Security Governance and Compliance in Serverless Applications

Jon Zeolla
Cloud Native Contributor, co-founder and CTO of Seiso

November 7, 2021
Season 2

Episode Description

What We Discuss with Jon Zeolla:

  • 00:00 Intro
  • 07:59 What is Serverless Security?
  • 10:45 Compliance for Serverless
  • 15:40 Building Blocks of Serverless Security
  • 18:57 Serverless Architecture
  • 21:48 Cloud Native and Serverless
  • 25:48 Audit and Scope
  • 30:57 Layered Security in Serverless
  • 32:35 Serverless Security Best Practices
  • 35:47 Denial of Wallet attack
  • 38:41 How to learn more about Serverless Security
  • 42:44 The Fun Section
  • And much more…

Ashish Rajan: [00:00:00] Hey, Jon! Welcome!

Jon Zeolla: Hey Ashish, how’s it going? Good.

Ashish Rajan: That’s what I’m going to show, man. I really appreciate that. Yeah, of course.

Thanks for having me.

Oh, by the way. Cheers man. Thanks for coming up with a drink as well for watching coffee. I appreciate it. But Jon, maybe before we get into this, I think a great place to start would be for people who may not know of you. I’m sure a lot of people in Pittsburgh know right here and around us as well. We’ve been around Australia as well. I would love to know your journey into kind of the cybersecurity.

Jon Zeolla: Yeah. Yeah, it sounds great. So yep. My name’s Jon Zeolla. I started in technology back in the GeoCities era. I don’t know if any of you remember that, but whenever you could kind of hand type in code your own HTML and whip up a little homepage. I thought that was cool to do when I was in elementary.

Middle school started getting interested in technology. I remember printing out the HTML spec and just like reading it line for line for line, like that’s how I got introduced to it. Wow. Okay. I didn’t know that there was any other way, so yeah. And so that’s how I started getting interested in technology.

Thank you, GeoCities. I got interested in security, probably middle school to high school. I was trying to play [00:01:00] video games or do something that the school didn’t want me to do. And so I spent a lot of my time finding out how to bypass their security. A lot of old school things, like if you could run the at command, you could say like at one minute from now run explorer.exe, and then kill Explorer, it would reload a system and it would bypass a lot of their control, things like that.

Right? Like little things, just kind of got interested in that sort of stuff. I found some things on my school network at one point and got myself hired by them when I was a senior and did some security stuff for them. Kind of went from there. I was really into the kind of theater, like hacking in movies and things like that.

Got a first job. My first job was not in security though. It was more what we’d call nowadays, like a DevOps engineer. Back then it was called a software engineer, but I was really focused on the automation for deploying prod and on-prem environments for a pretty big bank. Jumped into netsec.

Did some general security work at another company. And immediately prior to my current position, I was a security engineer at a research institution. So we did a ton of open source things there. That was a lot of fun. I joined the Apache Software Foundation, [00:02:00] worked on a thing called Apache Metron for a while there.

And then about five years ago, I co-founded my own company called Seiso. Yeah, so we do security consulting stuff, right. And we help companies with modern tech stacks build out security programs, a lot of cloud native stuff. And those programs often need to be certified or tested in some way.

And so for roughly the last five years I’ve been spending a lot of time in ISO 27001, SOC 2, HITRUST, FedRAMP.

Ashish Rajan: Oh, awesome. And perfect going kind of connotation to me will be want over here as well. Now the first question we were today’s topic serverless security. I know a few people talk about it from a different perspective.

How different, I guess it’s the same thing as cloud security. What is really Cloud Security ? So I’m keen to know your definition of what do you classify as. What’s your meaning for serverless security when you talk about it?

Jon Zeolla: Yeah. I don’t really have a great special definition for serverless security.

I typically go back to the kind of CIA triad, right? Confidentiality, integrity, availability. That takes an interesting spin when you get into serverless. Some attacks like denial of wallet attacks, where it’s kind of like a DDoS, but [00:03:00] focused on spending your resources as the host or the person paying for your serverless.

So I think that that takes a little bit of an interesting spin, but honestly, I’m not a big fan of needing to separate definitions of serverless security versus cloud security versus AppSec and things like that. Good on that road for

Ashish Rajan: another one of those. Yeah, that’s fine. Yeah. Cool. So maybe I think , we talk about serverless primarily when I guess I’m in a lot of people, because it’s the first episode.

I do want to cover some of the foundational pieces as well. Cause then you can talk about service. The only thing about. Say a cloud server provided several ethical Lambda or QB functional Azure. Are there more varieties or are there, is that the only kind? And they’re the ones who are pioneering a Lambda function, Orlando serverless functions.

