apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
Serverless security: how to protect what you don't see?
Jean Baptiste Aviat, Co-founder and CTO at Sqreen.io
8. Ad-hoc usage: easier to deploy
Dynamically configure cloud elements, transform data on the go, comply to
cloud vendors requirements.
Teams use it to circumvent processes / CI / deploy.
Native serverless applications
Build applications designed for serverless infrastructures.
10. Dev Sec
Ops
Dev Sec
Ops
Dev Sec
Ops
Serverless forces bridging dev, sec & ops
Monolithic app Microservices Serverless
11. What “serverless” means is moving too fast
Edge serverless, ad-hoc, infra
Scale is different (1 monolithic app → 5 micro services → 100 serverless functions)
No tool allows to visualize all of your lambas at once (and the spreadsheet doesn’t work for
this scale and pace!)
The space didn’t reach maturity yet:
● No commonly accepted best practices, but a broad variety of best practices
● Evolving fast
15. Use infrastructure as code (Terraform, cloud formation, …)
Shift your infrastructure left
● With serverless, a part of the business logic is handled by the infrastructure
● Serverless app developers own both the code and a part of the infrastructure
Use principle of least privilege for your lambdas (but with reasonable granularity!)
Monitor your costs (and be ready to block abuses)
* Network, encryption, mutual authentication is
mostly ensured by proper cloud services usage.
But is much simpler than for microservices*
16. Keep best practices
Injections
Vulnerable dependencies
Lack of monitoring
AuthN / AuthZ issues
OWASP top 10
Scalability & coherency
Design strong functions
frameworks
(CI, deployment, logging
frameworks, …)
NEW
17. New functions appear and disappear at a highest rate than ever
Leverage developer’s tools as much as possible to:
● Monitor security controls are applied
● Monitor the permissions used
● Ensure production doesn’t drift vs IaC
IaC / Terraform make
it easy to inspect
IaC / Terraform allows to apply static
control (and break CI if needed)
Cloud APIs allow to dynamically list
and inspect running containers
18. ● Maintain the OWASP top 10
● Adopt a strong cloud security posture
● Generalize principle of least privilege
● Ensure serverless projects use IaC
(Terraform, CloudFormation, …)
● Leverage cloud APIs to automate
controls and monitoring
● Monitor serverless cost
● Ensure coherency amongst functions
deployments
OWASP top 10
Cloud security posture
Serverless cost monitoring
Unified deployments
19. Use Serverless framework or Terraform
● With safe, relevant examples
● Coupled with CI
Provide relevant & safe code examples
● Using ORM / validation / log / …
● Coupled with CI
Prepare provisioning for:
● A working deployment
● CI job to deploy & run linting / static analysers
Document how to deploy secrets
Git repositories best practices:
● Mandatory pull requests
● Require a CODEOWNERS file
● Lock master
20. Serverless shifts complexity from application code to the infrastructure.
Serverless doesn’t mean no ops but:
● Different kind of ops are done by different personas
● Ops are much simpler compared to micro services (mTLS, peer to peer, etc.)
Some security risks occur more (20 times!), some appear, and a few disappear.
Cloud security takes a much more important stance.
Scaling development practices (CI, CD, frameworks, BoM) becomes a requirement
21.
22. CSA - The 12 Most Critical Risks for
Serverless Applications
OWASP top 10
OWASP serverless top 10
Serverless framework
Terraform, CloudFormation
CODEOWNERS (Github, Gitlab)
AppSec Builders podcast
Or get in touch / ask me directly:
Email: jb@sqreen.io
Twitter: @jbaviat
Podcast: