YouTube videos curated by Class Central.
Serverless Security: Functions-as-a-Service (FaaS) - Challenges and Best Practices
- 1 Intro
- 2 What is Serverless?
  • Full abstraction of servers
  • Instant, scalable and event-driven
  • Pay-per-use
    . 'Cloud is an operating system; Serverless is its native code!' (Erik Peterson, QCon)
- 3 Security benefits of Serverless
  • Servers are maintained by the vendor
    . No server to be compromised?
  • 'Gone in 60 Milliseconds' (Rich Jones)
  • Denial of Service is mitigated?
- 4 Attack Surface
  • App shattered across the platform
  • Lots of complexity
  • Inner and outer attack surface
- 5 Third Party Libraries
  • Simple Azure Function in C#: 10 lines
    . 50k lines for the Azure Functions Host
    . 120k lines for Newtonsoft.Json
  • Vulnerability found/published
  • Malicious/compromised package
- 6 Storing Secrets
  • Environment variables
  • Use the platform vendor's secrets service
    . 'Secrets at Scale' (Ian Haken, Netflix)
- 7 Encryption of data
  • Protecting data in transit and at rest
    . Most vendors do 'transparent' encryption for data at rest
    . Consider client-side encryption in transit
- 8 Least Privilege
  • Fit-for-purpose privileges
  • Review or audit them over time
- 9 Software Supply Chain
  • Automation is king!
  • Deployment as code
  • Separate different environments
  • Development
- 10 Conclusion
  • Easy to create! Hard to keep track!
  • Threat modelling
    . Compartmentalise
  • Monitoring and logging
  • Automate delivery and configuration
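Chapter 5 makes the point that a ten-line function drags in hundreds of thousands of lines of third-party code, and that the two things that go wrong are a published vulnerability in a pinned version and a malicious or substituted package. The following is an added example, not code from the talk: a small manifest audit in Python that parses a pip-style requirements file and flags floating versions, pins without a hash, artifacts whose hash no longer matches the one recorded at review time, and versions listed in an advisory table. The package names, the advisory table and the reviewed-hash allowlist are constructed sample data and do not describe real packages or real advisories.

```python
"""Audit a dependency manifest for the third-party-library risks listed in chapter 5.

Added example, not code from the talk. The manifest uses pip's requirements.txt
syntax (== pins, backslash continuations and --hash=sha256:... options). The
package names, the advisory table and the reviewed-hash allowlist below are
constructed sample data, not real packages or real advisories.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed: the artifact hash recorded when each package was last reviewed.
REVIEWED_HASHES = {
    "acme-json": {"1f" * 32},
    "acme-http": {"2e" * 32},
}

# Constructed: exact versions with a published vulnerability.
ADVISORIES = {
    "acme-http": {"1.26.5"},
}

# Constructed manifest exercising each case: clean, changed artifact plus
# vulnerable version, unpinned, and pinned without a hash.
SAMPLE_MANIFEST = f"""\
acme-json==2.31.0 --hash=sha256:{'1f' * 32}
acme-http==1.26.5 \\
    --hash=sha256:{'3d' * 32}
acme-yaml                      # floating version: whatever the index serves
acme-templating==3.1.2         # pinned, but no hash to detect substitution
"""


@dataclass
class Requirement:
    name: str
    version: Optional[str]             # None when the line is not pinned with ==
    hashes: list = field(default_factory=list)


_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([0-9][0-9A-Za-z.]*))?")
_HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def _logical_lines(text):
    """Join backslash-continued lines the way pip does."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_requirements(text):
    """Return one Requirement per non-empty, non-comment logical line."""
    reqs = []
    for line in _logical_lines(text):
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _REQ.match(line)
        if not m:
            continue
        reqs.append(Requirement(m.group(1).lower(), m.group(2), _HASH.findall(line)))
    return reqs


def audit(reqs, advisories=ADVISORIES, reviewed=REVIEWED_HASHES):
    """Return (package, finding) pairs; an empty list means the manifest is clean."""
    findings = []
    for r in reqs:
        if r.version is None:
            findings.append((r.name, "not pinned: the next install may pull a different release"))
            continue
        if not r.hashes:
            findings.append((r.name, "no --hash: a substituted artifact would install silently"))
        for h in r.hashes:
            if h not in reviewed.get(r.name, set()):
                findings.append((r.name, "artifact hash differs from the reviewed build"))
        if r.version in advisories.get(r.name, set()):
            findings.append((r.name, f"version {r.version} has a published vulnerability"))
    return findings


def audit_sample():
    """Run the audit over the constructed manifest."""
    return audit(parse_requirements(SAMPLE_MANIFEST))


if __name__ == "__main__":
    for pkg, why in audit_sample():
        print(f"{pkg}: {why}")
```

The hash check is what catches the "malicious/compromised package" case: a pinned version tells you which release you asked for, but only a hash recorded at review time tells you the artifact being installed is the one you reviewed. In a real pipeline the advisory table would come from a vulnerability feed and the allowlist from your lock file; here both are inline so the script runs offline.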
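Chapter 8 asks for two things: privileges that are fit for purpose, and a review of them over time. The following is an added example, not code from the talk, of what that review looks like as code. It takes a constructed execution-role policy in AWS IAM JSON shape (Version/Statement/Effect/Action/Resource) together with a constructed set of actions the function actually invoked during a review window (the sort of data a CloudTrail or access-advisor export gives you), flags wildcard grants, lists grants nothing used, and rewrites each Allow statement down to the actions observed. The bucket, table, account and function names are made up.

```python
"""Least-privilege review of a function's execution-role policy (chapter 8).

Added example, not code from the talk. SAMPLE_POLICY is a constructed document
in AWS IAM JSON shape; USED_ACTIONS is a constructed stand-in for the actions a
CloudTrail or access-advisor export would show for the review window. All
resource names and the account id are made up.
"""
import fnmatch
import json

# Constructed: what a quickly written "order-handler" role often looks like.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::orders-input/*"},
    {"Effect": "Allow",
     "Action": "dynamodb:*",
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:eu-west-1:111122223333:log-group:/aws/lambda/order-handler:*"}
  ]
}
""")

# Constructed: actions the function invoked during the review window.
USED_ACTIONS = {
    "s3:GetObject",
    "dynamodb:GetItem", "dynamodb:PutItem",
    "logs:CreateLogStream", "logs:PutLogEvents",
}


def _as_list(v):
    # IAM allows a single string or a list in Statement, Action and Resource.
    return v if isinstance(v, list) else [v]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def broad_grants(policy):
    """Flag grants that are not fit for purpose: service or global wildcards."""
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        for a in _as_list(st.get("Action", [])):
            if a == "*":
                findings.append((i, "Action '*' allows every API call"))
            elif a.endswith(":*"):
                findings.append((i, f"Action '{a}' allows the whole service"))
        for r in _as_list(st.get("Resource", [])):
            if r == "*":
                findings.append((i, "Resource '*' applies the grant to every resource"))
    return findings


def unused_grants(policy, used):
    """Granted action patterns that nothing matched during the review window."""
    unused = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for pat in _as_list(st.get("Action", [])):
            if not any(_matches(pat, u) for u in used):
                unused.append(pat)
    return unused


def tighten(policy, used):
    """Rewrite each Allow statement to the concrete actions observed in use.

    Wildcard resources are left alone on purpose: usage data says which actions
    were called, not which resources, so narrowing Resource stays a human step.
    """
    new = json.loads(json.dumps(policy))        # deep copy; original is untouched
    for st in _as_list(new["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        patterns = _as_list(st.get("Action", []))
        st["Action"] = sorted(u for u in used if any(_matches(p, u) for p in patterns))
    return new


if __name__ == "__main__":
    print("broad grants:", broad_grants(SAMPLE_POLICY))
    print("unused grants:", unused_grants(SAMPLE_POLICY, USED_ACTIONS))
    print(json.dumps(tighten(SAMPLE_POLICY, USED_ACTIONS), indent=2))
```

Running this on the sample flags the `dynamodb:*` service wildcard and the `*` resource in the second statement, reports `s3:PutObject` as granted but never used, and produces a policy whose second statement allows only `dynamodb:GetItem` and `dynamodb:PutItem`. The `Resource: "*"` finding survives the rewrite, which is the point: the audit can shrink actions from usage data, but scoping the table ARN is a decision the reviewer has to make. Scheduling this against the real usage export is the "review or audit them over time" half of the chapter.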