Slide 1: Intro

Slide 2: What is Serverless?
• Full abstraction of servers
• Instant, scalable and event-driven
• Pay-per-use
  - 'Cloud is an operating system. Serverless is its native code!' (Erik Peterson, QCON)

Slide 3: Security benefits of Serverless
• Servers are maintained by the vendor
  - No server to be compromised?
• 'Gone in 60 Milliseconds' - Rich Jones
• Denial of Service is mitigated?

Slide 4: Attack Surface
• App shattered across the platform
• Lots of complexity
• Inner and outer attack surface

Slide 5: Third Party Libraries
• Simple Azure Function in C# - 10 lines
  - 50k lines for Azure Functions Host
  - 120k lines for Newtonsoft.JSON
• Vulnerability found/published
• Malicious/compromised package

Slide 6: Storing Secrets
• Environment variables
• Use platform vendor service
  - 'Secrets at Scale' - Ian Haken of Netflix

Slide 7: Encryption of data
• Protecting data in transit and at rest
  - Most vendors do 'transparent' encryption for data at rest
  - Consider 'Client-Side Encryption' in transit

Slide 8: Least Privilege
• Fit-for-purpose privileges
• Review or audit them over time

Slide 9: Software Supply Chain
• Automation is king!
• Deployment as code
• Separate different environments
  - Development

Slide 10: Conclusion
• Easy to create! Hard to keep track!
• Threat modelling
  - Compartmentalise
• Monitoring and logging
• Automate delivery and configuration
Description:
Explore serverless security and Functions-as-a-Service (FaaS) in this 34-minute OWASP Foundation talk by Niels Tanis. Delve into the security benefits and challenges of serverless architectures, including Azure Functions, AWS Lambda, and Google Cloud Functions. Learn about the reduced infrastructure management, increased resilience to DoS attacks, and potential vulnerabilities in serverless applications. Examine the complex architecture and attack surface of FaaS, software supply chain concerns, and the importance of patching for vulnerabilities. Discover key security areas to focus on when developing serverless applications, including third-party library management, secret storage, data encryption, least privilege principles, and software supply chain automation. Gain insights into threat modeling, monitoring, and logging for serverless environments, and understand the balance between ease of creation and complexity in maintaining secure serverless applications.

Serverless Security: Functions-as-a-Service (FaaS) - Challenges and Best Practices

OWASP Foundation