, 14 tweets, 5 min read Read on Twitter
Next up: Serverless Security; your code, your responsibility by @orysegal #ServerlessDaysBOS
Ory is CTO of PURESEC, focused on serverless security - long history of working in security #ServerlessDaysBOS
In early days of serverless there was a "not your servers not your problem" mindset - this is not true #ServerlessDaysBOS
Must keep the shared model of responsibility in mind even when using serverless. #ServerlessDaysBOS
When using serverless, the shared responsibility model puts more on the vendor, so there's less that you as an app developer need to worry about. I.E. OS patching - they can patch in fewer than 24 hours, while many in-house take years #ServerlessDaysBOS
Attack surfaces in serverless - bad actors can inject to the event sources to push malicious data in; can deploy functions out of band (from bad credential/policy management); dependency poisoning (i.e. the npm package that had a bitcoin miner) #ServerlessDaysBOS
Also make sure to close your S3 bucket so the bad actor cannot compromise the data #ServerlessDaysBOS
Traditional security usually needs infrastructure to deploy it on, serverless needs it's own native tools since app devs no longer have control over the infrastructure #ServerlessDaysBOS
On serverless, your security is reduced to good coding and strict configuration #ServerlessDaysBOS
Need the lowest amount of privilege possible that lets your function run. This is hard - the IAM model is powerful but difficult to get right, and there's a human factor of people not knowing or wanting more permissions #ServerlessDaysBOS
Overprivileged roles are one of the main sources of insecurity in serverless #ServerlessDaysBOS
Getting permissions right - use a role-per-function model; use SAM managed policies; use tools to help limit roles #ServerlessDaysBOS
Fun examples of winning bounties of serverless security: one using unsecured s3 buckets, one exploiting a bad email parser #ServerlessDaysBOS
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Ann Guilinger
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!