SlideShare a Scribd company logo

Securing Serverless - By Breaking In

Guy Podjarny, profile picture
Guy Podjarny

This document presents a summary of a talk by Guy Podjarny on securing serverless applications, highlighting key security flaws and mitigation strategies. It outlines seven main points, including the importance of avoiding vulnerable libraries, managing secrets properly, and using granular permissions to enhance security. The document also emphasizes the need to build security measures into serverless architecture proactively.

Technology
1 of 31
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
snyk.io Securing Serverless - 
 By Breaking In Guy Podjarny, Snyk @guypod
snyk.io About Me • Guy Podjarny, @guypod on Twitter • CEO & Co-founder at Snyk • History: • Cyber Security part of Israel Defense Forces • First Web App Firewall(AppShield), Dynamic/Static Tester(AppScan) • Security: Worked in Sanctum -> Watchfire -> IBM • Performance: Founded Blaze -> CTO @Akamai • O’Reilly author, speaker
snyk.io Serverless Security: The Theory
 (talk from ServerlessConf) https://www.youtube.com/watch?v=CiyUD_rI8D8 https://www.infoq.com/articles/serverless-security
snyk.io Today - straight to practice!
snyk.io Agenda • Show a demo serverless app • Hack it • Explain the security flaws and how to fix them • Summary • Q&A
snyk.io Introducing our app…
snyk.io Vulnerable Libraries
snyk.io Example: Fetch file & store in s3 (Serverless Framework Example) 19 Lines of Code 2 Direct dependencies 19 dependencies(incl. indirect) 191,155 Lines of Code
snyk.io
snyk.io Serverless does secure
 OS dependencies Just not app dependencies
snyk.io 1. Beware Vulnerable Libraries
 (test during dev, monitor over time)
snyk.io Side Note:
 Snyk isn’t only for Serverless
snyk.io Denial of Service
snyk.io 2. ReDoS can still be costly
 (won’t take you down, but can hike up bill)
snyk.io Beware
 Resource Exhaustion Attacks Not all your services elastically scale
snyk.io Secrets
snyk.io 3. Avoid secrets in deployed code
 (env variables aren’t enough - Use a KMS!)
snyk.io Serverless platforms offer a
 Key Management System Just use it!
snyk.io Granularity
snyk.io 4. Deploy granular functions
 (shared function code = greater exposure)
snyk.io AWS Security Policy Easier Policy 3Policy 2 Policy 1 Safer
snyk.io Permissions
snyk.io 5. Use Granular Policies
 (only allow each function its minimum permissions)
snyk.io A function is a perimeter That needs to be secured Perimeter Perimeter Perimeter Perimeter Perimeter
snyk.io Immutability
snyk.io 6. Don’t rely on immutability
 (Lambda - and others - reuse servers)
snyk.io Serverless user is typically
 Low Privilege Reducing impact substantially, but not eliminating it
snyk.io 7. Worry about all functions
 (Every available function increases your attack surface)
snyk.io Summary 1. Beware vulnerable libraries 2. ReDoS can still be costly 3. Avoid secrets in deployed code 4. Deploy granular functions 5. Use Granular Permissions 6. Don’t rely on immutability 7. Worry about all functions
snyk.io Serverless Security: The Theory
 (talk from ServerlessConf) https://www.youtube.com/watch?v=CiyUD_rI8D8 https://www.infoq.com/articles/serverless-security
snyk.io Serverless is defined now.
 Let’s build Security in. Thank You! Guy Podjarny, Snyk @guypod

More Related Content

PDF
Serverless Security: What's Left To Protect
Guy Podjarny
 
PDF
Security Patterns for Microservice Architectures - London Java Community 2020
Matt Raible
 
PDF
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
PPTX
Stephen Sadowski - Securely automating infrastructure in the cloud
DevSecCon
 
PDF
Dev seccon london 2016 intelliment security
DevSecCon
 
PPTX
Evaluating container security with ATT&CK Framework
Sandeep Jayashankar
 
PDF
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
PPTX
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
Serverless Security: What's Left To Protect
Guy Podjarny
 
Security Patterns for Microservice Architectures - London Java Community 2020
Matt Raible
 
