Name: Blowing up Serverless Security and How to Avoid it (Part 2)
Start: 2022-03-03T17:00:00Z
End: 2022-03-03T17:00:46.000Z
Location: BrightTALK
Rating: 0

Snyk (pronounced sneak) is a developer security platform for securing custom code, open source dependencies, containers, and cloud infrastructure all from a single platform. 

Snyk’s developer security solutions enable modern applications to be built securely, empowering developers to own and build security for the whole application, from code & open source to containers & cloud infrastructure.

Secure while you code in your IDE: find issues quickly using the scanner, fix issues easily with remediation advice, verify the updated code. Integrate your source code repositories to secure applications: integrate a repository to find issues, prioritize with context, fix & merge. Secure your containers as you build, throughout the SDLC: start fixing containers as soon as your write a Dockerfile, continuously monitor container images throughout their lifecycle, and prioritize with context. Secure build and deployment pipelines: Integrate natively with your CI/CD tool, configure your rules, find & fix issues in your application, and monitor your applications. Secure your apps quickly with Snyk’s vulnerability scanning and automated fixes - Try for Free!

Snyk empowers developers to own the security of their applications and containers with a scalable, developer-first approach to finding and fixing vulnerabilities. Snyk integrates seamlessly into existing workflows and provides automated remediation via its curated, best-in-class vulnerability database.

See first-hand how Snyk and AWS partner to help teams deliver secure cloud, container, and serverless applications deployed on AWS.  Snyk partners closely with AWS to build tight integrations across the SDLC, helping AWS users secure their applications from their IDE all the way to production without impacting dev teams’ speed and efficiency.

Watch this live democast and watch a Snyk security expert:
Scan open source libraries in source code and container workloads to remediate vulnerabilities as they're discovered
Scan container images directly from Amazon ECR and remediate container vulnerabilities or map new vulnerabilities to images deployed in Amazon EKS
Detect misconfiguration issues in your CloudFormation templates or your Kubernetes environment

Snyk in 30:  AppSec on AWS

A day in the life of a DevSecOps team can be full of surprises and challenges alike. Development teams need to ship new features fast while security teams need governance and compliance controls to ensure apps are secure before deployment. Both teams would surely benefit from a streamlined process to allow security at scale without impacting development velocity.

Let us show you the way! Watch this interactive session where experts from Snyk will walk you through real-life AppSec scenarios and showcase via a live demo how our customers have leveraged Snyk’s dev-first AppSec platform to streamline their workflows.

You will learn:
 - How developers can secure custom code, open source libraries, container images, and IaC deployments
 - How security teams can manage visibility throughout the SD/LC
 - How CISOs can manage & improve the security posture of the application

DevSecOps Teams: Following ‘A Day in the Life’

Cloud computing has transformed the IT landscape and enabled organizations to innovate faster and with more agility than they ever could in the data center. And the Shared Responsibility Model has relieved these organizations of the burdens of securing physical IT infrastructure, which is now the job of cloud service providers such as Amazon Web Services, Microsoft Azure, and Google Cloud.

But critical security responsibilities remain in the hands of cloud customers, and the scale, complexity, and dynamism of cloud environments and operations is creating new challenges for even the most sophisticated cloud and security teams. Attackers have become experts at exploiting new kinds of vulnerabilities that have emerged with the cloud, adding pressure to design environments to be inherently secure against them.

Snyk surveyed more than 400 cloud security and engineering professionals to learn from their experiences and gain new perspectives on the challenges they face, how they’re addressing them, and the impact of their efforts — both positive and negative.

In this webinar, Drew Wright will share key insights from the Snyk State of Cloud Security 2022 Report, including:
• Cloud security challenges and priorities across different teams and types of organizations
• The question of who owns cloud security and the challenges of cross-team collaboration
• The ROI of shifting left on cloud security and checking infrastructure as code pre-deployment

Understanding the State of Cloud Security

Cloud and DevOps practices blur the boundary between application development and the production cloud environment. Solutions that satisfy the needs of only the development team -or- the security & operations teams, in isolation, don’t help where organizations need it the most: reducing security risk while also increasing the speed of application delivery.

Watch this session as we discuss how security teams are scaling by empowering developers to create secure applications.

Security From Code to Cloud and Back to Code

The cloud has turned security as we know it on its head. It looks and operates differently from the familiar data center, and traditional security practices don’t fully cover the cloud. The cloud attack surface is different as well, and so are the patterns used when cloud environments are attacked.

Working closely with cloud security and engineering teams that are transforming how they do cloud security at scale has revealed five fundamental strategies that they all focus on to minimize cloud risk, help teams move faster, and maximize the ROI of their security programs. These strategies are: know your environment, prevention and secure design, empowering developers, policy as code, and measuring what matters.

Watch this session and walk away with an understanding of these five fundamentals, along with some simple recommendations for getting started on each one.

5 fundamentals of scalable cloud security: Keys to lower risk & bolstering ROI

Cloud and DevOps practices blur the boundary between application development and the production cloud environment. Solutions that satisfy the needs of only the development team -or- the security & operations teams, in isolation, don't help where organizations need it the most: reducing security risk while also increasing the speed of application delivery.
In this session, we'll share how security teams are scaling by empowering developers to create secure applications, including the use of modern cloud technologies that are used to deploy and run application workloads. We'll show you how you can give developers a unique security feedback loop, with direct, actionable fixes, from code to cloud, back to code. By connecting observed cloud security insights with developer-driven workflows, developers can prioritize and remediate vulnerabilities faster in cloud native workflows. This results in reduced risk due to more secure cloud environments and increased developer productivity, leading to better and faster innovation.

Replay: Developer-Focused Security from Code to Cloud, and Back to Code

The Twitch breach may have begun with a lone server misconfiguration, but its blast radius reached everything from sensitive customer data to source code for yet-to-be-released applications. Today’s cloud attacks don’t exploit a single misconfiguration, but rather a series of them.   In this Cloud Security Masterclass, Josh Stella will walk through a process for understanding the blast radius of a variety of potential security events in your environment, and steps you can take to prevent minor ones from becoming catastrophic breaches.   You’ll walk away from this session with an understanding of how to:  Evaluate your Identity and Access Management (IAM) resources for weaknesses that attackers can exploit Employ penetration testing methodologies to assess the blast radius of public-facing resource misconfigurations Harden your cloud security posture using policy as code to address complex, multi-resource “blast radius” risks

Cloud Security Masterclass: Minimizing the Blast Radius of a Cloud Breach

When the headline says “Cloud Breach Due to Misconfigured Server,” we’re only getting a small part of the story. Critical information on what really went down rarely becomes public knowledge. 

But in order to keep cloud data secure, it’s essential to understand how attackers are exploiting the cloud API control plane, and expand the blast radius well beyond the initial misconfigured resource in order to inflict real damage. 

In this session, Josh Stella, Chief Architect at Snyk, will walk through the ways control plane compromise attacks happen, and why you need to go beyond traditional cloud security posture management in order to spot the deeper design flaws in your environment that make these attacks possible.

Attendees will gain an understanding of:
-What the cloud control plane is and why attackers need access to it
-How to identify control plane compromise risks in your environment
-Why cloud security hinges with secure design, and where to start

How Hackers Compromise the Cloud Control Plane

The #1 cloud risk is the control plane APIs. When security is focused solely on preventing entry points into a cloud environment, defenders need to get it right 100% of the time. Attackers only need to get lucky once. A close examination of real-world cloud breaches shows that the security industry is approaching the problem all wrong, and these exploits will continue unabated until we change our thinking and focus on inherently-secure cloud design.

In this Cloud Security Masterclass, Snyk Chief Architect Josh Stella will walk through the taxonomy of cloud security involving the three vectors that we can manipulate in the design of secure cloud environments: resources, actions, and time. 

You’ll walk away from this session with a clear understanding of:

The nature of modern cloud breaches and how control plane API attacks unfold
Identifying cloud design failure and understanding blast radius risk in your environment
How to use policy as code to guide developers in secure cloud infrastructure design

Cloud Security Masterclass: Your Current Cloud Security Won’t Prevent Attacks

Amazon S3 probably gets a lot of use at your company—it’s easy to use, reliable, and scalable.
But S3 security isn’t so simple—it’s easy to get wrong and think you got it right. Recent high-profile cloud-based data breaches have involved advanced S3 misconfigurations that otherwise appeared to be secure.

In this Cloud Security Masterclass, Fugue co-founder and CEO Josh Stella goes deeper into three critical components of S3 security to help you think critically about security for your unique AWS use cases.

You’ll understand how to think critically about the security of IAM Roles, Bucket Policies, and Block Public Access for your specific use cases.

Cloud Security Masterclass-Building a Highly Secure S3  Bucket Part 2

When the headline reads “Company suffers cloud data breach due to misconfigured server,” recognize that this is only a small part of the story. What’s missing is the series of moves the attacker executed to achieve their ultimate goal, because the data they’re after rarely resides on the initial “misconfigured server”. Failing to understand how attackers operate in the cloud causes teams to focus too much on the wrong things and develop a false sense of security.  

In this session, Snyk chief architect Josh Stella will explain how nearly every major cloud breach goes down, and why cloud security keeps failing even the most sophisticated teams and organizations. He’ll walk through how attackers are not only exploiting individual resource misconfigurations, but also architectural design vulnerabilities that enable them to compromise the cloud API control plane in order to discover and extract data without detection. 

