PODCAST: Is Serverless Application Security Really Appsec or New Techniques
As cloud-native services gain popularity, the debate around the security of such applications keeps growing. One of the first questions about cloud-native and serverless application security is whether it is actually different from application security, or whether it simply brings new techniques that better fit serverless and cloud-native threats. To answer this question and more, we got Hillel Solow, CTO & Co-Founder here at Protego, and Eoin Shanaghy, CTO of fourTheorem, to discuss the latest topics in cloud-native and serverless.
Understanding Cloud-Native, Beyond the Buzzword
With cloud-native architecture and true utility computing, there is a huge opportunity for new and existing businesses to push the accelerator down and go fast by taking advantage of cloud-native services, but they still have to understand how all these services work and how to put them together. For some organizations, the move to cloud-native development can be extremely confusing and is often done wrong if there isn't someone to guide them through the process. Eoin's own SLIC Starter does exactly that by allowing organizations to bootstrap their project and get into production quickly. According to Eoin, it is a production-grade application built according to a template that covers, in his words, "80% of the difficult decisions you have to make at the start of a project, that really stop you from rolling out your business features quickly"; the application itself is a simple checklist manager. SLIC Starter provides a complete project that you can deploy into your AWS account and then see how it all operates. It includes end-to-end tests as well as unit tests in the individual services, plus a full front-end. Finally, it provides the user account and authentication piece. You can check it out on GitHub or at slic.app.
AppSec That Should Rely on Automation
To answer our original question of whether cloud-native and serverless security is really just application security, Hillel started from the premise that when you deploy and operate an application that is essentially code behind an API, the security concerns are essentially application security concerns. The rest of the infrastructure security is, to a large degree, no longer the organization's problem, or at least no longer the problem it needs to solve. People do seem to realize that using technologies like serverless makes their part of the shared responsibility model suddenly smaller, and to appreciate the benefit of that.
However, it is essential to understand that cloud-native security requires organizations to constantly re-evaluate what they are doing about security. It may take some time before that is fully integrated into a rapidly accelerating delivery model, so that organizations evaluate and measure security continuously as they deploy and iterate. As with DevOps, it takes time before the tooling is well understood and integrated into developer and deployment workflows. To move fast while maintaining a stable security posture in the cloud-native world, we need security that is as automated as possible and fits into our process as well as possible. Accidents happen, and human error is ultimately what lets organizations down, so the more they rely on automation, the better.
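Hillel's point that cloud-native security should be automated and built into the delivery process can be made concrete with a pre-deployment check. The following is an added example, not code from the podcast, Protego, fourTheorem or SLIC Starter: it inspects a constructed IAM policy for a serverless function and flags wildcard permissions, so a CI step can fail the deployment before an over-privileged function reaches production. The sample policy document, the `resource_wildcard_ok` allowlist and the severity labels are assumptions of this example.

```python
"""Added example: automated least-privilege check for a serverless function's
IAM policy, intended to run as a CI gate before deployment.

Not code from Protego, fourTheorem or SLIC Starter. The policy below is a
constructed sample in the standard AWS policy-document shape; the severity
labels and the allowlist parameter are this example's own conventions.
"""
import json
import sys

# Constructed sample: the inline policy attached to one function's role.
# Statement 0 is well scoped; statement 1 grants every S3 action on every
# resource; statement 2 uses scoped actions but an unscoped resource.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/checklists"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy, resource_wildcard_ok=()):
    """Return one finding per Allow statement that is broader than it should be.

    resource_wildcard_ok: service prefixes (e.g. "logs") for which a
    Resource of "*" is accepted when every action in the statement belongs
    to that service. This allowlist is an assumption of the example.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resource = "*" in resources
        resource_allowlisted = (
            wild_resource and bool(actions)
            and all(a.split(":")[0] in resource_wildcard_ok for a in actions)
        )
        if wild_actions and wild_resource:
            findings.append({"statement": idx, "severity": "high",
                             "issue": f"wildcard action(s) {wild_actions} on all resources"})
        elif wild_actions:
            findings.append({"statement": idx, "severity": "medium",
                             "issue": f"wildcard action(s) {wild_actions}"})
        elif wild_resource and not resource_allowlisted:
            findings.append({"statement": idx, "severity": "medium",
                             "issue": "scoped actions but Resource is '*'"})
    return findings


def policy_passes_gate(policy, resource_wildcard_ok=(), fail_on=("high",)):
    """CI entry point: (passed, findings). Fails when any finding has a
    severity listed in fail_on; lower severities are reported but allowed."""
    findings = find_overbroad_statements(policy, resource_wildcard_ok)
    passed = not any(f["severity"] in fail_on for f in findings)
    return passed, findings


if __name__ == "__main__":
    # Usage: python iam_gate.py [policy.json]; with no argument the sample is used.
    policy = SAMPLE_POLICY
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    ok, report = policy_passes_gate(policy, resource_wildcard_ok=("logs",))
    print(json.dumps({"passed": ok, "findings": report}, indent=2))
    sys.exit(0 if ok else 1)
```

Run against the sample, the gate exits non-zero because of the `s3:*` on `*` statement, while the CloudWatch Logs statement is reported at medium severity and, with `logs` allowlisted, not reported at all. The value of a check like this is less in the rule itself than in where it sits: it runs on every deployment, so the re-evaluation Hillel describes happens without anyone having to remember to do it.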
Eoin and Peter Elger have released a book called AI as a Service, which is about next-generation cloud architectures and automation. You can get the book at aiasaservicebook.com and use the 40% discount code: podsrv19
Eoin will be speaking at Microservices Dublin on the 21st of June and ServerlessDays London.