Atul Ahire, McAfee
From a software development perspective, organizations adopting serverless architectures can focus on core product functionality, and completely disregard the underlying operating system, application server or software runtime environment. By developing applications using serverless architectures, you relieve yourself of the daunting task of constantly applying security patches for the underlying operating system and application servers; these tasks are now the responsibility of the serverless architecture provider.
There is a lot going for serverless right now. There is a community forming around these designs. Major cloud service providers such as Amazon Web Services (AWS), Microsoft and Google are pushing the concept. Large enterprises are even jumping on board. Serverless is real, and it’s here now. And yet, serverless is no silver bullet from a security perspective. Analysis of over 1,000 open-source serverless applications revealed that 21% of them have critical vulnerabilities or were misconfigured, according to security researchers. They also cited that six percent had their sensitive data, such as application program interface (API) keys and credentials, stored in publicly accessible repositories.
I will discuss how serverless changes security priorities and how to invest your security resources accordingly. We present best practices, processes, and tools to mitigate security issues in serverless applications.
Key takeaways include:
- What is serverless architecture?
- What are the most prevalent security issues in serverless apps?
- What is the impact of these security issues?
- Understand how serverless changes security priorities, and invest your security resources accordingly.
- Best practices, processes, and tools to mitigate security issues in a serverless application.
Atul Ahire, 2019 Technical Presentation, Paper