Serverless Security: Functions-as-a-Service (FaaS) - Challenges and Best Practices

OWASP Foundation via YouTube


  1. Intro
  2. What is Serverless?
     • Full abstraction of servers
     • Instant, scalable and event-driven
     • Pay-per-use
     • "Cloud is an operating system. Serverless is its native code!" (Erik Peterson, QCon)
  3. Security benefits of Serverless
     • Servers are maintained by the vendor
       - No server to be compromised?
     • "Gone in 60 Milliseconds" - Rich Jones
     • Denial of Service is mitigated?
  4. Attack Surface
     • App shattered across the platform
     • Lots of complexity
     • Inner and outer attack surface
  5. Third Party Libraries
     • Simple Azure Function in C# - 10 lines
       - 50k lines for the Azure Functions Host
       - 120k lines for Newtonsoft.JSON
     • Vulnerability found/published
     • Malicious/compromised package
  6. Storing Secrets
     • Environment variables
     • Use the platform vendor's service
       - "Secrets at Scale" - Ian Haken of Netflix
  7. Encryption of data
     • Protecting data in transit and at rest
       - Most vendors do "transparent" encryption for data at rest
       - Consider "Client-Side Encryption" in transit
  8. Least Privilege
     • Fit-for-purpose privileges
     • Review or audit them over time
  9. Software Supply Chain
     • Automation is king!
     • Deployment as code
     • Separate different environments
     • Development
  10. Conclusion
     • Easy to create! Hard to keep track!
     • Threat modelling
       - Compartmentalise
     • Monitoring and logging
     • Automate delivery and configuration
