securing serverless by breaking in
play

Securing Serverless - By Breaking In Guy Podjarny, Snyk @guypod - PowerPoint PPT Presentation

May 27, 2023 •45 likes •345 views

Securing Serverless - By Breaking In Guy Podjarny, Snyk @guypod snyk.io About Me Guy Podjarny, @guypod on Twitter CEO & Co-founder at Snyk History: Cyber Security part of Israel Defense Forces First Web App Firewall

  1. Securing Serverless - 
 By Breaking In Guy Podjarny, Snyk @guypod snyk.io

  2. About Me • Guy Podjarny, @guypod on Twitter • CEO & Co-founder at Snyk • History: Cyber Security part of Israel Defense Forces • First Web App Firewall (AppShield), Dynamic/Static Tester (AppScan) • Security : Worked in Sanctum -> Watchfire -> IBM • Performance : Founded Blaze -> CTO @Akamai • • O’Reilly author, speaker snyk.io

  3. Serverless Security: The Theory 
 (talk from ServerlessConf) https://www.infoq.com/articles/serverless-security https://www.youtube.com/watch?v=CiyUD_rI8D8 snyk.io

  4. Today - straight to practice! snyk.io

  5. Agenda • Show a demo serverless app • Hack it • Explain the security flaws and how to fix them • Summary • Q&A snyk.io

  6. Going Terminal… snyk.io

  7. Vulnerable Libraries snyk.io

  8. Example: Fetch file & store in s3 (Serverless Framework Example) 2 Direct dependencies 19 dependencies (incl. indirect) 191,155 Lines of Code 19 Lines of Code snyk.io

  9. snyk.io

  10. Serverless does secure 
 OS dependencies Just not app dependencies snyk.io

  11. 1. Beware Vulnerable Libraries 
 (test during dev, monitor over time) snyk.io

  12. Side Note: 
 Snyk isn’t only for Serverless snyk.io

  13. Denial of Service snyk.io

  14. 2. ReDoS can still be costly 
 (won’t take you down, but can hike up bill) snyk.io

  15. Beware 
 Resource Exhaustion Attacks Not all your services elastically scale snyk.io

  16. Secrets snyk.io

  17. 3. Avoid secrets in deployed code 
 (env variables aren’t enough - Use a KMS!) snyk.io

  18. Serverless platforms o ff er a 
 Key Management System Just use it! snyk.io

  19. Granularity snyk.io

  20. 4. Deploy granular functions 
 (shared function code = greater exposure) snyk.io

  21. Safer Easier AWS Security Policy Policy 1 Policy 2 Policy 3 snyk.io

  22. Permissions snyk.io

  23. 5. Use Granular Policies 
 (only allow each function its minimum permissions) snyk.io

  24. A function is a perimeter That needs to be secured Perimeter Perimeter Perimeter Perimeter Perimeter snyk.io

  25. Immutability snyk.io

  26. 6. Don’t rely on immutability 
 (Lambda - and others - reuse servers) snyk.io

  27. Serverless user is typically 
 Low Privilege Reducing impact substantially, but not eliminating it snyk.io

  28. 7. Worry about all functions 
 (Every available function increases your attack surface) snyk.io

  29. Security in Serverless Better Neutral Worse Vulnerable OS Dependencies Permissions Third Party Services Denial of Service Securing Data at rest Attack Surface Long-lived Compromised Vulnerabilities in your code Security Monitoring Servers Vulnerable App Dependencies snyk.io

  30. Serverless is defined now. 
 Let’s build Security in. Thank You! More to come: 
 Microservices Panel, Mon, 5:25pm 
 Serverless AMA, Wed, 2:55pm Guy Podjarny, Snyk @guypod snyk.io

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Securing Serverless and Container Services Marc Schrter AWS DevOps Engineer @ globaldatanet

Securing Serverless and Container Services Marc Schrter AWS DevOps Engineer @ globaldatanet

Securing Serverless and Container Services Marc Schrter AWS DevOps Engineer @ globaldatanet Community Day 2019 Sponsors Serverless DevOps Automation Continuous Delivery Highly scalable and Infrastructure as Code fault-tolerant solutions

410 views • 40 slides
Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

www.securing.pl Pawel Rzepa Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in - Pentesting - Cloud security assessment Blog: https://medium.com/@rzepsky @Rzepsky

1.1k views • 63 slides
Serverless On Your Own Terms Using Knative Context Serverless more than Function Serverless

Serverless On Your Own Terms Using Knative Context Serverless more than Function Serverless

Serverless at Google @mchmarny Serverless On Your Own Terms Using Knative Context Serverless more than Function Serverless Models Operator No Infra Management Managed Security Pay only for usage Developer Service-based Event-driven Open

1.06k views • 51 slides
How Serverless Changes the IT Department Paul Johnston Opinionated Serverless Person

How Serverless Changes the IT Department Paul Johnston Opinionated Serverless Person

