzing, validating, and implementing network security policy changes – all while seamlessly integrating with your existing business processes
Learn best practices and specific techniques to help you ensure a successful audit and maintain a state of continuous compliance with the upcoming PCI-DSS 3.2 standards.
Migrating Application Connectivity and Network Security to AWS (AlgoSec)
It’s now a given – most enterprises are moving at least some of their business applications to the cloud. Yet while the cloud is an extremely agile platform, it also adds a new level of complexity. Because, when it comes to network security, the cloud introduces a software-defined security architecture that is fundamentally different from the organization’s existing on-prem network. As a result, many enterprises are now struggling to migrate application connectivity to the cloud, and then manage cloud security controls alongside their traditional firewalls in a way that ensures security and compliance across their entire hybrid architecture.
Presented by renowned industry expert Prof. Avishai Wool, this new webinar will provide technical insight and security best practices for migrating and managing security across a hybrid on-premise - Amazon Web Services (AWS) environment.
Best Practices for Workload Security: Securing Servers in Modern Data Center ... (CloudPassage)
Presentation slides from Black Hat 2016. Presented by Sami Laine, Principal Technologist at CloudPassage & Aaron McKeown, Lead Security Architect of Xero.
Network Security Best Practices - Reducing Your Attack Surface (Skybox Security)
Delivered as a webinar, this slide deck provides best practices for gaining total visibility of your attack surface and ways to manage and reduce your risk, network vulnerabilities, and potential breaches.
In this webinar you will learn about:
• Key industry metrics that compare security environments within and beyond the finance industry
• Network security policy management challenges that hamper digital transformation
• Overcoming security management complexity with automation for speed and accuracy
• Passing compliance audits in the face of demanding regulations
apidays LIVE Paris - Serverless security: how to protect what you don't see? ... (apidays)
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
Serverless security: how to protect what you don't see?
Jean Baptiste Aviat, Co-founder and CTO at Sqreen.io
What serverless means for enterprise apps (Sumit Sarkar)
There’s a new approach to app development ripe with misconceptions and more buzzwords to translate to business sponsors. Industry analysts call it serverless, but it’s also known as backend as a service (BaaS), function as a service (FaaS), cloud-native architectures, or microservices—just to name a few. Whatever you call it, this approach is giving developers new freedom to focus on frontend functionality and deliver better, more innovative user experiences and ultimately establish value faster. Let’s discuss the pros and cons of serverless in enterprise architectures.
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform... (Priyanka Aash)
Until recently, major public cloud providers have offered relatively basic toolsets for identifying suspicious activity occurring inside customer accounts that may indicate a compromise. Some organizations have invested significant resources to build their own tools or have leveraged industry vendor offerings to provide this visibility. The reality is that this barrier has meant that a large number of organizations haven't dedicated those resources to this problem and therefore operate without sufficient detection and response capabilities to monitor their cloud accounts for compromise.
Amazon Web Services, Google Cloud Platform, and Microsoft Azure have recently launched a new set of native platform threat and anomalous behavior detection services to help their customers better identify and respond to certain issues and activities occurring inside their cloud accounts. From detecting crypto-currency mining to identifying bot-infected systems to alerting on suspicious cloud credential usage to triggering on cloud-specific methods of data exfiltration, these new services aim to make these kinds of detections much easier and simpler to centrally manage.
But what new and unique insights do they offer? What configuration is required to achieve the full benefits of these detections? What types of activities are not yet covered? What attack methods and techniques can avoid detection by these systems and still be successful? What practical guidelines can be followed to make the best use of these services in an organization?
Follow along as we attempt to answer these questions using practical demonstrations that highlight the real threats facing cloud account owners and how the new threat detection capabilities perform in reducing the risks of operating workloads in the public cloud.
Service Mesh and Serverless Chatbots with Linkerd, K8s and OpenFaaSSoftware Guru
This session will present the different challenges for telco companies when they deploy support chatbots for clients, this is based on a real experience of working with chatbots in a
telco company Telefónica based on Guatemala and some countries in Central America.
Presentado por Sergio Méndez en SG Virtual Conference 2020
Measures to ensure Cyber Security in a serverless environmentFibonalabs
A serverless environment/architecture is a manner in which applications are run without any physical server or without a specific infrastructure. It is a virtual setup where the server along with the applications is managed via cloud computing. It has innumerable benefits.
Serverless security - how to protect what you don't see?Sqreen
Protecting serverless is a new topic. This presentation aims at showing what new security challenges it brings, and how CISO and security teams should approach it.
The serverless space evolves fast and there is no convergence on best practices yet. The switch to a serverless architecture involves several changes, for instance developers doing much more ops with serverless, deploying 20 times more services than previously...
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedUnifyCloud
The magnitude of the migration effort to the Cloud, the complexity of both customized apps and Cloud environments, and the requirement for ongoing app-level monitoring suggests the need for what Gartner calls a “programmable security infrastructure capable of supporting security policy ‘toolchains’.”
"The twelve-factor app principle is a methodology for building software as a service application and these best practices are designed to enable applications to be built with portability and resilience when deployed to the web. Lagom is a well-known framework for developing microservices. In this knolx session, we would be discussing the twelve-factor app principle with respect to lagom development. "
The Rise of Serverless Architecture in Web Development.docxSavior_Marketing
The rise of serverless architecture has been a significant trend in web development in recent years. Serverless architecture is a cloud computing model that allows developers to build and deploy applications without the need to manage traditional server infrastructure
Slidedeck from a talk I gave at Pivotal London - Cloud Native Apps Meetup: http://www.meetup.com/London-Pivotal-Cloud-Native-Apps-Meetup/events/224945388/
This is the deck from a talk I presented at Pivotal London - Cloud Native Apps Meetup:
http://www.meetup.com/London-Pivotal-Cloud-Native-Apps-Meetup/events/224945388/
DevSecCon Tel Aviv 2018 - Serverless SecurityAvi Shulman
Serverless architectures enable organizations to build and deploy software and services without having to maintain or provision any physical or virtual servers. Applications built using serverless architectures are suitable for a wide range of services, and can scale elastically as cloud workloads grow. From a software development perspective, organisations adopting serverless can focus on core product functionality, and completely disregard the underlying operating system, application server or software runtime environment. In essence, when you develop applications using serverless, you relieve yourself from the daunting task of having to constantly apply security patches for the underlying operating system and application servers – these tasks are now the responsibility of the serverless architecture provider.
However, the comfort and elegance of serverless architectures is not without its drawbacks – serverless architectures introduce a new set of security concerns that must be taken into consideration when coming to secure such applications. In this talk, we will present an overview of serverless architectures, the challenge of securing serverless applications, and an overview of the top 10 most common security concerns that developers, DevSecOps and architects should consider when designing and developing such applications. We will also demonstrate a unique CI/CD tool for hardening serverless projects during deployment time.
SpringOne Platform 2017
Mark Fisher, Pivotal
This live coding session will introduce Spring Cloud Function, from the basic programming model all the way to multicloud deployments. Along the way, we'll explore the current state of Java across Function-as-a-Service providers and demonstrate what role Spring can play in the Serverless world.
DeFi, short for Decentralized Finance, is a movement that aims to offer financial services and products that are open to everyone, without the need for intermediaries.
Fantastic Platforms: The Secrets of the Crypto-MetaverseVincent Lau
Technology has always been redefining the way we use platforms to work and play. Historically, Web
1.0 was an information superhighway of connected computers, where you can search and browse
through various centralized company’s platforms. Then at the turn of the millennium, Web 2.0
brought about cloud-based platforms that drove the monetization of user data, mainly through the
proliferation of social networks and e-commerce.
Today the advent of Web 3.0 has further lowered the barrier in creating and launching platforms,
giving rise to a whole new generation of decentralized platforms. While today’s metaverse is a
myriad of interconnected virtual spaces, which is just the World Wide Web accessed through virtual
reality, the rapid development in blockchain technology is fast converging us towards the metaverse
platform that sci-fi authors like Neal Stephenson and Ernest Cline originally envisioned.
As we enter into a new era of democratized and immersive platforms, what are the fantastic
opportunities we can take advantage of? How can crypto help us unlock the secrets of the
metaverse?
IoT Landscape and its Key Trends in DeploymentVincent Lau
Today, there are more than 31 billion Internet of Things (IoT) devices connected to the Internet. These devices range from simple sensors and actuators to smart equipment and appliances that have a huge impact on major industries such as manufacturing, transportation, healthcare and utilities. The vast amount of data collected from IoT device telemetry has also enabled advanced data analytics, and machine learning models that can give us better insights and make IoT smarter, giving rise to AIoT (AI + IoT) applications. With the pandemic situation likely to turn endemic, how will this impact the IoT landscape in Singapore? What are some of the key drivers and growth areas for IoT?
XR and the Future of Immersive TechnologyVincent Lau
Extended Reality (XR) is an umbrella term for Augmented Reality (AR), Virtual Reality (VR), Mixed Reality (MR), and any other kind of immersive technology. In just the last 5 years alone, XR has seen rapid adoption and development of immersive applications that are used in many sectors from Edutainment to Medical. Looking at the state of XR today, let us compare the differences between the various immersive technologies to understand their current limitations and the sectors that they are poised to disrupt. As we begin a new year with hope of a global recovery from the pandemic, we observe some key trends in XR development that will determine the future of immersive technology in the post-COVID world.
The last couple of years have seen rapid changes in the way mobile apps are developed and used. Looking at the current state of mobile app development, let us compare the differences between the various mobile tech stacks to understand the pros and cons of native apps vs hybrid apps vs progressive web apps. As we begin a new year with hope of a global recovery from the pandemic, we observe 11 key trends in mobile app development that will leave a lasting impact on many industries in the post-COVID world.
Emerging Technology Trends in the Post-COVID WorldVincent Lau
Decades of digital transformation has been accelerated by the pandemic to mere months. While many industries have been disrupted and jobs lost, the impending green recovery will bring about new job opportunities fueled by emerging technologies. Therefore, it is critical that ICT professionals start preparing themselves for the jobs of the future, especially in key areas of Industry 4.0, such as smart manufacturing, smart energy grids, smart building infrastructure, smart retail, and e-mobility. The emphasis on lifelong learning will help better position oneself to make a meaningful impact on today’s society.
Redefining Literacy in a Technologically Advanced WorldVincent Lau
The UNESCO definition of literacy is the ability to identify, understand, interpret, create, communicate and compute, but we have long equated literacy to just one's ability to read and write. In this modern age where global literacy rate is at an all-time high of more than 80%, the relevancy of literacy as we know it, is being challenged.
After taking a brief look at the historical milestones of literacy, we explore the different types of literacy identified in modern times, and how it gave rise to the increasingly popular rhetoric that coding is the new literacy. With this in mind, we examine the impact it will have on education and various industries, before taking a peek at what the future will bring.
Learning New Skills for the Digital AgeVincent Lau
Digital transformation is happening everywhere. The rapid speed of technological changes such as digitalisation, automation AI is resulting in skills obsolence and demand for new skill sets at a faster pace than ever before. It is critical that ICT professionals understand what skills they need to ride on the digitalisation wave and start up-skilling, learn and grow themselves to transit to the future job. How you prepare and position yourself for the future could make a great difference.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
2. Copyright 2018 Vincent Lau
Agenda
Introduction (slide 3)
● What is Serverless or FaaS
● IaaS vs CaaS vs PaaS vs FaaS
● How is Serverless Used
● Examples of Serverless Architecture for IoT & AI
Security Impact of Going Serverless (slide 10)
● Change in the Shared Responsibility Model
● From Denial-of-Service to Denial-of-Wallet
● Increased Attack Surface & System Complexity
Top 10 Serverless Security Risks & How to Mitigate Them (slide 14)
3. Introduction: What is Serverless or FaaS?
Apps where server-side logic written by the app developer is running in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party (e.g. AWS Lambda).
It is also known as “Functions as a Service” or “FaaS”.
4. Introduction: Top FaaS Providers
Others
● IBM OpenWhisk
● Alibaba Function Compute
● Iron Functions
● Auth0 Webtask
● Oracle Fn Project
● Kubeless
5. Introduction: Top Serverless Frameworks
Serverless Framework (Languages)
● Serverless Framework (Javascript, Python, Golang)
● Apex (Javascript)
● ClaudiaJS (Javascript)
● Sparta (Golang)
● Gordon (Javascript)
● Zappa (Python)
● Up (Javascript, Python, Golang, Crystal)
6. Introduction
https://medium.com/@nnilesh7756/what-are-cloud-computing-services-iaas-caas-paas-faas-saas-ac0f6022d36e
7. Introduction: How is Serverless Used
Occasional Requests
• If a server app only processes one request per minute
• It will take 50ms to process each request
• So the CPU usage over an hour is 0.1%
• If this app is deployed to its own dedicated host, it would be very inefficient
Inconsistent Traffic
• If your traffic profile is very spiky
  ○ baseline traffic is 20 requests/second
  ○ but every 5 minutes you receive 200 requests/second for 10 seconds
• Auto-scaling is not a good option; by the time your new instances have spun up, the spike phase will be over.
Costs
Horizontal scaling is completely automatic, elastic, and managed by the provider, but the biggest benefit is that you only pay for the compute that you need.
https://martinfowler.com/articles/serverless.html#FaasScaling
8. Introduction: Serverless Architecture of IoT
Jogging Lap Counter
● The IoT button is connected to a local wifi network or a mobile hotspot.
● Button can record different types of presses:
  ○ Single click – add a lap
  ○ Double click – reset the counter
  ○ Long press – reset the counter
● A DynamoDB table counts the number of laps per button.
https://www.thinkahead.com/blog/using-aws-iot-running-buddy/
9. Introduction: Serverless Architecture of AI
https://chatbotsmagazine.com/a-serverless-event-driven-architecture-for-chatbots-3095eb40cbb7
10. Security Impact of Going Serverless: Change in the Shared Responsibility Model
https://aws.amazon.com/compliance/shared-responsibility-model/
11. Security Impact of Going Serverless: From Denial-of-Service to Denial-of-Wallet
A serverless platform would just scale to continue handling all the requests it needed to, and would be near impossible to DDoS.
BUT… Somebody still has to pay!
Even with the microbilling structure of FaaS, being hit with a few thousand requests per second will still give you a hefty bill.
Hence, this is now known as a Denial of Wallet attack.
DoS (usually malicious) is an interruption in an authorized user's access to a cloud service. It is often accomplished by flooding the target with traffic, or by sending it information that triggers a crash.
12. Security Impact of Going Serverless: Increased Attack Surface
Serverless functions consume data from multiple event sources:
● HTTP APIs
● message queues
● cloud storage
● IoT device communications
The attack surface includes protocols and complex message structures, which are hard to inspect with a typical web application firewall.
The attack surface is complex, and the architecture is relatively new to developers, hence the chances of misconfiguration are very high.
13. Security Impact of Going Serverless: Overall System Complexity
Apps developed with serverless architecture are:
● Difficult to visualize and monitor
● Difficult to run automated security scans against
● Difficult to test locally
Units of integration with FaaS are a lot smaller than with other architectures, resulting in a higher reliance on integration testing.
FaaS also takes DevOps out of the picture!
14. Security Impact of Going Serverless: Top 10 Serverless Security Risks & How to Mitigate Them
Function Event Data Injection
• Occurs when untrusted input is passed directly to an interpreter and gets executed or evaluated
• Multiple event sources increase the potential attack surface and introduce complexities
• E.g. cloud storage events, stream processing events, message queue events
Broken Authentication
• Serverless apps architected in a microservices-like system design often contain many distinct functions, each with its own purpose
• Some may expose public web APIs, while others may serve as a proxy to different functions or processes
• E.g. exposing an unauthenticated entry point via an S3 bucket with public access
https://dzone.com/articles/top-10-security-risks-in-serverless
15. Security Impact of Going Serverless: Top 10 Serverless Security Risks & How to Mitigate Them
Insecure Serverless Deployment Configuration
• Serverless architecture is relatively new, so the probability of misconfiguring critical configuration settings is quite high
• Make functions stateless while designing serverless architectures
• Do not expose sensitive data to any unauthorized personnel
Over-Privileged Function Permissions and Roles
• Follow the principle of “Least Privilege”: functions should only be given the privileges necessary to perform the intended logic
• Over-privileging a function could end up being abused to perform unintended operations, such as “Executing System Functions”
16. Security Impact of Going Serverless: Top 10 Serverless Security Risks & How to Mitigate Them
Inadequate Function Monitoring and Logging
• To achieve adequate real-time security event monitoring with a proper audit trail:
  ○ Collect real-time logs from different functions and cloud services
  ○ Push these logs to a remote security information and event management (SIEM) system
Insecure 3rd Party Dependencies
• Serverless functions typically depend on 3rd party software packages and open source libraries, and consume 3rd party remote web services through API calls
• Review 3rd party dependencies before importing their code, as they could be vulnerable and make the serverless application susceptible to cyber attacks
17. Security Impact of Going Serverless: Top 10 Serverless Security Risks & How to Mitigate Them
Insecure Application Secrets Storage
• Need for storing and maintaining app secrets such as:
  ○ API keys
  ○ Database credentials
  ○ Encryption keys
  ○ Sensitive configuration settings
• Encrypt environment variables and don’t store plaintext secrets (e.g. use AWS Key Management Service)
Denial of Service and Financial Resource Exhaustion (a.k.a. Denial of Wallet)
• Define execution limits:
  ○ Per-execution memory allocation
  ○ Per-execution ephemeral disk capacity
  ○ Per-execution number of processes and threads
  ○ Maximum execution duration per function
  ○ Maximum payload size
  ○ Per-account concurrent execution limit
  ○ Per-function concurrent execution limit
• Use an API Management Gateway
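As an added example (not from the deck), here is a pre-deployment check over a constructed AWS SAM template that covers the over-privileged roles item from slide 15 together with this slide's secrets-storage and execution-limit items; the function names, table ARN, account id and Secrets Manager path are constructed placeholders.

```python
"""Added example (not from the deck): a small pre-deployment check that flags
over-privileged roles, missing execution limits and plaintext secrets in an
AWS SAM template. The template below is constructed for this example; the
account id, table ARN and Secrets Manager path are placeholders."""
import re

# Constructed SAM template as a Python dict (what yaml.safe_load would return).
TEMPLATE = {
    "Resources": {
        # Weak: wildcard permissions, no limits, secret pasted into the env.
        "LapCounterWeak": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "app.handler",
                "Runtime": "python3.12",
                "Policies": [{"Statement": [
                    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
                "Environment": {"Variables": {
                    "TABLE_NAME": "laps",
                    "API_SECRET_KEY": "hunter2-constructed-sample"}},
            },
        },
        # Hardened: one table, one action set, limits set, secret resolved at deploy.
        "LapCounter": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "app.handler",
                "Runtime": "python3.12",
                "Timeout": 5,
                "MemorySize": 128,
                "ReservedConcurrentExecutions": 20,
                "Policies": [{"Statement": [
                    {"Effect": "Allow",
                     "Action": ["dynamodb:UpdateItem", "dynamodb:GetItem"],
                     "Resource": "arn:aws:dynamodb:ap-southeast-1:123456789012:table/laps"}]}],
                "Environment": {"Variables": {
                    "TABLE_NAME": "laps",
                    "API_SECRET_KEY": "{{resolve:secretsmanager:lapcounter/api:SecretString:key}}"}},
            },
        },
    }
}

# Denial-of-wallet caps every function should carry (duration, memory, concurrency).
REQUIRED_LIMITS = ("Timeout", "MemorySize", "ReservedConcurrentExecutions")
# Variable names that usually hold secrets, and the dynamic-reference syntax
# CloudFormation uses to pull a value from Secrets Manager / SSM at deploy time.
SECRET_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY|API_KEY)", re.I)
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_function(name, props):
    """Return a list of (severity, message) findings for one function."""
    findings = []
    # 1. Over-privileged role: any Allow statement with a wildcard action or resource.
    for policy in props.get("Policies", []):
        if not isinstance(policy, dict):
            continue  # managed policy names / SAM policy templates not inspected here
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(("HIGH", f"{name}: wildcard Action {actions}"))
            if "*" in resources:
                findings.append(("HIGH", f"{name}: Resource '*' grants access to every ARN"))
    # 2. Missing execution limits.
    for limit in REQUIRED_LIMITS:
        if limit not in props:
            findings.append(("MEDIUM", f"{name}: {limit} not set"))
    # 3. Secrets stored as plaintext environment variables.
    for key, value in props.get("Environment", {}).get("Variables", {}).items():
        if SECRET_NAME.search(key) and isinstance(value, str) and not DYNAMIC_REF.match(value):
            findings.append(("HIGH", f"{name}: {key} looks like a plaintext secret"))
    return findings


def check_template(template):
    """Run check_function over every serverless function in the template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::Serverless::Function":
            findings.extend(check_function(name, res.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for severity, message in check_template(TEMPLATE):
        print(f"[{severity}] {message}")
```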
18. Security Impact of Going Serverless: Top 10 Serverless Security Risks & How to Mitigate Them
Functions Execution Flow Manipulation
• Functions are chained; invoking a specific function may invoke another function, so the order of invocation is critical for achieving the desired logic
• Manipulating an application's flow can help an attacker subvert the application logic: bypassing access controls, elevating user privileges or even causing DoS
Improper Exception Handling and Verbose Error Messages
• Line-by-line debugging is more complicated and limited for serverless apps
• Verbose error messages, such as stack traces or syntax errors, expose the internal logic of the serverless function, revealing potential weaknesses, flaws, or sensitive data
• Developers must remember to clean up
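As an added example (not from the deck), here is a Python AWS Lambda handler covering the Function Event Data Injection item from slide 14 and this slide's exception-handling item; the `uploads/` key scheme and the ImageMagick `convert` step are assumptions made for the example.

```python
"""Added example (not from the deck): a Python AWS Lambda handler that treats
event data from every source as untrusted and answers failures without leaking
internals. The 'uploads/' key scheme and the ImageMagick convert step are
assumptions made for the example."""
import json
import logging
import re
import traceback
import uuid
from urllib.parse import unquote_plus

log = logging.getLogger(__name__)
log.setLevel(logging.INFO)

# Allow-list for object keys (hypothetical scheme): fixed prefix, a short name
# with no separators or shell metacharacters, and a known image extension.
SAFE_KEY = re.compile(r"uploads/[A-Za-z0-9_-]{1,64}\.(png|jpe?g)")


class InputRejected(ValueError):
    """Event data failed validation; mapped to an HTTP 400 by the handler."""


def vulnerable_command(key):
    """BEFORE: the key taken from the event is spliced into a shell command
    string, i.e. untrusted input handed straight to an interpreter. Returned
    rather than executed so the example runs offline."""
    return "convert /tmp/%s -resize 128x128 /tmp/thumb-%s" % (key, key)


def build_convert_argv(key):
    """AFTER: validate against the allow-list, then build an argv list meant
    for subprocess.run(argv) with no shell, so nothing in the key is parsed."""
    # fullmatch, not match: match() with '$' would still accept a trailing newline
    if not SAFE_KEY.fullmatch(key):
        raise InputRejected("object key rejected by allow-list")
    name = key.split("/", 1)[1]
    return ["convert", "/tmp/" + name, "-resize", "128x128", "/tmp/thumb-" + name]


def extract_keys(event):
    """Normalise the two supported event sources into a list of object keys."""
    if "Records" in event:  # S3 bucket notification: keys are URL-encoded
        return [unquote_plus(r["s3"]["object"]["key"]) for r in event["Records"]]
    if "body" in event:  # API Gateway proxy integration: body is a JSON string
        try:
            payload = json.loads(event["body"] or "{}")
        except ValueError as exc:
            raise InputRejected("body is not valid JSON") from exc
        if not isinstance(payload, dict) or not isinstance(payload.get("key"), str):
            raise InputRejected("missing 'key' in request body")
        return [payload["key"]]
    raise InputRejected("unsupported event source")


def handler(event, context=None):
    """Lambda entry point. Every path returns a response carrying a request id
    that operators can use to find the full log entry in CloudWatch."""
    request_id = getattr(context, "aws_request_id", None) or str(uuid.uuid4())
    try:
        argvs = [build_convert_argv(k) for k in extract_keys(event)]
        body = {"ok": True, "commands": argvs, "requestId": request_id}
        return {"statusCode": 200, "body": json.dumps(body)}
    except InputRejected as exc:
        # Validation failures are logged in full but answered generically.
        log.warning("%s rejected input: %s", request_id, exc)
        return {"statusCode": 400,
                "body": json.dumps({"error": "invalid input", "requestId": request_id})}
    except Exception:  # last-resort catch so no stack trace reaches the caller
        log.error("%s unhandled error\n%s", request_id, traceback.format_exc())
        return {"statusCode": 500,
                "body": json.dumps({"error": "internal error", "requestId": request_id})}


# Constructed sample events following the S3 notification and API Gateway shapes.
GOOD_S3_EVENT = {"Records": [{"s3": {"object": {"key": "uploads/run%2D42.png"}}}]}
BAD_S3_EVENT = {"Records": [{"s3": {"object": {"key": "uploads/a.png%3B+echo+hi"}}}]}
API_EVENT = {"body": json.dumps({"key": "uploads/lap.jpg"})}
MALFORMED_EVENT = {"Records": [{"eventSource": "aws:sqs"}]}  # record has no 's3' member

if __name__ == "__main__":
    for label, ev in [("good s3", GOOD_S3_EVENT), ("bad s3", BAD_S3_EVENT),
                      ("api", API_EVENT), ("malformed", MALFORMED_EVENT)]:
        print(label, handler(ev))
```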
19. Q & A
Thank you
Let’s connect via http://sg.linkedin.com/in/vincentktlau