Why You Should Stop Caring About a Server That Isn’t Yours Anymore
Ops Perspective of servers
Developers' perspective of servers
- unconditional love
- tasty steak
- practical nutrition regardless of how bland it tastes
- to clean the litter box
- shovel cow shit
- to have to mix a bunch of powders in a blender bottle
The meme in the previous slide
Really tied the analogy together
if you want...
- OnDemand Computing Power
- Reasonable Entry Level Cost
- Relatively Portable Code
stop giving a shit about...
- How stupid the name serverless is
- What people will think of you for adopting the latest trend
- Vendor lock-in
- The fear of the unknown
- Of course there is still a server
- You missed the container/kubernetes wagon
- It's really cheap*
- Vendor lock-in is terrible, but you're smart
Because of course a computer is running your code; you just have the time and money to make that code even better!
What It Means When You Don’t Have to Worry About The Server
"The purpose of abstraction is not to be vague, but to create a new semantic level in which one can be absolutely precise" - Edsger Dijkstra
layers of abstraction
- Infrastructure (aaS)
- Containers (aaS)
- Platform (aaS)
- Functions (aaS)
how is serverless/faas unique?
- No server management
- Flexible scaling
- High availability
- No idle capacity, pay for what you use*
- *Unlogged and *free* background processes
- *Temporal availability of CPU on invocation
FaaS (event driven compute) + BaaS (managed data services)
Source: Nicolas Dao @neap.co
Trading control for responsibility
so...security should pack it up?
notice what's missing?
Whose Server Is It Now?
IBM Cloud Functions
zeit.co - now
How To Just Let GO...
It's not a calculated risk if you are bad at math
Watch out he's got a github repo
- No * actions allowed
- $1k bounty fail
- App Vuln => AWS Keys
- AWS Keys != Game Over
What can I do with this AWS Keypair [blackbox]?
Understand the risks of serverless....
- Get AWS Keys
- Run some aws cli commands
- aws s3 Sync/Ls/Rm/Cp
- aws rds Describe/Create/Modify
- aws dynamodb Scan/List/Query/Get
- aws ses Send/Get/List
- aws lambda Invoke/Update/List/Put
- aws sts AssumeRole
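Added example, not from the deck or its author: a small linter for the "No * actions allowed" rule from the earlier slide, run over two constructed Lambda execution-role policies. The first would let a leaked keypair run the s3/dynamodb commands listed above across the whole account; the second is scoped so that the same leak is not game over. Bucket, table and account-id values are constructed placeholders.

```python
"""Flag IAM Allow statements that grant wildcard actions or resources.
Example code, not from the slides; policy documents below are constructed."""
import json


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy_doc):
    """Return (statement index, action, resource) for every Allow statement
    whose action contains '*' (e.g. 's3:*' or '*') or whose resource is the
    bare '*'. A fully qualified action on a specific ARN is not reported."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                if "*" in action or resource == "*":
                    findings.append((idx, action, resource))
    return findings


# Constructed sample: a role that turns leaked keys into "aws s3 sync" and
# "aws dynamodb scan" against every bucket and table in the account.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:Scan", "dynamodb:Query"],
         "Resource": "*"},
    ],
})

# Constructed sample: the same role limited to one prefix and one table.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-uploads/incoming/*"},
        {"Effect": "Allow", "Action": "dynamodb:Query",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
    ],
})
```

Running the linter in CI against every function's role policy is one way to enforce the rule before deploy rather than after a key leak.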
aws Serverless Hacking
Caution using frameworks
your code doesn't just mean the code you wrote
mitigate the risks
It's talk like a pirate day!
- Developers 'n testers o'er security specialists
- Build security while we work, nah as an afterthought
- Secure implementation o'er security features
- Mitigate risks afore identifyin' more bugs
AppSec Pirate Manifesto
By Cody Sparky Wood