How Serverless Changes the IT Department Paul Johnston Opinionated Serverless Person Serverless all the things Medium/Twitter: @PaulDJohnston Velocify Conf London 2018 Paul Johnston Experienced Interim CTO and Serverless Consultant

1.11k views • 63 slides
Serverless Gardens IoT + Serverless johncmckim.me twitter.com/@johncmckim

Serverless Gardens IoT + Serverless johncmckim.me twitter.com/@johncmckim

Serverless Gardens IoT + Serverless johncmckim.me twitter.com/@johncmckim medium.com/@johncmckim John McKim Software Engineer at A Cloud Guru Contribute to Serverless Framework @johncmckim https://acloud.guru Serverless Framework

814 views • 50 slides
Databases Gone Serverless Alkin Tezuysal (@ask_dba) Sr. Technical Manager, Percona Who am I?

Databases Gone Serverless Alkin Tezuysal (@ask_dba) Sr. Technical Manager, Percona Who am I?

Databases Gone Serverless Alkin Tezuysal (@ask_dba) Sr. Technical Manager, Percona Who am I? @ask_dba 2 Agenda Serverless Architectures Serverless Solutions in Database World Wheres Serverless technology going? 3 What does

796 views • 20 slides
Kotlin Serverless Framework Vladislav Tankov What is serverless? cloud-computing execution model

Kotlin Serverless Framework Vladislav Tankov What is serverless? cloud-computing execution model

Kotlin Serverless Framework Vladislav Tankov What is serverless? cloud-computing execution model , in which the cloud provider runs the server and dynamically manages the allocation of machine resources Wikipedia How are serverless

995 views • 46 slides
Serverless in the Wild: Characterizing and Optimizing the Serverless Workload at a Large Cloud

Serverless in the Wild: Characterizing and Optimizing the Serverless Workload at a Large Cloud

Serverless in the Wild: Characterizing and Optimizing the Serverless Workload at a Large Cloud Provider Mohammad Shahrad , Rodrigo Fonseca , igo Goiri, Gohar Chaudhry, Paul Batum, Jason Cooke, Eduardo Laureano, Colby Tresness, Mark

2.05k views • 39 slides
FaaS You Like It! @ewanslater Serverless CNCF Definition Serverless computing refers to

FaaS You Like It! @ewanslater Serverless CNCF Definition Serverless computing refers to

FaaS You Like It! @ewanslater Serverless CNCF Definition Serverless computing refers to the concept of building and running applications that do not require server management . It describes a finer-grained deployment model where

613 views • 45 slides
Lunch and Learn John McKim @johncmckim Software Engineer A Cloud Guru Serverless Framework

Lunch and Learn John McKim @johncmckim Software Engineer A Cloud Guru Serverless Framework

Lunch and Learn John McKim @johncmckim Software Engineer A Cloud Guru Serverless Framework Contributor Serverless Framework https://serverless.com What is Serverless? Functions as a Service Properties of FaaS Services Function as unit of

570 views • 12 slides
The Hitchhikers Guide to Serverless JavaScript Steve Faulkner @southpolesteve

The Hitchhikers Guide to Serverless JavaScript Steve Faulkner @southpolesteve

The Hitchhikers Guide to Serverless JavaScript Steve Faulkner @southpolesteve Director of Engineering Serverless Serverless there are still servers servers platforms! * as a Service Database-aaS Caching-aaS

1.12k views • 87 slides
Catalyst Ubers Serverless Platform Shawn Burke - Staff Engineer Uber Seattle Why Serverless?

Catalyst Ubers Serverless Platform Shawn Burke - Staff Engineer Uber Seattle Why Serverless?

Catalyst Ubers Serverless Platform Shawn Burke - Staff Engineer Uber Seattle Why Serverless? Complexity! Microservices, Languages, Client Libs, Tools Product teams have basic infrastructure needs Stable, consistent app

372 views • 15 slides
Stateful Serverless Sean Walsh @SeanWalshEsq We predict that Serverless Computing will grow

Stateful Serverless Sean Walsh @SeanWalshEsq We predict that Serverless Computing will grow

Towards Stateful Serverless Sean Walsh @SeanWalshEsq We predict that Serverless Computing will grow to dominate the future of Cloud Computing. - Berkeley CS Department Cloud computing simplified: a Berkeley view on serverless computing

748 views • 40 slides
F AASM : Lightweight Isolation for Efficient Stateful Serverless Computing Simon Shillaker and

F AASM : Lightweight Isolation for Efficient Stateful Serverless Computing Simon Shillaker and

F AASM : Lightweight Isolation for Efficient Stateful Serverless Computing Simon Shillaker and Peter Pietzuch Large-scale Data and Systems Group, Imperial College London Serverless Big Data Vision Serverless functions Application Big data

431 views • 30 slides
Serverless Boom or Bust? An Analysis of Economic Incentives Xiayue Charles Lin, Joseph E.

Serverless Boom or Bust? An Analysis of Economic Incentives Xiayue Charles Lin, Joseph E.

