Serverless Security: New Risks Require New Approaches • Itay Rozenman • GOTO 2021 (33:22)
This presentation was recorded at GOTO Copenhagen 2021. #GOTOcon #GOTOcph
Itay Rozenman - Senior director of engineering at Contrast Security
Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up the developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a cloud disaster.
What new challenges do organisations now face? In many organisations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code is a mixture of cloud configuration and application programming interfaces.
As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times. Fortunately, it does not have to be this way. Organisations can leverage robust security during serverless development [...]
01:06 Cloud native is the future of app development
01:37 Cloud native transformation has begun
02:09 More than a technology shift
04:09 Serverless architecture
05:03 What is serverless?
06:48 What about security?
07:42 Resource-based IAM
11:33 Loss of perimeter
12:43 Serverless risks
15:43 OWASP serverless top 10
21:48 Traditional AppSec testing for cloud native
22:55 Traditional testing in modern CI/CD pipelines
24:26 iRobot serverless app
25:17 SCA & image scanning
25:57 Infrastructure as code
27:57 AppSec testing, redefined for the cloud
29:20 Example use case
31:52 One DevSecOps platform
Download slides and read the full abstract here:
Aaron Parecki • OAuth 2.0 Simplified • https://amzn.to/2A3IMOf
Aaron Parecki • OAuth 2.0 Servers • https://amzn.to/3ecHEsz
Aaron Parecki • The Little Book of OAuth 2.0 RFCs • https://amzn.to/3i7qnlC
Erdal Ozkaya • Cybersecurity: The Beginner's Guide • https://amzn.to/2T6OIj3
Richer & Sanso • OAuth 2 in Action • https://amzn.to/3hXiAH6
Scott Patterson • Learn AWS Serverless Computing • https://amzn.to/3upsNnH
Peter Sbarski • Serverless Architectures on AWS • https://amzn.to/3HrhVZZ
Adzic & Korac • Running Serverless • https://amzn.to/3ytdF7o
#Serverless #Security #Programming #ContrastSecurity #CloudEssence #CiscoCloudlock #Cloudlock #CloudNative #Cloud #DigitalTransformation #ServerlessArchitecture #DevOps #DevSecOps #Lambda #LambdaFunction #AWS #OWASP