Why You Should Stop Caring About a Server That Isn’t Yours Anymore


Ops Perspective of servers

Developers perspective of servers


  • unconditional love
  • tasty steak
  • practical nutrition regardless of how bland it tastes

don't want

  • to clean the litter box
  • shovel cow shit
  • to have to mix a bunch of powders in a blender bottle

The meme in the previous slide

Really tied the analogy together

if you want...

  • OnDemand Computing Power
  • Scalable
  • Reasonable Entry Level Cost
  • Relatively Portable Code

stop giving a shit about...

  • How stupid the name serverless is
  • What people will think of you for adopting the latest trend
  • Vendor lock-in
  • The fear of the unknown


  • Of course there is still a server
  • You missed the container/kubernetes wagon
  • It's really cheap*
  • Vendor lock-in is terrible, but you're smart

So...embrace serverless!

because of course a computer is still running your code; you just have the time/money to make that code even better!

What It Means When You Don’t Have to Worry About The Server

"The purpose of abstraction is not to be vague, but to create a new semantic level in which one can be absolutely precise" - Edsger Dijkstra

layers of abstraction

  • OnPrem/Colocation
  • Infrastructure (aaS)
  • Containers (aaS)
  • Platform (aaS)
  • Functions (aaS)

how is serverless/faas unique?

  • No server management
  • Flexible scaling
  • High availability
  • No idle capacity, pay for what you use*
  • *Unlogged and *free* background processes
  • *Temporal availability of CPU on invocation

serverless =

FaaS (event driven compute) + BaaS (managed data services)

Trading control for responsibility

so...security should pack it up?

notice what's missing?

source: snyk.io

Whose Server is it Now?

IBM Cloud Functions

zeit.co - now


How To Just Let GO...

It's not a calculated risk if you are bad at math

Watch out he's got a github repo

  • No * actions allowed
  • $1k bounty fail
  • App Vuln => AWS Keys
  • AWS Keys != Game Over

What can I do with this AWS Keypair [blackbox]?

Understand the risks of serverless....

Step one

  • Get AWS Keys

Step two

  • Run some aws cli commands
  • aws s3 Sync/Ls/Rm/Cp
  • aws rds Describe/Create/Modify
  • aws dynamodb Scan/List/Query/Get
  • aws ses Send/Get/List
  • aws lambda Invoke/Update/List/Put
  • aws sts AssumeRole

aws Serverless Hacking

Caution using frameworks

your code doesn't just mean the code you wrote

mitigate the risks


It's talk like a pirate day!

  • Developers 'n testers o'er security specialists
  • Build security while we work, nah as an afterthought
  • Secure implementation o'er security features
  • Mitigate risks afore identifyin' more bugs

AppSec Pirate Manifesto


By Cody Sparky Wood