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
Stephen Sadowski - Securely automating infrastructure in the cloud
DevSecCon
 
Dev seccon london 2016 intelliment security
DevSecCon
 
Evaluating container security with ATT&CK Framework
Sandeep Jayashankar
 
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 

What's hot (20)

PDF
Why should developers care about container security?
Eric Smalling
 
PDF
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
PDF
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
PDF
Henrique Dantas - API fuzzing using Swagger
DevSecCon
 
PPTX
360° Kubernetes Security: From Source Code to K8s Configuration Security
DevOps.com
 
PPTX
Lacework | Top 10 Cloud Security Threats
Lacework
 
PPTX
Alfredo Reino - Monitoring aws and azure
DevSecCon
 
PDF
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework
 
PPTX
AllDayDevOps 2019 AppSensor
jtmelton
 
PDF
All Your Containers Are Belong To Us
Lacework
 
PPTX
Aleksei Dremin - Application Security Pipeline - phdays9
Alexey Dremin
 
PDF
DevSecOps | DevOps Sec
Rubal Jain
 
PPTX
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
Lacework
 
PDF
Hacking into your containers, and how to stop it!
Eric Smalling
 
PDF
Secure Your Code Implement DevSecOps in Azure
kloia
 
PDF
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
Lacework
 
PPTX
Lacework Kubernetes Meetup | August 28, 2018
Lacework
 
PDF
DevSecOps in Baby Steps
Priyanka Aash
 
PPTX
You Build It, You Secure It: Introduction to DevSecOps
Sumo Logic
 
PDF
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
DevOps.com
 
Why should developers care about container security?
Eric Smalling
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
Henrique Dantas - API fuzzing using Swagger
DevSecCon
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
DevOps.com
 
Lacework | Top 10 Cloud Security Threats
Lacework
 
Alfredo Reino - Monitoring aws and azure
DevSecCon
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework
 
AllDayDevOps 2019 AppSensor
jtmelton
 
All Your Containers Are Belong To Us
Lacework
 
Aleksei Dremin - Application Security Pipeline - phdays9
Alexey Dremin
 
DevSecOps | DevOps Sec
Rubal Jain
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
Lacework
 
Hacking into your containers, and how to stop it!
Eric Smalling
 
Secure Your Code Implement DevSecOps in Azure
kloia
 
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
Lacework
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework
 
DevSecOps in Baby Steps
Priyanka Aash
 
You Build It, You Secure It: Introduction to DevSecOps
Sumo Logic
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
DevOps.com
 
Ad

Similar to Securing Serverless - By Breaking In (20)

PDF
Securing Serverless by Breaking in
C4Media
 
PDF
Serverless Security: What's Left to Protect?
Guy Podjarny
 
PDF
Guy Podjarmy - Secure Node Code
DevSecCon
 
PDF
Stranger Danger: Securing Third Party Components (Tech2020)
Guy Podjarny
 
PDF
Securing serverless system
NUS-ISS
 
PPTX
Securing Serverless Systems
Vincent Lau
 
PPTX
OWASP Serverless Top 10
Chandrapal Badshah
 
PDF
Serverless DevSecOps: Why We Must Make it Everyone's Problem | Hillel Solow
AWSCOMSUM
 
PDF
Security in serverless world
Yan Cui
 
PDF
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays
 
PDF
DevSecCon London 2018: Security in the serverless world
DevSecCon
 
PDF
Security in serverless world
Yan Cui
 
PDF
Security in Serverless world
Yan Cui
 
PDF
Serverless Security: Defence Against the Dark Arts
Yan Cui
 
PDF
Security in serverless world (get.net)
Yan Cui
 
PDF
Security in serverless world
Yan Cui
 
PDF
stackconf 2021 | Continuous Security – integrating security into your pipelines
NETWAYS
 
