Protecting serverless is a new topic. This presentation aims at showing what new security challenges it brings, and how CISO and security teams should approach it.
The serverless space evolves fast and there is no convergence on best practices yet. The switch to a serverless architecture involves several changes, for instance developers doing much more ops with serverless, deploying 20 times more services than previously...
8. Ad-hoc usage: easier to deploy
Dynamically configure cloud elements, transform data on the go, comply to
cloud vendors requirements.
Teams use it to circumvent processes / CI / deploy.
Native serverless applications
Build applications designed for serverless infrastructures.
10. Dev Sec
Ops
Dev Sec
Ops
Dev Sec
Ops
Serverless forces bridging dev, sec & ops
Monolithic app Microservices Serverless
11. What “serverless” means is moving too fast
Edge serverless, ad-hoc, infra
Scale is different (1 monolithic app → 5 micro services → 100 serverless functions)
No tool allows to visualize all of your lambas at once (and the spreadsheet doesn’t work for
this scale and pace!)
The space didn’t reach maturity yet:
● No commonly accepted best practices, but a broad variety of best practices
● Evolving fast
15. Use infrastructure as code (Terraform, Cloud Formation, …)
Shift your infrastructure left
● With serverless, a part of the business logic is handled by the infrastructure
● Serverless app developers own both the code and a part of the infrastructure
Use principle of least privilege for your lambdas (but with reasonable granularity!)
Monitor your costs (and be ready to block abuses)
* Network, encryption, mutual authentication is
mostly ensured by proper cloud services usage.
But is much simpler than for microservices*
16. Keep best practices
Injections
Vulnerable dependencies
Lack of monitoring
AuthN / AuthZ issues
OWASP top 10
Scalability & coherency
Design strong functions
frameworks
(CI, deployment, logging
frameworks, …)
NEW
17. New functions appear and disappear at a highest rate than ever
Leverage developer’s tools as much as possible to:
● Monitor security controls are applied
● Monitor the permissions used
● Ensure production doesn’t drift vs IaC
IaC / Terraform make
it easy to inspect
IaC / Terraform allows to apply static
control (and break CI if needed)
Cloud APIs allow to dynamically list
and inspect running containers
18. ● Maintain the OWASP top 10
● Adopt a strong cloud security posture
● Generalize principle of least privilege
● Generalize IaC (Terraform, ...)
● Leverage cloud APIs to automate
controls and monitoring
● Monitor serverless cost
● Ensure coherency amongst functions
deployments
OWASP top 10
Cloud security posture
Serverless cost monitoring
Unified deployments
19. Use Serverless framework or Terraform
● With safe, relevant examples
● Coupled with CI
Provide relevant & safe code examples
● Using ORM / validation / log / …
● Coupled with CI
Prepare provisioning for:
● A working deployment
● CI job to deploy & run linting / static analysers
Document how to deploy secrets
Git repositories best practices:
● Mandatory pull requests
● Require a CODEOWNERS file
● Lock master
20. Complexity shifts to the
infrastructure
Serverless = different kind
of ops - not no ops!
Some risks occur 20 times
more
● Serverless shifts complexity from application code to
the infrastructure.
● Serverless doesn’t mean no ops but:
● Different kind of ops are done by different personas
● Ops are much simpler compared to microservices
(mTLS, peer to peer, etc.)
● Some security risks occur more (20 times more!),
some new ones appear, and a few ones disappear.
● Cloud security takes a much more important stance.
● Scaling development practices (CI, CD, frameworks,
BoM) becomes a requirement
Cloud security is more
important than ever
Scaling best practices
becomes a necessity
21.
22. CSA - The 12 Most Critical Risks for
Serverless Applications
OWASP top 10
OWASP serverless top 10
Serverless framework
Terraform, CloudFormation
CODEOWNERS (Github, Gitlab)
AppSec Builders podcast
Or get in touch / ask me directly:
Email: jb@sqreen.io
Twitter: @jbaviat
Podcast: