Serverless and the Way Forward

November 15, 2016
Serverless and the Way Forward
James Wickett // @wickett

November 15, 2016@WICKETT
JAMES WICKETT
๏ Head of Research at Signal
Sciences
๏ Author at Lynda/LinkedIn Training
for DevOps Fundamentals course
releasing in the next week!
๏ Blogger at theagileadmin.com and
labs.signalsciences.com

DEVOPS ROADMAP
FOR SECURITY
http://info.signalsciences.com/book

๏ Web App Firewall for modern workloads
๏ Cloud-native and devops friendly
๏ Answer the questions: Am I being attacked
right now? Are attackers becoming
successful?
๏ We are hiring (Golang, appsec, devops)
@WICKETT

CONCLUSION
๏ Serverless encourages functions as deploy
units, coupled with third party services
that allow running end-to-end applications
without worrying about system operation.
๏ New serverless patterns are just emerging
๏ Security with serverless is easier
๏ Security with serverless is harder

CONCLUSION (2)
๏ Four key areas apply to serverless security
๏ Software Supply Chain Security
๏ Delivery Pipeline Security
๏ Data Flow Security
๏ Attack Detection

WHAT IS
SERVERLESS?

MISCONCEPTIONS

IT’S MARKETING
(CLOUD REBRANDED)

SERVERLESS ==
NO SERVERS

SERVERLESS ==
CLOUD

SERVERLESS ==
BACKEND AS A
SERVICE

SERVERLESS ==
PLATFORM AS A
SERVICE

SO, WHAT IS
SERVERLESS?

http://martinfowler.com/articles/serverless.html

@MIKEBROBERTS

Serverless was first used
to describe applications
that significantly or fully
depend on 3rd party
applications / services (‘in
the cloud’) to manage
server-side logic and
state.

Serverless can also mean
applications where some amount
of server-side logic is still written
by the application developer but
unlike traditional architectures is
run in stateless compute
containers that are event-
triggered, ephemeral (may only
last for one invocation), and fully
managed by a 3rd party.

HISTORY OF SERVERLESS
๏ 2012 - used to describe BaaS and Continuous Integration
services run by third parties
๏ Late 2014 - AWS launched Lambda
๏ July 2015 - AWS launched API Gateway
๏ October 2015 - AWS re:Invent - The Serverless company
using AWS Lambda
๏ 2015 to present - Frameworks forming
๏ 2016 - Serverless Conference
http://www.slideshare.net/AmazonWebServices/arc308-
the-serverless-company-using-aws-lambda

Client
Server
Database
Proxy/LB
Server
Server

Client
Auth Service API Gateway
Database
Service
Function A
Function B
Web Delivery

WHAT CAN WE SAY
IS SERVERLESS?

SERVERLESS IS
FUNCTIONS AS A
SERVICE (FaaS)

BUT, BUT…
CONTAINERS!

CONTAINERS …
ON DEMAND

SERVERLESS IS
(NO MANAGEMENT OF)
SERVERS

SERVERLESS IS
SERVICEFULL

SERVERLESS IS AN
OPINIONATED FRAMEWORK
FOR COMPUTE

Serverless encourages
functions as deploy units,
coupled with third party
services that allow running
end-to-end applications
without worrying about
system operation.

A SHORT HISTORY
OF CLOUD

VIRTUALIZATION

“THE CLOUD”

DEVOPS

SaaS
PaaS
IaaS

PRIVATE CLOUD

THEN, ALONG
CAME CONTAINERS

CONTAINERS ARE
TEH HAWTNESS

LOTS OF EFFORT IN
CONTAINER
ORCHESTRATION

THE CLOUD WAS TO
VIRTUALIZATION AS
SERVERLESS WILL
BE TO CONTAINERS

IF YOU WANT TO LEAD YOUR
COMPANY BRAVELY INTO THE
NEW WORLD, YOU WOULD DO
WELL TO FOCUS LOT ON HOW
SERVERLESS WILL EVOLVE.
- @CLOUDOPINION
https://medium.com/@cloud_opinion/the-pattern-may-
repeat-26de1e8b489d

SO, WHAT ARE THE
UPSIDES?

