Developing and Deploying Secure AWS Lambda Applications (PRT094)

Title

AWS re:Invent 2022 - Developing and deploying secure AWS Lambda applications (PRT094)

Summary

  • Steve Wilson, Chief Product Officer at Contrast Security, discusses the importance of developing secure applications in the cloud, emphasizing the need for tools and techniques that keep pace with agile development and CI/CD pipelines.
  • He highlights the inefficiencies and inaccuracies of traditional security tools, advocating for an "inside-out" approach with embedded security instrumentation for real-time telemetry and context-aware security risk assessment.
  • Wilson introduces the Contrast Secure Code platform, which supports both legacy and modern environments, including serverless applications like AWS Lambda.
  • The platform focuses on three key areas: analyzing custom code, identifying vulnerabilities in open-source components, and managing over-permissive functions.
  • He emphasizes the importance of understanding the full application graph for setting the least privilege IAM permissions and provides a real-world example of the Log4Shell vulnerability to illustrate the need for comprehensive security coverage.
  • The platform aims to simplify security for developers and security teams by providing continuous scanning, contextual results, and organization-wide visibility into AWS serverless environments.
  • Wilson concludes by inviting attendees to visit the Contrast Security booth for live demos and further discussions.

Insights

  • The shift from traditional app server-based environments to serverless architectures like AWS Lambda requires a rethinking of security practices, since serverless functions are exposed on the internet and each function needs its own appropriately scoped IAM permissions.
  • The "inside-out" approach to security, where security instrumentation is embedded within the application, is crucial for obtaining accurate and context-rich security data, which is more effective than traditional scanning tools designed for security researchers.
  • The Contrast Secure Code platform addresses the need for integrated security analysis by combining the capabilities of SCA (Software Composition Analysis), SAST (Static Application Security Testing), and DAST (Dynamic Application Security Testing); the traditional standalone tools in these categories are not inherently suitable for serverless environments.
  • The platform's ability to provide real-time alerts for new CVEs (Common Vulnerabilities and Exposures) in open-source components and to automatically scan for new security vulnerabilities with every application update is a significant advantage for maintaining secure serverless applications.
  • The concept of "least privilege" is a critical security principle in serverless environments, and the platform's feature to recommend the exact minimum set of IAM privileges for each function helps developers avoid over-permissive configurations that could lead to security breaches.
  • The mention of the Log4Shell crisis serves as a reminder of the importance of securing the entire software supply chain, not just the code written by developers, but also the third-party components integrated into applications.
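To make the over-permissive-function and least-privilege points concrete, here is an added example (not code from the talk or from Contrast Security) that does two things: it lints a Lambda execution-role policy for wildcard actions, wildcard resources and actions the function was never observed to use, and it builds a minimal policy from a constructed list of observed API calls, which is the kind of runtime telemetry an "inside-out" approach collects. The function name, table name, log group and account ID are constructed placeholders.

```python
import json

# Constructed example: an over-permissive execution role for a hypothetical
# Lambda function ("orders-reader") that only ever reads one DynamoDB table.
OVER_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:*",
        },
    ],
}

# Constructed least-privilege counterpart for the same hypothetical function.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-reader:*",
        },
    ],
}

# Constructed runtime telemetry: (action, resource) pairs the function was
# actually observed calling. Duplicates are expected and are collapsed below.
OBSERVED_CALLS = [
    ("dynamodb:GetItem", "arn:aws:dynamodb:us-east-1:123456789012:table/orders"),
    ("dynamodb:GetItem", "arn:aws:dynamodb:us-east-1:123456789012:table/orders"),
    ("logs:PutLogEvents", "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-reader:*"),
    ("logs:CreateLogStream", "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-reader:*"),
]


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_over_permissive_statements(policy, observed_actions=()):
    """Return (statement_index, finding_kind, value) tuples for Allow statements.

    Flags service-wide or global wildcard actions, the global "*" resource, and,
    when observed_actions is given, concrete actions the function never used.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "wildcard-action", action))
        for resource in resources:
            if resource == "*":  # only the global wildcard; ARN-scoped patterns are allowed
                findings.append((idx, "wildcard-resource", resource))
        if observed_actions:
            for action in actions:
                if "*" not in action and action not in observed_actions:
                    findings.append((idx, "unused-action", action))
    return findings


def recommend_least_privilege(observed_calls):
    """Build the minimal policy implied by observed (action, resource) pairs.

    Actions are grouped per resource so each statement is scoped to exactly the
    resource the function touched; output order is deterministic.
    """
    by_resource = {}
    for action, resource in observed_calls:
        by_resource.setdefault(resource, set()).add(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    for finding in find_over_permissive_statements(OVER_PERMISSIVE_POLICY):
        print("finding:", finding)
    seen = {action for action, _ in OBSERVED_CALLS}
    for finding in find_over_permissive_statements(LEAST_PRIVILEGE_POLICY, seen):
        print("finding:", finding)
    print(json.dumps(recommend_least_privilege(OBSERVED_CALLS), indent=2))
```

Run against the over-permissive policy, the linter reports the `dynamodb:*` action and the `*` resource; run against the least-privilege policy with the observed actions, it still reports `dynamodb:Query` as granted but unused, which is the gap between "reasonably scoped" and the exact minimum the talk describes. The recommendation step is deliberately conservative: it only emits what was observed, so a code path not exercised during the observation window needs either more telemetry or a manual addition.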