Josh will lay out a five-point approach for addressing these modern cloud attacks: 1) know your environment; 2) focus on prevention; 3) Empower your developers; 4) automate with policy as code; and 5) measure what matters.  

You’ll walk away from this session with a better understanding of cloud threats and a systematic strategy for addressing them.

The missing story with every cloud breach—and what you need to know and do

Amazon S3 security is far more complex than making sure your access policy is set to private. In fact, that setting alone can result in a false sense of security. 

In this Cloud Security Masterclass, Josh Stella, co-founder and CEO of Fugue, dives into the layers of S3 on AWS and how malicious actors are circumventing common security steps to extract data without detection.

You’ll walk away from this session with a deeper understanding of S3 and how to think critically about cloud security for your specific use cases.

Cloud Security Masterclass: Building a Secure Amazon S3 Bucket-Part 1

Recently, Fugue explored how cloud engineering and DevOps teams can use Fugue to check the security of infrastructure as code (IaC)—and running cloud environments—using the same set of policies.

In this session, Aidan O'Connor will focus specifically on performing security checks on AWS CloudFormation IaC for AWS in AWS CodePipeline. Aidan will cover using policy as code (Open Policy Agent) and Fugue to automatically check for misconfigurations in CloudFormation (JSON and YAML), and options for how to handle violations. 

What Attendees Will Learn
Leveraging Fugue’s pre-built cloud security and compliance rules for CloudFormation security
Integrating automated IaC security checks in CI/CD workflows using AWS CodePipeline
Extending cloud security coverage to your AWS runtime environment using the same policies

Cloud Security in CI/CD with AWS CodePipeline, AWS CloudFormation & Fugue

Enterprise cloud environments typically need to adhere to a set of custom internal policies — in addition to any relevant compliance standards. But transforming these rules into policy as code and ensuring everyone’s applying them consistently across infrastructure as code (IaC) and runtime environments is a challenge for any security engineering team. 

Fugue simplifies the process of putting custom cloud policies into action so all teams are operating off of the same page. Developers are producing secure IaC fast, and security teams are keeping the runtime free of vulnerabilities — using the same policies. 

In this session, Fugue’s Ricardo Green will walk through how to implement and manage custom cloud policies with Fugue. 

What Attendees Will Learn
How Fugue uses OPA rules to evaluate IaC
Fugue’s basic and advanced custom rule capabilities
Managing custom rules in Fugue’s SaaS platform

Managing Custom Cloud Security Policies with Fugue

In this session, Aidan O'Connor will focus specifically on performing security checks on Terraform IaC for AWS in Bitbucket Pipelines (an integrated CI/CD service built into Bitbucket). Aidan will cover using policy as code (Open Policy Agent) and Fugue to automatically check for misconfigurations in Terraform (HCL code and JSON plans), and options for how to handle violations. 

What Attendees Will Learn
Leveraging Fugue’s pre-built cloud security and compliance rules for Terraform security
Integrating automated IaC security checks in CI/CD workflows using Bitbucket Pipelines
Extending cloud security coverage to your AWS runtime environment using the same policies

How to Integrate Cloud Security in CI/CD with Bitbucket and Fugue

In the cloud, “serverless” architectures can shift a lot more security responsibility to the cloud service provider. But the responsibilities that remain yours look radically different than what many are used to.

In our first Cloud Security Masterclass session on serverless security, we surveyed what cloud security looks like for serverless environments. In this session, we’re going deep on the biggest and most important attack surface when it comes to serverless: Identity and Access Management (IAM). 

Josh Stella (co-founder and CEO) is joined again by Curtis Myzie (VP of Engineering) and Wayne Crissman (Director of Security) to dig into the role IAM plays with serverless security, how IAM misconfigurations put data at risk, and why these mistakes are so easy to make and common in enterprise cloud environments.

This session covers: 

The IAM attack surface with serverless cloud environments 
The strategies hackers use to exploit IAM misconfigurations
How to spot these mistakes and eliminate them

Blowing up Serverless Security and How to Avoid it (Part 2)

Cyber Attacks

Cyber Security

CSPM

Security

Cloud Security

IT Security

Cloud Compliance

Cloud Architecture

DevOps

DevSecOps

Cloud computing has exploded over the past few years, delivering a previously unimagined level of workplace mobility and flexibility. The cloud computing community on BrightTALK is made up of thousands of engaged professionals learning from the latest cloud computing research and resources. Join the community to expand your cloud computing knowledge and have your questions answered in live sessions with industry experts and vendor representatives.

Cloud Computing

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Blowing up Serverless Security and How to Avoid it (Part 2)

Presented by

About this talk

More from this channel