Serverless rocks the security boat. Ad hoc servers we don’t manage rid us of certain security concerns, whereas the proliferation of cheap microservices raises others. In this session, you’ll experience these security concerns live as a vulnerable serverless application is broken into and multiple weaknesses are exploited. You’ll leave the session with a better understanding of the mistakes you can make, their implications, and how you can avoid them.
Speaker: Simon Maple, Director of Developer Advocacy, Snyk
Session type: Developer Session; Track: Containers, Serverless, and Cloud
With serverless we just drop code in and assume that it is elastic.
His demo is done with Spring Functions. Spring Functions uses Spring Boot underneath, which makes serverless kind of a joke, as Spring Boot actually embeds a …. server :-)
The amount of code you write yourself is tiny compared to what is deployed, including dependencies. Hackers don't care whether you wrote it or someone else did, so vulnerable dependencies are just as much a way in as your own code.
He uses AWS for his demo and snyk.io to scan for vulnerable dependencies.
He demos some vulnerabilities.
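To make the "deployed code is mostly dependencies" point concrete, here is an added example (not code from the talk, from Snyk, or from Spring) of what a dependency scanner does at its core: it flattens the resolved dependency tree, including transitive dependencies the function's own code never mentions, and matches each version against an advisory feed. The advisory feed, the advisory ids and the dependency tree are constructed for the example, not real CVEs or real libraries.

```python
"""Minimal dependency-advisory matcher (added example; the advisory feed and
the dependency tree below are constructed, not a real feed or real CVEs)."""
import re
from typing import Dict, List, Tuple

# Constructed advisory feed: coordinate -> list of (vulnerable range, advisory id).
# A range is a comma-separated list of constraints that must all hold.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "org.example:json-parser": [("<2.9.10", "EXAMPLE-ADV-001")],
    "org.example:http-client": [(">=4.0,<4.5.3", "EXAMPLE-ADV-002")],
}

# Constructed dependency tree as a build tool would resolve it:
# coordinate -> (version, [direct child coordinates]).
# The function itself declares two dependencies; http-client is transitive.
DEPENDENCY_TREE = {
    "com.acme:order-function": ("1.0.0", ["org.example:web-framework",
                                          "org.example:json-parser"]),
    "org.example:web-framework": ("3.1.0", ["org.example:http-client"]),
    "org.example:http-client": ("4.5.1", []),
    "org.example:json-parser": ("2.9.7", []),
}

_CONSTRAINT = re.compile(r"^(<=|>=|==|<|>)\s*([0-9][0-9.]*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.9.10' -> (2, 9, 10); numeric dotted versions only."""
    return tuple(int(part) for part in text.split("."))


def _compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Three-way compare, padding the shorter tuple with zeros (4.0 == 4.0.0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` meets one constraint such as '<2.9.10' or '>=4.0'."""
    match = _CONSTRAINT.match(constraint.strip())
    if not match:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, bound = match.group(1), parse_version(match.group(2))
    c = _compare(parse_version(version), bound)
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "==": c == 0}[op]


def in_range(version: str, range_expr: str) -> bool:
    """True if every constraint in the comma-separated range holds."""
    return all(satisfies(version, c) for c in range_expr.split(","))


def flatten(tree: dict, root: str) -> Dict[str, str]:
    """Walk the tree from `root`; return {coordinate: version} for every
    transitive dependency, so indirect libraries are scanned too."""
    seen: Dict[str, str] = {}
    stack = [root]
    while stack:
        coord = stack.pop()
        if coord in seen:
            continue
        version, children = tree[coord]
        seen[coord] = version
        stack.extend(children)
    return seen


def scan(tree: dict, root: str, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, advisory id) for each matched advisory."""
    findings = []
    for coord, version in sorted(flatten(tree, root).items()):
        for range_expr, adv_id in advisories.get(coord, []):
            if in_range(version, range_expr):
                findings.append((coord, version, adv_id))
    return findings


if __name__ == "__main__":
    for coord, version, adv_id in scan(DEPENDENCY_TREE, "com.acme:order-function"):
        print(f"{coord}@{version}: {adv_id}")
```

The interesting finding is the one against `org.example:http-client`: the function never declares it, it arrives through the web framework, and it is still part of what gets deployed and exposed. Real scanners add qualifier-aware version parsing, ecosystem-specific range syntax and reachability analysis on top of this matching step.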
- beware of vulnerable libraries
- deployment granularity
- permissions granularity
- a function is a perimeter
- don’t rely on immutability
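The last takeaway, don't rely on immutability, is easy to get wrong because a cold start hides the problem. The following added example (mine, not the speaker's or any vendor's code) simulates a warm container by invoking one handler repeatedly in the same process: a handler that caches an authorization decision in module scope serves the first caller's answer to every later caller, while the safe handler decides on every invocation. The ACL, the users and the events are constructed for the example.

```python
"""Simulated warm serverless container (added example; the ACL, users and
events are constructed)."""
from typing import Callable, Dict, List, Set

# Constructed access list: resource -> users allowed to read it.
ACL: Dict[str, Set[str]] = {"invoice-42": {"alice"}, "invoice-99": {"bob"}}

# Module-level state. A warm container reuses the same process, so anything
# at module scope survives from one invocation to the next.
_decision_cache: Dict[str, bool] = {}


def handler_leaky(event: dict) -> bool:
    """Caches the authorization decision keyed only by resource.
    Whoever calls first decides the cached answer for everyone after."""
    resource = event["resource"]
    if resource not in _decision_cache:
        _decision_cache[resource] = event["user"] in ACL.get(resource, set())
    return _decision_cache[resource]


def handler_safe(event: dict) -> bool:
    """Authorizes on every invocation and keeps nothing in module scope."""
    return event["user"] in ACL.get(event["resource"], set())


def cold_start() -> None:
    """Simulate a fresh container: module state is rebuilt from scratch."""
    _decision_cache.clear()


def warm_container(handler: Callable[[dict], bool], events: List[dict]) -> List[bool]:
    """Run `handler` for each event in the same process, as a reused container would."""
    return [handler(event) for event in events]


# Constructed invocation sequence hitting the same warm container.
EVENTS = [
    {"user": "alice", "resource": "invoice-42"},    # legitimate reader
    {"user": "mallory", "resource": "invoice-42"},  # must be denied
]

if __name__ == "__main__":
    cold_start()
    print("leaky:", warm_container(handler_leaky, EVENTS))  # second answer is wrong
    cold_start()
    print("safe: ", warm_container(handler_safe, EVENTS))
```

Note what `cold_start()` shows: run each request alone on a fresh container and both handlers look correct, which is exactly how this class of bug passes a test suite and only appears under load, when containers are reused. Any per-request data (decisions, tokens, tenant ids, files written to the scratch directory) has to be treated as possibly left over from someone else's invocation.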
Good talk, but there is some Snyk promotion in there :-)