Securing Serverless--By Breaking In

Session abstract

Serverless rocks the security boat. Ad hoc servers we don’t manage rid us of certain security concerns, whereas the proliferation of cheap microservices raises others. In this session, you’ll experience these security concerns live as a vulnerable serverless application is broken into and multiple weaknesses are exploited. You’ll leave the session with a better understanding of the mistakes you can make, their implications, and how you can avoid them.


Name: Simon Maple
Title: Director of Developer Advocacy
Company: Snyk

Session Info

Session type: Developer Session
Track: Containers, Serverless, and Cloud

My Notes

Serverless: we just drop code and assume that it is elastic.

His demo is done with Spring functions. Spring functions use Spring Boot underneath, which makes serverless kind of a joke, as Spring Boot actually embeds a …. server :-)

The amount of code you write yourself is tiny compared to what is deployed, including dependencies. Hackers don't care whether you wrote it or someone else did, so vulnerable dependencies are just as much a way in as your own code.

He uses AWS for his demo and Snyk to scan for vulnerable dependencies.

He demoes some vulnerabilities.

  • beware of vulnerable libraries
  • deployment granularity
  • permissions granularity
  • a function is a perimeter
  • don’t rely on immutability
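Added example for two of the points above, "a function is a perimeter" and "don't rely on immutability". This is not code from the talk or from Snyk. A Lambda execution environment that is kept warm reuses the same process for consecutive invocations, so whatever a handler leaves in module globals (or in /tmp) is visible to the next caller. The WarmContainer class below is a constructed stand-in for that runtime (no AWS dependency), and the event payloads, names and the URL are made up.

```python
# Added example, not code from the talk or from Snyk. Shows why per-invocation
# state and input validation belong inside every function: a warm container
# keeps module globals alive between callers. WarmContainer is a constructed
# stand-in for the Lambda runtime; the payloads below are made up.
import re

# ---------------------------------------------------------------------------
# Vulnerable handler: trusts upstream to have validated the event and keeps a
# cache in module scope "because each invocation is a fresh environment".
# ---------------------------------------------------------------------------
_RENDER_CACHE = {}  # lives as long as the (warm) container does


def greeting_vulnerable(event):
    # The first caller to reach this container decides the template for
    # everyone who follows, and the template is caller-controlled.
    template = event.get("template", "Hello, {name}!")
    _RENDER_CACHE.setdefault("template", template)
    return _RENDER_CACHE["template"].format(name=event.get("name", "world"))


# ---------------------------------------------------------------------------
# Hardened handler: validates at its own boundary, never takes a template
# from the caller, and keeps nothing that outlives the invocation.
# ---------------------------------------------------------------------------
_NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}")


def greeting_hardened(event):
    name = event.get("name", "world")
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        return {"statusCode": 400, "body": "invalid name"}
    return {"statusCode": 200, "body": f"Hello, {name}!"}


class WarmContainer:
    """Constructed stand-in for a Lambda execution environment that stays
    warm: every event is handled in the same process, same module globals."""

    def __init__(self, handler):
        self.handler = handler

    def invoke_all(self, events):
        return [self.handler(e) for e in events]


def cold_start():
    """Simulate a fresh container. A deployment cannot rely on this happening
    between two callers, which is the whole point of the bullet."""
    _RENDER_CACHE.clear()


# Constructed payloads: Mallory's request arrives first and poisons the cache.
ATTACKER_EVENT = {"name": "Mallory",
                  "template": "{name}, log in at https://evil.example/"}
VICTIM_EVENT = {"name": "Alice"}


def demo(handler):
    """Run attacker then victim through one warm container, return both results."""
    cold_start()
    return WarmContainer(handler).invoke_all([ATTACKER_EVENT, VICTIM_EVENT])


if __name__ == "__main__":
    print(demo(greeting_vulnerable))  # Alice is served Mallory's template
    print(demo(greeting_hardened))    # Alice gets "Hello, Alice!"
```

The hardened handler also rejects a name such as `{name.__class__}`, which `str.format` would otherwise happily evaluate; the validation happens in the function itself rather than being delegated to an API gateway or an upstream function, because in a serverless deployment each function can be invoked through several paths and is its own perimeter.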

Good talk, but there is some Snyk promotion in there :-)