Session Name: Serverless Security: Putting the Sec in DevSecOps for an AWS Lambda based system
What does it mean to implement zero-trust and DevSecOps principles in a serverless environment? This is our story of hardening an AWS application based on serverless architecture. It all began with an idea for a brand-new plugin for the Atlassian Jira Agile tool. Our plugin uses an innovative design based on GoLang, AWS Athena, Lambdas, and DynamoDB, and the Atlassian AtlasKit SDK for ReactJS. Serverless applications have many nice features that help make them secure. Lambdas get their credentials injected at runtime, eliminating the need to store keys or credentials. Our SSO solution improves security still further, by creating temporary credentials for every session, eliminating static keys and credentials. Given this excellent foundation, we thought our MVP was ready for production! Alas, how mistaken we were...
In order to meet Atlassian’s strict cybersecurity guidelines, we implemented security tools including GitHub’s dependabot, AWS credential management services, AWS app firewall, gosec, ZAP tester, and Nessus. We will discuss lessons learned and what was unique to the serverless environment. We will also cover privilege audits, data, and disaster recovery.
Using serverless architecture confers many benefits, and by reducing the attack surface, they can be inherently more secure than alternative architectures. Nevertheless, there are important steps that must be taken to further improve security. This talk will shed light on how to get where we need to be
Craeg Strong is the CTO of Ariel Partners, a small IT consulting company based in Times Square. He is currently teaching public classes in Kanban and Human Centered Design and helping organizations transform themselves by connecting strategy with execution, handling dependencies, and improving quality. He has 25 years of experience in information technology, starting at Project Athena during his undergraduate studies at MIT. Mr. Strong led a successful transformation of a major Federal Criminal justice program from a traditional waterfall lifecycle and manually intensive processes to lighter weight agile processes, full DevOps automation, and cloud.