Talking Serverless Security With Jeremiah Grossman

I always enjoy talking about application security, whenever I have the chance, and with pretty much anyone. Having said that, throughout the years, I was fortunate enough to befriend a small group of people with which every discussion is always intriguing, challenging and truly inspiring. Within this group of people, Jeremiah Grossman is definitely somewhere at the top of the list.

I’m extremely excited to finally spend some time catching up with Jeremiah on serverless & security, and bring his thoughts to our audience. I’ve known Jeremiah for almost 20 years now, at times, we worked at competing companies, but we also collaborated a lot, on developing awareness for web application security – mainly through the Web Application Security Consortium (WASC) and OWASP.  

Sponsorships Available

Sponsorships Available

Sponsorships Available

In the application security world, Jeremiah is the closest we have to a rockstar, however, if you’re coming from a different background, here’s a quick biography: 

Jeremiah is the Founder of WhiteHat Security. He is a world-renowned professional hacker. Brazilian Jiu-Jitsu Black Belt. Published Author. Influential Blogger. Off-Road Race Driver. Jeremiah’s career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry’s biggest names. Jeremiah has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for privately informing them of weaknesses in their systems — a polite way of saying, ‘hacking them’. Jeremiah has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world who rely upon his expertise regularly. Jeremiah Grossman is the ultimate ‘white hat.’

Ory: Hey Jer, can you tell us a little bit about your latest endeavors? what are you up to these days?

Jeremiah: I like staying busy, so I’m always up to something – often 100 things! Where I’m focusing most of my energy these days is on Bit Discovery. Bit Discovery’s focus is on asset inventory. Asset inventory is by far the important and unsolved problem in all of information security, arguably all of IT. Obviously you can’t secure what you don’t know you own. Our vision is helping organizations create a comprehensive and up-to-day asset inventory of all their Internet-facing assets in under a few minutes.

Ory: Interesting. I can see how asset inventory is extremely relevant for serverless, we’ll touch upon this topic a bit later 🙂

It seems that when I’m talking to my friends and acquaintances from the application security world, many of them don’t have enough in-depth knowledge about serverless, or Function-as-a-Service. Any idea why this is the case?

Jeremiah: In my experience, the cutting-edge application security knowledge primarily follows behind whatever programming languages, tools, frameworks, and processes that are adopted by the larger software development community. So, there is always going to be a lag time.

Aside from a few individuals in the community that thankfully lead the way, it’s always at least two years before application security catches up. All application security experts should first learn what it is that modern software developers are using, such as serverless, and then learn what’s necessary to properly harden those environments.

Ory: speaking of developers, when adopting serverless, developers are the ones responsible for designing, developing and oftentimes deploying applications – how do you see “traditional” IT security / InfoSec folks getting involved in the process? I’m forecasting that we’re going to see a lot of Shadow Cloud IT… which means that it’s going to be hard to know what apps you actually have facing the internet and in risk…

Jeremiah: As I’m sure you’d agree, forecasting ‘Shadow Cloud IT’ is a bit like predicting the present. In many ways, that was one of the main value propositions of ‘the cloud,’ being able to bypass IT with the swipe of a credit card by anyone in the organization. That said, I also think you’re onto something here. What I think happens with serverless, and the surrounding deployment approaches, we’re going to witness even more applications be launched with security out of the loop. My advise, security professionals must be closely engaged with the workflows of the serverless teams so they can get immediate visibility to their activities and how it might impact the overall security of the organization. Everything follows visibility.

Ory: Since serverless applications are not necessarily exposing a web interface (most functions are triggered by other events such as: email events, Cloud DB changes, S3 bucket changes, etc.) – it’s becoming extremely hard to pen-test (manually, and certainly automatically) these apps. I’m seeing a huge issue with SAST (Static Application Security Testing) & DAST (Dynamic Application Security Testing) when it comes to serverless. Given your background in this domain, it would be great to hear your thoughts.

Jeremiah: 100% agree. Since the widespread adoption of heavily javascript-based web applications, security testing them with either DAST or SAST or manual penetration testing has been steadily getting more challenging. If we had to guess, code coverage has likely be steadily reducing, which is troubling. However, there is also an interesting and strange trade-off worth considering. The adversaries generally use the same tools and techniques to find and exploit vulnerabilities as professional penetration testers do. As such, everyone involved is generally and equally having a more difficult time detecting and testing the entire attack surface of a given application. So for the moment, things are equalled out. How long this will last is anyone’s guess.

Ory: What would be your top 3 recommendations for the modern day CISO, that has to face the new world of serverless and AWS Lambda Security?

Jeremiah:

1. Learn all you can about serverless technology. What makes it so attractive as a development environment and what are the inherent risks of utilization.
2. Learn where in the environment, serverless is being deployed and integrate the security teams into the application development workflow, even if it’s just being able to monitor change rates.
3. Serverless, like any other new development technology, has security concerns and keeping up on vulnerability remediation will be crucial. Establish the best approach for when an issue is identified, how it gets resolved as fast and comprehensively as possible. Also, strongly consider other additional precaution to proactively harden the system and ideally be able to detect if anything is under attack or compromised.

Ory: When adopting serverless, we essentially break down applications into small functions, basically microservices (or nano-services). Any thoughts on how this might affect security (for better or worse)

Jeremiah: I find that smaller units of code are far easier to understand, secure, and support than the more common monolithic applications. So, that’s a good thing. The downside is there are going to be a simply tremendous number of smaller units of code that provide a myriad of functions, where it’ll be incredibly difficult for anything or anyone to keep track of it all, especially how functions interplay. In that sense, I think what people should pay attention to is overall system complexity. How might we construct all these microservices/nanoservices in such a way where we can understand how it all works!?

Ory: Any final words of wisdom to our serverless audience, given your experience in the application security world?

Jeremiah: Software developers typically do not protect the security of their software against vulnerabilities that they both don’t know of AND respect. It’s only a matter of time before brand new attack techniques based on serverless are developed and exploited. To the impact of many, this is precisely what transpired in every adopted development technology for the last 20 years.