Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2HlRF8r. Guy Podjarny breaks into a vulnerable serverless application and exploits multiple weaknesses, helping understand the mistakes that can be made, their implications, and how to avoid them. Filmed at qconlondon.com. Guy Podjarny is a cofounder at Snyk.io, focusing on open source and cloud security. He was previously CTO at Akamai following their acquisition of his startup, Blaze.io, and worked on the first web app firewall & security code analyzer. He is a frequent conference speaker, the author of "Responsive & Fast”, “High Performance Images” and the upcoming “Securing Open Source Code”.

1. snyk.io
Securing Serverless -
By Breaking In
Guy Podjarny, Snyk
@guypod

2. InfoQ.com: News & Community Site
Watch the video with slide
synchronization on InfoQ.com!
https://www.infoq.com/presentations/
serverless-security-2018
• Over 1,000,000 software developers, architects and CTOs read the site world-
wide every month
• 250,000 senior developers subscribe to our weekly newsletter
• Published in 4 languages (English, Chinese, Japanese and Brazilian
Portuguese)
• Post content from our QCon conferences
• 2 dedicated podcast channels: The InfoQ Podcast, with a focus on
Architecture and The Engineering Culture Podcast, with a focus on building
• 96 deep dives on innovative topics packed as downloadable emags and
minibooks
• Over 40 new content items per week

3. Purpose of QCon
- to empower software development by facilitating the spread of
knowledge and innovation
Strategy
- practitioner-driven conference designed for YOU: influencers of
change and innovation in your teams
- speakers and topics driving the evolution and innovation
- connecting and catalyzing the influencers and innovators
Highlights
- attended by more than 12,000 delegates since 2007
- held in 9 cities worldwide
Presented at QCon London
www.qconlondon.com

4. snyk.io
About Me
• Guy Podjarny, @guypod on Twitter
• CEO & Co-founder at Snyk
• History:
• Cyber Security part of Israel Defense Forces
• First Web App Firewall(AppShield), Dynamic/Static Tester(AppScan)
• Security: Worked in Sanctum -> Watchfire -> IBM
• Performance: Founded Blaze -> CTO @Akamai
• O’Reilly author, speaker

5. snyk.io
Serverless Security: The Theory
(talk from ServerlessConf)
https://www.youtube.com/watch?v=CiyUD_rI8D8
https://www.infoq.com/articles/serverless-security

6. snyk.io
Today - straight to practice!

7. snyk.io
Agenda
• Show a demo serverless app
• Hack it
• Explain the security flaws and how to fix them
• Summary
• Q&A

8. snyk.io
Going Terminal…

9. snyk.io
Vulnerable Libraries

10. snyk.io
Example: Fetch file & store in s3
(Serverless Framework Example)
19 Lines of Code
2 Direct dependencies
19 dependencies(incl. indirect)
191,155 Lines of Code

11. snyk.io

12. snyk.io
Serverless does secure
OS dependencies
Just not app dependencies

13. snyk.io
1. Beware Vulnerable Libraries
(test during dev, monitor over time)

14. snyk.io
Side Note:
Snyk isn’t only for Serverless

15. snyk.io
Denial of Service

16. snyk.io
2. ReDoS can still be costly
(won’t take you down, but can hike up bill)

17. snyk.io
Beware
Resource Exhaustion Attacks
Not all your services elastically scale

18. snyk.io
Secrets

19. snyk.io
3. Avoid secrets in deployed code
(env variables aren’t enough - Use a KMS!)

20. snyk.io
Serverless platforms offer a
Key Management System
Just use it!

21. snyk.io
Granularity

22. snyk.io
4. Deploy granular functions
(shared function code = greater exposure)

23. snyk.io
AWS Security Policy
Easier
Policy 3Policy 2
Policy 1
Safer

24. snyk.io
Permissions

25. snyk.io
5. Use Granular Policies
(only allow each function its minimum permissions)

26. snyk.io
A function is a perimeter
That needs to be secured
Perimeter Perimeter
Perimeter
Perimeter
Perimeter

27. snyk.io
Immutability

28. snyk.io
6. Don’t rely on immutability
(Lambda - and others - reuse servers)

29. snyk.io
Serverless user is typically
Low Privilege
Reducing impact substantially, but not eliminating it

30. snyk.io
7. Worry about all functions
(Every available function increases your attack surface)

31. snyk.io
Security in Serverless
Vulnerabilities in your code
Vulnerable App Dependencies
Permissions
Securing Data at rest
Vulnerable OS Dependencies
Denial of Service
Long-lived Compromised
Servers
Third Party Services
Attack Surface
Security Monitoring
Better Neutral Worse

32. snyk.io
Serverless is defined now.
Let’s build Security in.
Thank You!
Guy Podjarny, Snyk
@guypod
More to come:
Microservices Panel, Mon, 5:25pm
Serverless AMA, Wed, 2:55pm

33. Watch the video with slide
synchronization on InfoQ.com!
https://www.infoq.com/presentations/
serverless-security-2018