SCALING BUILT IN

PAY FOR WHAT YOU
USE IN 100MS
INCREMENTS

WITH SERVERLESS
SYSTEM ADMINISTRATION
IS (MOSTLY) LOWER

SERVERLESS IS
IMPLICIT
MICROSERVICES

SHORT CIRCUITS OPS
AND MOVES
INFRASTRUCTURE
RUNTIME CLOSER TO
DEVS

YOU CAN SKIP
CHEFFING DOCKERING
ALL THE THINGS!

LEAN STARTUP
FRIENDLY

INCREASED
VELOCITY

GREAT, WHAT’S
THE CATCH?

OPS BURDEN TO
RATIONALIZE
SERVERLESS MODEL
(SPECIFICALLY DEPLOY)

MONITORING

LOGGING

STATELESS FOR REAL NO
MEMORY PERSISTENCE
ACROSS FUNCTION RUNS

VENDOR LOCK-IN

SECURITY

RELIABILITY

SERVERLESS USE
CASES

IMAGE RESIZING

QUEUE PROCESSING

RUN A WEB
APPLICATION

API GATEWAY

CI/CD

LICENSING

SECURITY IS THE
SAME AND DIFFERENT

EVERYTHING IS
HTTP(S)

WHAT USED TO BE
SYSTEM CALLS IS
NOW DISTRIBUTED
COMPUTING OVER
THE NETWORK

SERVERLESS SHIFTS
ATTACK SURFACE TO
THIRD PARTIES

LETS TRY A SAMPLE
APPLICATION IN AWS

๏ Golang!
๏ AWS Lambda supports bring your own
binary
๏ Sparta wraps your binary with node.js shim

OTHER OPTIONS
๏ Serverless Framework
๏ APEX
๏ Kappa

WORDY
๏ Analyzes textual
occurrences given a block
of text, returns JSON
count of words
๏ Calls API under the hood
to get text
๏ It is comprised of
Lambda, s3, API Gateway

go run main.go provision -s S3_BUCKET

WHAT I LEARNED
ABOUT SERVERLESS
SECURITY

FOUR AREAS OF
SERVERLESS SECURITY
๏ Secure Software Supply Chain
๏ Delivery Pipeline
๏ Data Flow Security
๏ Attack Detection

SURFACE AREA
REDUCTION!

SURFACE AREA
EXPANSION!

SSL / TLS FROM
THE PROVIDER

DNS!

LAMBDA + S3 +
KINESIS + DYNAMODB
+ CLOUDFORMATION +
API GATEWAY + AUTH0

USE A THIRD-PARTY
SERVICE FOR CONFIG
CHANGES

ACCESS CONTROL

DELIVERY PIPELINE
SECURITY

UNIT TESTING

INTEGRATION
TESTING

CONFIGURATION IS
PART OF DELIVERY

PROVIDER SECURITY
๏ Disable root access keys
๏ Manage users with profiles
๏ Secure your keys in your deploy system
๏ Secure keys in dev system
๏ Use provider MFA

SIMPLE DEPLOY
PIPELINE SECURITY
๏ Only dev keys can push to ‘dev’
๏ Only build/deploy system can push to pre-
prod
๏ Integration tests must pass in this env
๏ Security validation must take place
๏ Allow push to prod, only by deploy system

SECURITY INTEGRATION
TESTING
๏ BDD-Security - github.com/
continuumsecurity/bdd-security
๏ Gauntlt - gauntlt.org

http://www.slideshare.net/wickett/pragmatic-security-and-
rugged-devops-sxsw-2015

DATA FLOW
SECURITY
๏ Development
๏ Data Flow
Diagrams
๏ Threat modeling
๏ Runtime

Application layer
DoS

TIMEOUTS AND
EXECUTION
RESTRICTIONS

HTTP / HTTPS

ATTACK
DETECTION

DEVELOPMENT
๏ Normal OWASP tooling
๏ Language filtering and more

APPSEC PROBLEMS

DEFENSE
๏ Logging, emitting events
๏ Vandium (SQLi) wrapper
๏ Content Security Policy (CSP)
๏ More work needs to be done here…

LET’S TALK!
๏ james@signalsciences.com
๏ @wickett
๏ http://info.signalsciences.com/book

Serverless and the Way Forward

More Related Content

Viewers also liked

Similar to Serverless and the Way Forward

More from Sonatype

Recently uploaded

Serverless and the Way Forward