PDF
Serverless security: defence against the dark arts
Yan Cui
 
PDF
Stranger Danger (NodeSummit, 2016)
Guy Podjarny
 
PDF
Serverless security: defense against the dark arts
Yan Cui
 
Securing Serverless by Breaking in
C4Media
 
Serverless Security: What's Left to Protect?
Guy Podjarny
 
Guy Podjarmy - Secure Node Code
DevSecCon
 
Stranger Danger: Securing Third Party Components (Tech2020)
Guy Podjarny
 
Securing serverless system
NUS-ISS
 
Securing Serverless Systems
Vincent Lau
 
OWASP Serverless Top 10
Chandrapal Badshah
 
Serverless DevSecOps: Why We Must Make it Everyone's Problem | Hillel Solow
AWSCOMSUM
 
Security in serverless world
Yan Cui
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays
 
DevSecCon London 2018: Security in the serverless world
DevSecCon
 
Security in serverless world
Yan Cui
 
Security in Serverless world
Yan Cui
 
Serverless Security: Defence Against the Dark Arts
Yan Cui
 
Security in serverless world (get.net)
Yan Cui
 
Security in serverless world
Yan Cui
 
stackconf 2021 | Continuous Security – integrating security into your pipelines
NETWAYS
 
Serverless security: defence against the dark arts
Yan Cui
 
Stranger Danger (NodeSummit, 2016)
Guy Podjarny
 
Serverless security: defense against the dark arts
Yan Cui
 
Ad

More from Guy Podjarny (18)

PDF
Secure Node Code (workshop, O'Reilly Security)
Guy Podjarny
 
PDF
High Performance Images: Beautiful Shouldn't Mean Slow (Velocity EU 2015)
Guy Podjarny
 
PDF
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
Guy Podjarny
 
PDF
High Performance Images: Beautiful Shouldn't Mean Slow
Guy Podjarny
 
PDF
Responsive In The Wild, 2014
Guy Podjarny
 
PPTX
Third Party Performance (Velocity, 2014)
Guy Podjarny
 
PPTX
Rules driven-delivery
Guy Podjarny
 
PPTX
Responsive In The Wild (SmashingConf, 2014)
Guy Podjarny
 
PPTX
Putting Your Images on a Diet (SmashingConf, 2014)
Guy Podjarny
 
PPTX
Third party-performance (Airbnb Nerds, Nov 2013)
Guy Podjarny
 
PPTX
Third Party Performance
Guy Podjarny
 
PDF
A Picture Costs A Thousand Words
Guy Podjarny
 
PPTX
Step by Step Mobile Optimization
Guy Podjarny
 
PPTX
Quantifying The Mobile Difference
Guy Podjarny
 
PPTX
Performance Implications of Mobile Design (Perf Audience Edition)
Guy Podjarny
 
PPTX
Performance Implications of Mobile Design
Guy Podjarny
 
PDF
Unravelling Mobile Web Performance
Guy Podjarny
 
PPTX
State Of Mobile Web Performance
Guy Podjarny
 
Secure Node Code (workshop, O'Reilly Security)
Guy Podjarny
 
High Performance Images: Beautiful Shouldn't Mean Slow (Velocity EU 2015)
Guy Podjarny
 
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
Guy Podjarny
 
High Performance Images: Beautiful Shouldn't Mean Slow
Guy Podjarny
 
Responsive In The Wild, 2014
Guy Podjarny
 
Third Party Performance (Velocity, 2014)
Guy Podjarny
 
Rules driven-delivery
Guy Podjarny
 
Responsive In The Wild (SmashingConf, 2014)
Guy Podjarny
 
Putting Your Images on a Diet (SmashingConf, 2014)
Guy Podjarny
 
Third party-performance (Airbnb Nerds, Nov 2013)
Guy Podjarny
 
Third Party Performance
Guy Podjarny
 
A Picture Costs A Thousand Words
Guy Podjarny
 
Step by Step Mobile Optimization
Guy Podjarny
 
Quantifying The Mobile Difference
Guy Podjarny
 
Performance Implications of Mobile Design (Perf Audience Edition)
Guy Podjarny
 
Performance Implications of Mobile Design
Guy Podjarny
 
Unravelling Mobile Web Performance
Guy Podjarny
 
State Of Mobile Web Performance
Guy Podjarny
 

Recently uploaded (20)

PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
A Presentation on Artificial Intelligence
memembruh336
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 

Securing Serverless - By Breaking In