Bsides Seattle 2020

Serverless applications are the latest trend that is disrupting the world of microservices. Microservices enables developers to move faster with continuous delivery and deployment of large, enterprise applications. They offer loose coupling through modularity, scalability and fault isolation and resiliency from a security perspective. However, the resulting distributed systems are often complex with a large attack surface, making traditional security assessments difficult.  Tasks such as security design review, threat modeling, security code reviews and especially security testing becomes challenging due to the overall scope of feature deployment spanned across multiple services and domains and the speed at which these are deployed.  Therefore, if security is not baked into the design and architecture, the applications are suspectable to a variety of security attacks.
The main purpose of this presentation is to discuss the common security pitfalls associated with serverless application variable such as “Backend-as-a-Service” (BaaS) or “Functions-as-a-service” (FaaS). The talk will also cover discuss microservices architecture and design in order to analyze how certain aspects of security is achievable at scale through these patterns.

The target audience for this talk is security engineers, security architects, software development engineers and managers, and anyone who is involved in designing and deploying the end to end applications based on microservices oriented architecture. The attendees will walk away with a general understanding of security issues related to serverless applications and a framework to mitigate residual risk challenges through secure design patterns.