Serverless security - how to protect what you don't see?
0 likes256 views
The document discusses the impact of serverless architecture on development and operations, emphasizing the increased complexity and security challenges it introduces. It highlights the necessity for best practices in monitoring, scalability, and security posture, as well as the importance of using infrastructure as code. The author argues that serverless does not equate to no operations, but rather requires a different approach to operations with a focus on cloud security.
Serverless security - how to protect what you don't see?
- 2. Jean-Baptiste Aviat CTO & Co-founder Former (Red Team) Email: jb@sqreen.io Twitter: @jbaviat Podcast:
- 3. What is Serverless? And why is it different?
- 4. Business logic 100% written by developersDev Ops Code ⭐⭐⭐⭐⭐ Ops ⭐
- 5. Auth File upload Business service #1 Business service #2 Push service Async workers Dev Ops Code ⭐⭐⭐ Ops ⭐⭐⭐
- 7. Dev Ops Dev Dev Ops Micro services Monolithic applications Serverless More code Less code Dev and ops distance Ops
- 8. Ad-hoc usage: easier to deploy Dynamically configure cloud elements, transform data on the go, comply to cloud vendors requirements. Teams use it to circumvent processes / CI / deploy. Native serverless applications Build applications designed for serverless infrastructures.
- 9. How does serverless impacts security?
- 10. Dev Sec Ops Dev Sec Ops Dev Sec Ops Serverless forces bridging dev, sec & ops Monolithic app Microservices Serverless
- 11. What “serverless” means is moving too fast Edge serverless, ad-hoc, infra Scale is different (1 monolithic app → 5 micro services → 100 serverless functions) No tool allows to visualize all of your lambas at once (and the spreadsheet doesn’t work for this scale and pace!) The space didn’t reach maturity yet: ● No commonly accepted best practices, but a broad variety of best practices ● Evolving fast
- 13. Scaling challenges 🤯: ● Developers do 20 ⨉ more ops ● 1 microservice = 20 ⨉ functions ● 20 ⨉ vulnerable dependencies? ● 20 ⨉ ownership tracking? ● 20 ⨉ threat modeling? ● 20 ⨉ faster new function appearance? New challenges 🚨: ● No way to visualize deployments ● Best practices still change rapidly ● Entrypoints vary widely (HTTP? Queue? Stream? Database?) ● Higher coupling to the cloud provider requires high cloud security Solved challenges ✅: ● System updates (unless Docker based!) ● Network level security (mTLS, …) ⨉
- 14. Serverless security: what can we do?
- 15. Use infrastructure as code (Terraform, Cloud Formation, …) Shift your infrastructure left ● With serverless, a part of the business logic is handled by the infrastructure ● Serverless app developers own both the code and a part of the infrastructure Use principle of least privilege for your lambdas (but with reasonable granularity!) Monitor your costs (and be ready to block abuses) * Network, encryption, mutual authentication is mostly ensured by proper cloud services usage. But is much simpler than for microservices*
- 16. Keep best practices Injections Vulnerable dependencies Lack of monitoring AuthN / AuthZ issues OWASP top 10 Scalability & coherency Design strong functions frameworks (CI, deployment, logging frameworks, …) NEW
- 17. New functions appear and disappear at a highest rate than ever Leverage developer’s tools as much as possible to: ● Monitor security controls are applied ● Monitor the permissions used ● Ensure production doesn’t drift vs IaC IaC / Terraform make it easy to inspect IaC / Terraform allows to apply static control (and break CI if needed) Cloud APIs allow to dynamically list and inspect running containers
- 18. ● Maintain the OWASP top 10 ● Adopt a strong cloud security posture ● Generalize principle of least privilege ● Generalize IaC (Terraform, ...) ● Leverage cloud APIs to automate controls and monitoring ● Monitor serverless cost ● Ensure coherency amongst functions deployments OWASP top 10 Cloud security posture Serverless cost monitoring Unified deployments
- 19. Use Serverless framework or Terraform ● With safe, relevant examples ● Coupled with CI Provide relevant & safe code examples ● Using ORM / validation / log / … ● Coupled with CI Prepare provisioning for: ● A working deployment ● CI job to deploy & run linting / static analysers Document how to deploy secrets Git repositories best practices: ● Mandatory pull requests ● Require a CODEOWNERS file ● Lock master
- 20. Complexity shifts to the infrastructure Serverless = different kind of ops - not no ops! Some risks occur 20 times more ● Serverless shifts complexity from application code to the infrastructure. ● Serverless doesn’t mean no ops but: ● Different kind of ops are done by different personas ● Ops are much simpler compared to microservices (mTLS, peer to peer, etc.) ● Some security risks occur more (20 times more!), some new ones appear, and a few ones disappear. ● Cloud security takes a much more important stance. ● Scaling development practices (CI, CD, frameworks, BoM) becomes a requirement Cloud security is more important than ever Scaling best practices becomes a necessity
- 22. CSA - The 12 Most Critical Risks for Serverless Applications OWASP top 10 OWASP serverless top 10 Serverless framework Terraform, CloudFormation CODEOWNERS (Github, Gitlab) AppSec Builders podcast Or get in touch / ask me directly: Email: jb@sqreen.io Twitter: @jbaviat Podcast: