Jean-Baptiste Aviat
CTO & Co-founder
Former (Red Team)
Email: jb@sqreen.io
Twitter: @jbaviat
Podcast:
What is Serverless?
And why is it different?
[Diagram: three architectures placed on two axes, “more code → less code” and “dev and ops distance”, each rated for how much code developers write and how much ops they do]
● Monolithic application (business logic 100% written by developers): Code ⭐⭐⭐⭐⭐, Ops ⭐
● Microservices (auth, file upload, business service #1, business service #2, push service, async workers): Code ⭐⭐⭐, Ops ⭐⭐⭐
● Serverless: Code ⭐, Ops ⭐⭐⭐
Ad-hoc usage: easier to deploy
Dynamically configure cloud elements, transform data on the go, comply with cloud vendors’ requirements.
Teams also use it to circumvent processes / CI / deployment pipelines.
Native serverless applications
Build applications designed for serverless infrastructures.
How does serverless impact security?
[Diagram: Dev, Sec and Ops circles drawn for a monolithic app, for microservices and for serverless]
Serverless forces bridging dev, sec & ops
What “serverless” means is moving too fast: edge serverless, ad-hoc usage, infrastructure glue.
Scale is different (1 monolithic app → 5 microservices → 100 serverless functions).
No tool lets you visualize all of your lambdas at once (and a spreadsheet doesn’t work at this scale and pace!).
The space hasn’t reached maturity yet:
● No commonly accepted best practices, but a broad variety of them
● Evolving fast
Monitoring: ❌
Protection: ❌
New challenges 🚨:
● No way to visualize deployments
● Best practices still change rapidly
● Entry points vary widely (HTTP? Queue? Stream? Database?)
● Higher coupling to the cloud provider requires strong cloud security
Solved challenges ✅:
● System updates (unless Docker based!)
● Network level security (mTLS, …)
Scaling challenges 🤯:
● Developers do 20 ⨉ more ops
● 1 microservice = 20 ⨉ functions
● 20 ⨉ vulnerable dependencies?
● 20 ⨉ ownership tracking?
● 20 ⨉ threat modeling?
● 20 ⨉ faster new function appearance?
Serverless security: what can we do?
Use infrastructure as code (Terraform, CloudFormation, …)
Shift your infrastructure left
● With serverless, part of the business logic is handled by the infrastructure
● Serverless app developers own both the code and part of the infrastructure
Use the principle of least privilege for your lambdas (but with reasonable granularity!)
Monitor your costs (and be ready to block abuses)
Ops are much simpler than for microservices*
* Network, encryption and mutual authentication are mostly ensured by proper use of cloud services.
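The least-privilege point above is the one most often skipped because “it works with `*`”. The following check is an added example, not code from the talk: it lints a Lambda execution-role policy (the same JSON you would pass to `aws_iam_role_policy.policy` in Terraform) and can break CI when a grant is wider than a named action on a named resource. Both policies, the account id, region, bucket, table and role names are constructed for illustration. The granularity stays reasonable on purpose: partial wildcards such as `dynamodb:Get*` pass, whole-service or all-resource wildcards do not.

```python
"""Least-privilege check for a Lambda execution-role policy.

Added example, not code from the talk. Both policies are constructed for
illustration: account id, region, bucket, table and role names are made up.
"""

# Constructed: the "just make it work" policy a first lambda often gets.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    ],
}

# Constructed: the same function scoped to what it really touches, at a
# granularity that stays maintainable (one prefix, one table, one log group).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::uploads-example/incoming/*",
        },
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/uploads-example",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/lambda/upload-handler:*",
        },
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_overbroad(policy):
    """Return (statement_index, reason) for every grant wider than a named
    action on a named resource. Only Allow statements can widen access."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        # NotAction / NotResource grant "everything except": always too broad.
        if "NotAction" in st:
            findings.append((i, "NotAction grants every action not listed"))
        if "NotResource" in st:
            findings.append((i, "NotResource grants every resource not listed"))
        for action in _as_list(st.get("Action")):
            # "*" and "service:*" are flagged; "service:Get*" is accepted as
            # reasonable granularity.
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action!r}"))
        for resource in _as_list(st.get("Resource")):
            if resource == "*":
                findings.append((i, "wildcard resource '*'"))
    return findings


def policy_passes(policy):
    """CI gate: True when the policy has no over-broad grant."""
    return not find_overbroad(policy)


if __name__ == "__main__":
    for name, pol in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "passes" if policy_passes(pol) else "FAILS")
        for idx, reason in find_overbroad(pol):
            print(f"  statement[{idx}]: {reason}")
```

Run it as a CI step over every policy document in the Terraform plan and fail the job when `policy_passes` is false; the findings list gives the statement index so the author knows which grant to narrow.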
Keep best practices
OWASP top 10: injections, vulnerable dependencies, lack of monitoring, AuthN / AuthZ issues
NEW, scalability & coherency: design strong function frameworks (CI, deployment, logging frameworks, …)
New functions appear and disappear at a higher rate than ever.
Leverage developers’ tools as much as possible to:
● Monitor that security controls are applied
● Monitor the permissions used
● Ensure production doesn’t drift from IaC
IaC / Terraform makes it easy to inspect.
IaC / Terraform allows applying static controls (and breaking CI if needed).
Cloud APIs allow dynamically listing and inspecting running containers.
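The drift check described above, as an added example that is not part of the talk: it compares the functions IaC declares with what the cloud API reports and flags what is running without being described (the function deployed from a laptop, the role swapped by hand). `DECLARED` stands in for the `aws_lambda_function` resources you would read from `terraform show -json`; `INVENTORY` stands in for the `Functions` list returned by the Lambda ListFunctions API. Both are constructed inline with made-up names so the script runs offline; `fetch_inventory` shows the real boto3 call and is not invoked here.

```python
"""Drift check: what IaC declares vs. what the cloud API reports.

Added example, not code from the talk. All names, ARNs and the account id
are constructed for illustration.
"""

ROLE_PREFIX = "arn:aws:iam::123456789012:role/"

# Constructed: three functions declared in IaC.
DECLARED = {
    "upload-handler": {"runtime": "python3.9", "role": ROLE_PREFIX + "upload-handler", "timeout": 10},
    "push-notifier": {"runtime": "nodejs14.x", "role": ROLE_PREFIX + "push-notifier", "timeout": 10},
    "nightly-report": {"runtime": "python3.9", "role": ROLE_PREFIX + "nightly-report", "timeout": 300},
}

# Constructed: what ListFunctions returned. push-notifier was "fixed" by hand
# (admin role, longer timeout), jb-test-fn was deployed from a laptop, and
# nightly-report never made it to production.
INVENTORY = [
    {"FunctionName": "upload-handler", "Runtime": "python3.9", "Role": ROLE_PREFIX + "upload-handler", "Timeout": 10},
    {"FunctionName": "push-notifier", "Runtime": "nodejs14.x", "Role": ROLE_PREFIX + "admin-role", "Timeout": 30},
    {"FunctionName": "jb-test-fn", "Runtime": "python3.9", "Role": ROLE_PREFIX + "admin-role", "Timeout": 3},
]

# IaC attribute name -> Lambda API field name for the attributes we track.
TRACKED = {"runtime": "Runtime", "role": "Role", "timeout": "Timeout"}


def fetch_inventory(lambda_client):
    """Real data source: page through ListFunctions with a boto3 Lambda client."""
    for page in lambda_client.get_paginator("list_functions").paginate():
        yield from page["Functions"]


def diff_inventory(declared, inventory):
    """Return functions that are unmanaged (live, not in IaC), missing
    (in IaC, not live) and drifted (live but with tracked attributes changed)."""
    live = {fn["FunctionName"]: fn for fn in inventory}
    unmanaged = sorted(set(live) - set(declared))
    missing = sorted(set(declared) - set(live))
    drifted = {}
    for name in set(declared) & set(live):
        changes = [
            (attr, declared[name].get(attr), live[name].get(field))
            for attr, field in TRACKED.items()
            if declared[name].get(attr) != live[name].get(field)
        ]
        if changes:
            drifted[name] = sorted(changes)
    return {"unmanaged": unmanaged, "missing": missing, "drifted": drifted}


def ci_gate(report):
    """Fail the pipeline on anything running that IaC does not describe.
    A declared-but-undeployed function is reported, not blocking."""
    return not (report["unmanaged"] or report["drifted"])


if __name__ == "__main__":
    # For the real thing: import boto3; INVENTORY = list(fetch_inventory(boto3.client("lambda")))
    report = diff_inventory(DECLARED, INVENTORY)
    for fn in report["unmanaged"]:
        print(f"UNMANAGED {fn}: running, not in IaC")
    for fn in report["missing"]:
        print(f"MISSING   {fn}: in IaC, not deployed")
    for fn, changes in report["drifted"].items():
        for attr, want, got in changes:
            print(f"DRIFT     {fn}.{attr}: IaC={want!r} live={got!r}")
    raise SystemExit(0 if ci_gate(report) else 1)
```

Scheduled as a job (not only at deploy time), this is the “visualize all of your lambdas” tool the slides say is missing: the unmanaged list is your shadow inventory, and the drifted list is where someone bypassed IaC.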
● Maintain the OWASP top 10
● Adopt a strong cloud security posture
● Generalize the principle of least privilege
● Ensure serverless projects use IaC (Terraform, CloudFormation, …)
● Leverage cloud APIs to automate controls and monitoring
● Monitor serverless cost
● Ensure coherency amongst function deployments
In short: OWASP top 10, cloud security posture, serverless cost monitoring, unified deployments.
Use the Serverless Framework or Terraform
● With safe, relevant examples
● Coupled with CI
Provide relevant & safe code examples
● Using ORM / validation / log / …
● Coupled with CI
Prepare provisioning for:
● A working deployment
● CI job to deploy & run linting / static analysers
Document how to deploy secrets
Git repositories best practices:
● Mandatory pull requests
● Require a CODEOWNERS file
● Lock master
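The “relevant & safe code examples” a function framework should ship are the ones every new function starts from. The template below is an added example, not code from the talk or from any framework. It keeps four things in one place: recognise the entry point (HTTP via an API Gateway proxy event, or a queue via SQS), validate with an allow-list before use, query only through parameters (an in-memory sqlite3 table stands in for the real store), and log one structured line per invocation. The table, the field names and the sample events are constructed for this example.

```python
"""Safe-by-default function template of the kind a function framework ships.

Added example, not code from the talk. Table, fields and events are constructed.
"""
import json
import logging
import re
import sqlite3

log = logging.getLogger("notes-fn")

USER_ID = re.compile(r"[a-z0-9_-]{1,32}")
MAX_NOTE = 280


class BadRequest(Exception):
    """Raised for anything we refuse to process; never echoes the input."""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (user_id TEXT NOT NULL, note TEXT NOT NULL)")
    return conn


def count_notes(conn):
    return conn.execute("SELECT COUNT(*) FROM notes").fetchone()[0]


def event_source(event):
    """Entry points differ in shape; decide once, explicitly, and refuse the rest."""
    records = event.get("Records")
    if isinstance(records, list) and records and records[0].get("eventSource") == "aws:sqs":
        return "sqs"
    if "httpMethod" in event and "requestContext" in event:
        return "http"
    raise BadRequest("unrecognised event shape")


def payloads(event):
    """Return the list of JSON bodies carried by the event (one for HTTP, one per SQS record)."""
    if event_source(event) == "http":
        return [json.loads(event.get("body") or "{}")]
    return [json.loads(r["body"]) for r in event["Records"]]


def validate(payload):
    """Allow-list validation: wrong type, length or charset is rejected."""
    if not isinstance(payload, dict):
        raise BadRequest("payload is not an object")
    user, note = payload.get("user_id"), payload.get("note")
    if not isinstance(user, str) or not USER_ID.fullmatch(user):
        raise BadRequest("invalid user_id")
    if not isinstance(note, str) or not 0 < len(note) <= MAX_NOTE:
        raise BadRequest("invalid note")
    return user, note


def save_note(conn, user, note):
    # Parameterised: the driver binds the values, they never become SQL text.
    conn.execute("INSERT INTO notes (user_id, note) VALUES (?, ?)", (user, note))


def handler(event, context=None, conn=None):
    conn = conn if conn is not None else new_db()
    try:
        items = [validate(p) for p in payloads(event)]
    except (BadRequest, json.JSONDecodeError, KeyError, TypeError) as exc:
        # Structured log, no echo of the rejected input; generic error to the caller.
        log.warning(json.dumps({"outcome": "rejected", "reason": type(exc).__name__}))
        return {"statusCode": 400, "body": json.dumps({"error": "invalid input"})}
    for user, note in items:
        save_note(conn, user, note)
    conn.commit()
    log.info(json.dumps({"outcome": "ok", "source": event_source(event), "saved": len(items)}))
    return {"statusCode": 200, "body": json.dumps({"saved": len(items)})}


# Constructed sample events, in the shapes API Gateway (proxy) and SQS deliver.
HTTP_EVENT = {"httpMethod": "POST", "requestContext": {"requestId": "r-1"},
              "body": json.dumps({"user_id": "alice", "note": "hello"})}
SQS_EVENT = {"Records": [
    {"eventSource": "aws:sqs", "body": json.dumps({"user_id": "bob", "note": "one"})},
    {"eventSource": "aws:sqs", "body": json.dumps({"user_id": "carol", "note": "two"})},
]}
INJECTION_EVENT = {"httpMethod": "POST", "requestContext": {"requestId": "r-2"},
                   "body": json.dumps({"user_id": "x'); DROP TABLE notes;--", "note": "pwn"})}

if __name__ == "__main__":
    db = new_db()
    for ev in (HTTP_EVENT, SQS_EVENT, INJECTION_EVENT):
        print(handler(ev, conn=db)["statusCode"], "rows:", count_notes(db))
```

Two layers stop the injection attempt: the allow-list rejects the `user_id` before any query runs, and even a value that slipped through would be bound as data by the parameterised insert. Shipping this shape as the framework’s template, with a CI job that lints it, is what makes the OWASP basics survive at “20 × functions” scale.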
Serverless shifts complexity from application code to the infrastructure.
Serverless doesn’t mean no ops, but:
● Different kinds of ops are done by different personas
● Ops are much simpler than with microservices (no mTLS, peer-to-peer networking, etc. to run yourself)
Some security risks occur more often (20 times!), some appear, and a few disappear.
Cloud security becomes much more important.
Scaling development practices (CI, CD, frameworks, BoM) becomes a requirement.
CSA - The 12 Most Critical Risks for Serverless Applications
OWASP top 10
OWASP serverless top 10
Serverless framework
Terraform, CloudFormation
CODEOWNERS (Github, Gitlab)
AppSec Builders podcast
Or get in touch / ask me directly:
Email: jb@sqreen.io
Twitter: @jbaviat
Podcast:
Credits to Theodo
Credits to Marcin
Credits to https://twitter.com/alex_frantic?lang=en
Serverless is changing fast
● 2008: Google App Engine
● 2014: AWS Lambda
● 2016: Google Cloud Functions, Azure Functions, IBM Cloud Functions, AWS Lambda@Edge
● 2017: Cloudflare Workers
● 2019: Fastly edge workers
● 2020: Netlify Functions
Future: more edge, more glue.
“We are discovering new services, tools and patterns weekly”
Source: any serverless specialist.
Easier & faster to deploy
Move from “your code does it all” towards “your code does the business logic, your cloud provider is the glue”.

Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
 
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
 

Último

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Último (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

apidays LIVE Paris - Serverless security: how to protect what you don't see? by Jean Baptiste Aviat

  • 15. Use infrastructure as code (Terraform, CloudFormation, …)
  Shift your infrastructure left:
  ● With serverless, a part of the business logic is handled by the infrastructure
  ● Serverless app developers own both the code and a part of the infrastructure
  Use the principle of least privilege for your lambdas (but with reasonable granularity!)
  Monitor your costs (and be ready to block abuses)
  * Network, encryption and mutual authentication are mostly ensured by proper use of cloud services, and are much simpler than for microservices.
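The slide asks for least privilege "with reasonable granularity" and for IaC to be the place it is enforced. Below is an added example of what that looks like as a CI gate (not code from the talk or from Sqreen): it lints the IAM policy document an execution role is given in IaC, rejects wildcard actions, rejects `Resource: "*"` unless every action is read-only (the one place a bare wildcard is usually unavoidable), and insists that escalation-capable actions such as `iam:PassRole` name an explicit ARN. The action deny list and the two policy documents are constructed assumptions, not a standard.

```python
"""Static least-privilege gate for a serverless function's IAM policy.

Added example, not code from the talk or from Sqreen. It reads the JSON
policy a function's execution role is given in IaC (an aws_iam_role_policy
resource, or a CloudFormation Policies block) and fails CI when a statement
grants more than a single function should hold. The two policy documents
at the bottom are constructed sample input.
"""
from __future__ import annotations
import re
import sys

# Actions that let a function escalate to "anything": they must always name
# an explicit ARN. Assumption: an org-specific list, extend it as needed.
HIGH_RISK_ACTIONS = {
    "iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "sts:AssumeRole", "lambda:UpdateFunctionCode", "lambda:AddPermission",
}
# Read-only operations that many services only expose on Resource "*";
# tolerated there, which is the "reasonable granularity" the slide asks for.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Get|List|Describe|Head)[A-Za-z]*$")


def _as_list(value) -> list:
    """IAM accepts a string or a list for Action/Resource; normalise it."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list[str]:
    """Return findings for one policy document; an empty list means it passes."""
    findings: list[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow what is granted
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"stmt[{i}]: NotAction/NotResource grant everything else; spell out the allow-list")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"stmt[{i}]: wildcard action {action!r}")
        if "*" in resources and not all(READ_ONLY.match(a) for a in actions):
            findings.append(f"stmt[{i}]: Resource '*' with non-read-only actions {actions}")
        for action in actions:
            if action in HIGH_RISK_ACTIONS and any(r == "*" or r.endswith("*") for r in resources):
                findings.append(f"stmt[{i}]: {action} must name an explicit resource ARN, got {resources}")
    return findings


def ci_gate(policies: dict[str, dict]) -> int:
    """Lint every function's policy and return the exit code for the CI job."""
    failed = 0
    for name, policy in policies.items():
        for finding in lint_policy(policy):
            print(f"{name}: {finding}")
            failed += 1
    return 1 if failed else 0


# Constructed sample input: the "make it work" policy a quick fix often ships with.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "arn:aws:iam::123456789012:role/*"},
    ],
}
# The same function's actual needs: read one queue, write one table, log, attach to a VPC.
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
         "Resource": "arn:aws:sqs:eu-west-1:123456789012:orders-inbound"},
        {"Effect": "Allow",
         "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
         "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/orders"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/lambda/orders-worker:*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeNetworkInterfaces"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    sys.exit(ci_gate({"orders-worker (broad)": OVERLY_BROAD, "orders-worker (scoped)": SCOPED}))
```

Run it as a CI step over the policy documents extracted from `terraform show -json` or the CloudFormation template; a non-zero exit code blocks the merge, which is the "break CI if needed" the talk recommends.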
  • 16. Keep best practices:
  Injections
  Vulnerable dependencies
  Lack of monitoring
  AuthN / AuthZ issues
  OWASP top 10
  NEW: Scalability & coherency
  Design strong function frameworks (CI, deployment, logging frameworks, …)
  • 17. New functions appear and disappear at a higher rate than ever
  Leverage developers' tools as much as possible to:
  ● Monitor that security controls are applied
  ● Monitor the permissions used
  ● Ensure production doesn't drift vs. IaC
  IaC / Terraform makes it easy to inspect
  IaC / Terraform allows static controls to be applied (and CI to be broken if needed)
  Cloud APIs allow running containers to be listed and inspected dynamically
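The third bullet, production drifting from IaC, is the one that catches the ad-hoc functions deployed around the CI pipeline. As an added example (not from the talk), here is the comparison a scheduled job can run: the declared inventory is what you would parse out of `terraform show -json` or a CloudFormation template, and the live inventory is constructed sample data in the shape of the Lambda `ListFunctions` response (`Functions[].FunctionName/Runtime/Role/Handler/Environment`), which a real job would page through with `boto3.client("lambda").list_functions()`. The tracked fields and the secret-name heuristic are assumptions to adapt.

```python
"""Drift between the functions declared in IaC and what is actually running.

Added example, not from the talk. DECLARED plays the role of the inventory
parsed from `terraform show -json` (or a CloudFormation template); LIVE is
constructed sample data in the shape of the Lambda ListFunctions response.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Settings whose out-of-band change is a security event, not a tuning detail.
# Assumption: extend with VpcConfig, Layers, ReservedConcurrentExecutions, ...
TRACKED = ("Runtime", "Role", "Handler")
# Variable names that usually mean a secret was pasted in clear text instead
# of being referenced from Secrets Manager / SSM (assumed heuristic).
SECRET_HINTS = ("SECRET", "PASSWORD", "TOKEN", "API_KEY", "PRIVATE_KEY")


@dataclass
class DriftReport:
    undeclared: list[str] = field(default_factory=list)   # running, absent from IaC
    missing: list[str] = field(default_factory=list)      # in IaC, not running
    changed: dict[str, dict[str, tuple]] = field(default_factory=dict)  # name -> field -> (iac, live)
    clear_text_secrets: list[str] = field(default_factory=list)        # "function:VAR"

    def is_clean(self) -> bool:
        return not (self.undeclared or self.missing or self.changed or self.clear_text_secrets)


def _looks_like_secret(name: str, value: str) -> bool:
    """A secret-looking name holding a literal value rather than an ARN reference."""
    return any(h in name.upper() for h in SECRET_HINTS) and bool(value) and not value.startswith("arn:")


def diff_inventory(declared: dict[str, dict], live: list[dict]) -> DriftReport:
    live_by_name = {f["FunctionName"]: f for f in live}
    report = DriftReport()
    report.undeclared = sorted(set(live_by_name) - set(declared))
    report.missing = sorted(set(declared) - set(live_by_name))
    for name in sorted(set(declared) & set(live_by_name)):
        want, have = declared[name], live_by_name[name]
        diffs = {k: (want.get(k), have.get(k)) for k in TRACKED if want.get(k) != have.get(k)}
        if diffs:
            report.changed[name] = diffs
    for name, fn in sorted(live_by_name.items()):
        for var, val in fn.get("Environment", {}).get("Variables", {}).items():
            if _looks_like_secret(var, val):
                report.clear_text_secrets.append(f"{name}:{var}")
    return report


def render(report: DriftReport) -> list[str]:
    """One line per finding, ready for a CI log or a ticket."""
    lines = [f"UNDECLARED {n} (deployed outside IaC)" for n in report.undeclared]
    lines += [f"MISSING {n} (declared but not deployed)" for n in report.missing]
    for name, diffs in report.changed.items():
        for k, (want, have) in diffs.items():
            lines.append(f"CHANGED {name}.{k}: iac={want!r} live={have!r}")
    lines += [f"SECRET {ref} is a literal environment variable" for ref in report.clear_text_secrets]
    return lines


# Constructed sample inventories (account id and names are made up).
ROLE = "arn:aws:iam::123456789012:role/"
DECLARED = {
    "orders-worker": {"Runtime": "python3.12", "Role": ROLE + "orders-worker", "Handler": "app.handler"},
    "image-resize": {"Runtime": "nodejs20.x", "Role": ROLE + "image-resize", "Handler": "index.handler"},
    "nightly-report": {"Runtime": "python3.12", "Role": ROLE + "nightly-report", "Handler": "report.run"},
}
LIVE = [
    {"FunctionName": "orders-worker", "Runtime": "python3.12", "Role": ROLE + "admin-role",
     "Handler": "app.handler",
     "Environment": {"Variables": {"DB_SECRET": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:orders-db"}}},
    {"FunctionName": "image-resize", "Runtime": "nodejs20.x", "Role": ROLE + "image-resize",
     "Handler": "index.handler",
     "Environment": {"Variables": {"API_TOKEN": "sk_live_constructed_example"}}},
    {"FunctionName": "jb-quick-test", "Runtime": "python3.9", "Role": ROLE + "admin-role",
     "Handler": "lambda_function.lambda_handler"},
]

if __name__ == "__main__":
    for line in render(diff_inventory(DECLARED, LIVE)):
        print(line)
```

On the sample data the job reports one function deployed outside IaC, one declared function that is not running, a hot-patched execution role on `orders-worker`, and an API token pasted into an environment variable. Each of those maps to a slide-13 concern: visibility, ownership and the cloud permission boundary.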
  • 18. ● Maintain the OWASP top 10
  ● Adopt a strong cloud security posture
  ● Generalize the principle of least privilege
  ● Ensure serverless projects use IaC (Terraform, CloudFormation, …)
  ● Leverage cloud APIs to automate controls and monitoring
  ● Monitor serverless cost
  ● Ensure coherency amongst function deployments
  In short: OWASP top 10, cloud security posture, serverless cost monitoring, unified deployments
  • 19. Use the Serverless framework or Terraform
  ● With safe, relevant examples
  ● Coupled with CI
  Provide relevant & safe code examples
  ● Using ORM / validation / log / …
  ● Coupled with CI
  Prepare provisioning for:
  ● A working deployment
  ● A CI job to deploy & run linting / static analysers
  Document how to deploy secrets
  Git repositories best practices:
  ● Mandatory pull requests
  ● Require a CODEOWNERS file
  ● Lock master
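"Provide relevant & safe code examples using ORM / validation / log" is the slide's answer to the injection, monitoring and varying-entrypoint problems of slides 13 and 16. What follows is an added example of such a starter function (not code from the talk or from Sqreen): it accepts the two entrypoints it is wired to, an API Gateway proxy request and an SQS batch, validates each payload against an allow-list before anything else touches it, writes with bound parameters, and emits structured log lines that record the decision without echoing the raw input. The event shapes follow the documented API Gateway proxy (`requestContext`, `body`) and SQS (`Records[].body`) formats; the sample events, the SKU format and the in-memory sqlite3 table standing in for the real store are constructed assumptions.

```python
"""A safe-by-default function template for the two entrypoints we accept.

Added example, not code from the talk: the kind of starter a team ships
with its Serverless framework / Terraform template so every new function
inherits validation, parameterised queries and structured logs. The events
at the bottom are constructed; in-memory sqlite3 stands in for the real store.
"""
from __future__ import annotations
import json
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("orders")
logging.basicConfig(level=logging.INFO, format="%(message)s")

SKU_RE = re.compile(r"^[A-Z0-9-]{3,32}$")   # assumed SKU format
MAX_QTY = 1000


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id TEXT PRIMARY KEY, sku TEXT NOT NULL, quantity INTEGER NOT NULL)")
    return conn


def extract_bodies(event: dict) -> list[str]:
    """Map the entrypoints this function is wired to onto raw JSON bodies.
    Any other trigger is a deployment mistake and is refused, not guessed at."""
    if "Records" in event:                                   # SQS batch
        return [r["body"] for r in event["Records"] if r.get("eventSource") == "aws:sqs"]
    if "requestContext" in event:                            # API Gateway proxy
        return [event.get("body") or "{}"]
    raise ValueError("unsupported event source")


def validate(raw) -> dict:
    """Allow-list validation: only the fields we use, with strict types and ranges.
    Returns a clean copy so downstream code never touches the raw payload."""
    if not isinstance(raw, dict):
        raise ValueError("payload must be an object")
    sku, qty = raw.get("sku"), raw.get("quantity")
    if not isinstance(sku, str) or not SKU_RE.match(sku):
        raise ValueError("invalid sku")
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise ValueError("invalid quantity")
    return {"sku": sku, "quantity": qty}


def store(conn: sqlite3.Connection, order: dict) -> None:
    # Bound parameters: validated or not, a value can never become SQL.
    conn.execute("INSERT INTO orders (id, sku, quantity) VALUES (?, ?, ?)",
                 (order["id"], order["sku"], order["quantity"]))


def count_orders(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def handler(event: dict, context=None, conn: sqlite3.Connection | None = None) -> dict:
    conn = conn or new_db()
    request_id = getattr(context, "aws_request_id", None) or str(uuid.uuid4())
    try:
        bodies = extract_bodies(event)
    except (ValueError, KeyError) as exc:
        log.warning(json.dumps({"rid": request_id, "event": "bad_envelope", "reason": str(exc)}))
        return {"statusCode": 400, "body": json.dumps({"error": "bad request"})}
    accepted = rejected = 0
    for body in bodies:
        try:
            order = validate(json.loads(body))
        except ValueError as exc:                # JSONDecodeError is a ValueError
            rejected += 1
            # Log the decision, never the payload: raw input may carry secrets or PII.
            log.warning(json.dumps({"rid": request_id, "event": "rejected", "reason": str(exc)}))
            continue
        order["id"] = str(uuid.uuid4())
        store(conn, order)
        accepted += 1
        log.info(json.dumps({"rid": request_id, "event": "stored", "sku": order["sku"]}))
    conn.commit()
    return {"statusCode": 200, "body": json.dumps({"accepted": accepted, "rejected": rejected})}


# Constructed sample events (not real traffic).
HTTP_EVENT = {"requestContext": {"http": {"method": "POST"}},
              "body": json.dumps({"sku": "ABC-123", "quantity": 2})}
SQS_EVENT = {"Records": [
    {"eventSource": "aws:sqs", "body": json.dumps({"sku": "ABC-123", "quantity": 5})},
    {"eventSource": "aws:sqs", "body": json.dumps({"sku": "x'); DROP TABLE orders;--", "quantity": 1})},
    {"eventSource": "aws:sqs", "body": "not json"},
]}

if __name__ == "__main__":
    db = new_db()
    print(handler(HTTP_EVENT, conn=db))
    print(handler(SQS_EVENT, conn=db))
    print("stored rows:", count_orders(db))
```

The point of shipping this as the template rather than as a guideline is the scale argument of slide 13: with twenty functions per former microservice, validation and logging have to be something a developer copies, not something a reviewer remembers to ask for.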
  • 20. Serverless shifts complexity from application code to the infrastructure.
  Serverless doesn't mean no ops, but:
  ● Different kinds of ops are done by different personas
  ● Ops are much simpler compared to microservices (mTLS, peer to peer, etc.)
  Some security risks occur more often (20 times!), some appear, and a few disappear.
  Cloud security takes a much more important stance.
  Scaling development practices (CI, CD, frameworks, BoM) becomes a requirement.
  • 22. CSA - The 12 Most Critical Risks for Serverless Applications
  OWASP top 10
  OWASP serverless top 10
  Serverless framework
  Terraform, CloudFormation
  CODEOWNERS (GitHub, GitLab)
  AppSec Builders podcast
  Or get in touch / ask me directly: Email: jb@sqreen.io, Twitter: @jbaviat, Podcast:
  • 24. Credits to Theodo
  Credits to Marcin
  Credits to https://twitter.com/alex_frantic?lang=en
  Podcast
  • 26. Future: more edge, more glue
  2008 Google App Engine
  2014 AWS Lambda
  2016 Google Cloud Functions, Azure Functions, IBM Cloud Functions, AWS Lambda@Edge
  2017 Cloudflare Workers
  2019 Fastly Edge workers
  2020 Netlify functions
  • 27. “We are discovering new services, tools and patterns weekly.” Source: any serverless specialist.
  • 28. Easier & faster to deploy Move from “your code does it all” towards “your code does the business logic, your Cloud Provider is the glue”