Serious attention is being paid to Serverless and Functions as a Service (FaaS), enough to warrant some introspection from a security practitioner's perspective. This talk examines the shift from traditional security to cloud and serverless security models. See how security professionals can prepare for a business culture that encourages breaking down silos and democratizing security across the organization.
The idea of FaaS does not fundamentally differ from traditional cloud compute resources with regard to the impact of a successful attack. However, the risk directly imposed on the organization is heavily reduced and primarily concerns developer-defined code and configurations.
In this talk we examine ...
As security practitioners we need to accept that learning some aspect of development is as important as understanding what an IP is.
First we’ll need to define, contextualize, and visualize the terminology from a security perspective:
- Agile to DevOps progression
- CI/CD
- Microservice
- Build Automation
- Containers
- Pipelines
- Abstract of SDLC pipeline
- Typical SDLC pipeline (FOSS)
- Security centric DevOps pipeline (FOSS/Service)
There’s a high likelihood that your organization is either considering or currently adopting some aspect of the DevOps culture, and possibly testing services on serverless technologies. What can you, as either a practicing security professional or an interested stakeholder, do to prepare for a business culture that encourages breaking down silos and democratizing security across the organization? One of the greatest benefits of all of this is the ubiquity of REST APIs and web services. Traditionally, breaking into or practicing security required a deep understanding of network-level protocols and tools like Nmap, Metasploit, etc. DevOps can be viewed as operations getting a seat at the table in previously development-driven conversations. The newest approach is DevSecOps, Rugged DevOps, InfraOps, or some other term we’ve yet to settle on in the industry. However, these terms are the best way of saying that security finally has a place at the table, and many of us realize we weren’t all that prepared for it. What can you do to get prepared, and how can you have an impact in an environment that never seems to stop changing?