What’s NOT news is that serverless (or ‘OS-less’) technology is rapidly expanding. Product architecture and engineering teams are predominantly rooting for serverless adoption because of the abstraction the technology provides: it lets them focus on writing code without having to worry about the techOps layers beneath it. It also allows them to integrate cloud apps at lower cost and with greater operational efficiency.
However, as with the adoption of any lucrative technology, serverless comes with its fair share of “ifs and buts” in security considerations. As with any developer-driven technology (e.g. containers and VMs), securing serverless is critical. In addition to fundamental gaps in visibility and control, securing serverless deployments requires newer approaches and techniques than traditional application stacks do. Ironically, the advantages gained by transferring responsibility for scalable, high-performing infrastructure to Amazon, Google, Microsoft, etc. come with an equal responsibility for code security: specifically, the integrity and assurance of the code, the identities of the code and its developers, permissioning, and serverless configuration, including network connectivity.
In this webinar, we take a closer look at the OWASP Serverless Top 10 project, a practical guide that baselines the OWASP Top 10 against serverless deployments. The project introduces developers and security practitioners to the most common attack surfaces to which serverless applications are susceptible. We love being hands-on, and will therefore also demonstrate the following vulnerabilities for a more in-depth and practical understanding:
• Functional Data Event Injection
• XML Entities and Deserialization Attacks
• ReDoS Attack
Key Takeaways
1. Areas of security concern in serverless deployments
2. Potential attack surfaces of typical serverless applications
3. The OWASP Serverless Top 10
4. Practical attack demonstrations