Serverless Boom or Bust? An Analysis of Economic Incentives Xiayue Charles Lin, Joseph E. Gonzalez, Joseph M. Hellerstein UC Berkeley HotCloud 2020 Monday, July 13 An Economic Model for Serverless Serverless: pay for consumption instead of

160 views • 14 slides
cloudstate.io serverless 2.0 with cloudstate Sean Walsh | Field CTO and Cloud Evangelist @

cloudstate.io serverless 2.0 with cloudstate Sean Walsh | Field CTO and Cloud Evangelist @

cloudstate.io serverless 2.0 with cloudstate Sean Walsh | Field CTO and Cloud Evangelist @ Lightbend We predict that serverless computing will grow to dominate the future of cloud computing. Berkely CS Department why serverless 2.0?

701 views • 38 slides
Compressible viscoplastic models for granular flows Duc Nguyen 1 1 LAMA, Universit de

Compressible viscoplastic models for granular flows Duc Nguyen 1 1 LAMA, Universit de

Compressible viscoplastic models for granular flows Duc Nguyen 1 1 LAMA, Universit de Marne-la-Valle CEMRACS 2019 Marseille, August 14, 2019. Duc Nguyen CEMRACS 2019 1 / 13 Mathematical model stress tensor : matrix symmetric n n

258 views • 13 slides
GRAVITATIONAL WAVES DETECTORS Fulvio Ricci Dipartimento di Fisica, Universit di Roma Sapienza

GRAVITATIONAL WAVES DETECTORS Fulvio Ricci Dipartimento di Fisica, Universit di Roma Sapienza

GRAVITATIONAL WAVES DETECTORS Fulvio Ricci Dipartimento di Fisica, Universit di Roma Sapienza & INFN Sezione di Roma The Spectrum of Gravitational Waves Wave periods and Wavelength milliseconds --- tens [km] hours --- tens of

772 views • 63 slides
Proposal: the 2 nd Hyper-K detector in Korea Sunny (Seon-Hee) Seo Seoul

Proposal: the 2 nd Hyper-K detector in Korea Sunny (Seon-Hee) Seo Seoul

Proposal: the 2 nd Hyper-K detector in Korea Sunny (Seon-Hee) Seo Seoul Na/onal University 1 st T2HKK Workshop Nov. 21st 2016, Seoul The first 3 minutes of T2HKK March 20 th 2016,

550 views • 29 slides
CRCP Reinforcement CRCP Source: WSDOT Pavement Guide Interactive CD-ROM CRCP Reinforcement

CRCP Reinforcement CRCP Source: WSDOT Pavement Guide Interactive CD-ROM CRCP Reinforcement

CRCP Reinforcement CRCP Source: WSDOT Pavement Guide Interactive CD-ROM CRCP Reinforcement Design Variables Slab thickness, D (in) Slab width, W s (in) Modulus of subgrade reaction, k eff (psi/in) Design temperature drop, T d

349 views • 32 slides
Week 6 Video 3 Visualization Scatterplots Heat Maps Parameter Space Maps Scatterplots (Scatter

Week 6 Video 3 Visualization Scatterplots Heat Maps Parameter Space Maps Scatterplots (Scatter

Week 6 Video 3 Visualization Scatterplots Heat Maps Parameter Space Maps Scatterplots (Scatter Plots) A classic type of visualization 1.4 1.2 1 0.8 0.6 0.4 0.2 0 0 0.2 0.4 0.6 0.8 1 1.2 1.4 Many say Always look at a

194 views • 15 slides
11 Fuzzy Rule-Based Models Fuzzy Systems Engineering Toward Human-Centric Computing Contents

11 Fuzzy Rule-Based Models Fuzzy Systems Engineering Toward Human-Centric Computing Contents

11 Fuzzy Rule-Based Models Fuzzy Systems Engineering Toward Human-Centric Computing Contents 11.1 Fuzzy rules as a vehicle of knowledge representation 11.2 General categories of fuzzy rules and their semantics 11.3 Syntax of fuzzy rules 11.4

1.62k views • 111 slides
Kokkos: Performance Portability and Photos placed in horizontal position with even amount

Kokkos: Performance Portability and Photos placed in horizontal position with even amount

Kokkos: Performance Portability and Photos placed in horizontal position with even amount Productivity for C++ Applications of white space between photos and header Performance Portability in Photos placed in horizontal Extreme Scale

265 views • 12 slides
Gastrointestinal Lymphomas EATL, MALT, and beyond Maria A. Pletneva, MD, PhD Lymphoma in GI tract

Gastrointestinal Lymphomas EATL, MALT, and beyond Maria A. Pletneva, MD, PhD Lymphoma in GI tract

Gastrointestinal Lymphomas EATL, MALT, and beyond Maria A. Pletneva, MD, PhD Lymphoma in GI tract Uncommon compared to GI epithelial neoplasms 20% of all lymphomas occur in the GI tract B cell lymphomas are far more common than T

693 views • 29 slides

More recommend