Jon Zeolla: Yeah. So there definitely are others. Right. The CNCF serverless group maintains a landscape page, which is really useful, of kind of what the other providers are in the area. Ones that I hear frequently are Knative, OpenWhisk, Kubeless, OpenFaaS, things like that.

Yeah. So there’s a [00:04:00] few different projects. OpenWhisk is an Apache project, though, a lot of open ones and a lot of different options out there. I definitely see people using the cloud provided options, right. Like Functions and Lambda and such that you mentioned earlier a lot more often, but there are on-prem or kind of alternative non-cloud, non-CSP hosted options.

Ashish Rajan: Yeah. Right. Okay. I mean again, maybe, this being the Cloud Security Podcast, we probably should focus on the cloud ones, but it’s actually good to know that there are other ones as well, maybe. And I’m going to put the link for the CNCF landscape thing on the show notes so people can kind of go in and have a look at it as well.

Now, talking about compliance and governance, you mentioned you’d been doing ISO and I guess a FedRAMP to the world, but is serverless something that can have features to be compliant in the first place? Cause I always wonder, we found those shared responsibility model where it’s just handing off to the cloud service provider.

Are there any things like that?

Jon Zeolla: Yeah. That’s a great conversation. We can talk about that for the rest of this chat. The short answer is yes. Right? Like, so you can build a serverless environment [00:05:00] to be compliant with these different frameworks. And just to kind of list them real quick. Like, what are the frameworks that I’m thinking of?

When I say that, it’s SOC 2, it’s ISO 27001, it’s HITRUST, it’s FedRAMP. You could also maybe include things like PCI, although that’s really like a contractual obligation, HIPAA, GDPR, things like that. Right? So some people include those in the mix. I’m primarily talking about that first grouping, the HITRUST, FedRAMP, ISO, SOC realm, and yeah, actually, so when I’m building an environment or helping people design an environment, sometimes, a lot of times when compliance is a requirement, that drives the move to serverless because it removes a lot of the need. You mentioned the shared responsibility model.

It moves a lot more of that to the CSP than on yourself. And so you have kind of a smaller slice of that pie of that shared responsibility that you need to worry about. For those sort of, some of them are certifications, some of them aren’t. SOC 2 is an attestation.

FedRAMP is different as well, but with HITRUST and ISO, it is a clear [00:06:00] certification where you have an external auditor come in and they go, yes, you are now certified because you have a ex. There’s a little nuance in that, too. So for instance, with ISO 27001, you can’t actually have your technology, your product, be certified.

That’s not what they will certify. They’re certifying what they call the ISMS, and that is the environment that surrounds that serverless environment. And you can put that serverless environment in scope for your ISO audit. But you can’t say that that is ISO certified. It’s the ISMS, it’s essentially the processes that support security around that serverless environment that you can get certified.

But that being said, ISO still has Annex A and although it’s the least prescriptive of the bunch, it does have some things that are mandatory, some things that are required. And so your serverless environment would need to support those. And it can, right. I’ve helped multiple companies kind of go through.

Go through that process without a hitch. It’s definitely a possible

Ashish Rajan: That’s actually interesting, important, because what that means is for companies who have applications, which are fully serverless, then probably then to [00:07:00] your point, the slice of compliance responsibilities quite low, but for people who may be using a mix of, I’ve got some serverless, I’ve got some EC2

I’ve got something else and something else like that’s my entire ice message. Then Lambda is technically just a very small slice of even that compliance pieces that for him.

Jon Zeolla: Yep. And it gets interesting too, because when you are working to get certified and as you’re building your security program around those systems, there’s lots of different ways you can do it.

You can do process-based assessments, asset-based assessments, controls-based assessments, right? Like there’s all kinds of these different angles that you can take. And in a lot of cases, you have some flexibility on how you’re going to do that. And sometimes the auditors are prescribed a method of.

When they’re going to be looking at your environment, they’re going to go the asset-based way or the process-based way. Right. ISO is big on the process matrix, right. And understanding kind of who owns what and how it’s about the ISMS. Right. Whereas others are different. NIST FedRAMP is all about controls-based, right?

There’s even that OSCAL project, which very clearly says in their documentation, this only supports [00:08:00] controls-based assessments. Right. So they want to go that route. But so it depends a little bit on that, which certification or attestation you’re going for, which angles are feasible.

But yeah, there’s a few different angles of ways that you can assess the environment for security in general.

Ashish Rajan: Would you say, or maybe another great crisis, I guess kind of digging into this conversation could also be talking about the building blocks for how people can start building towards, I mean, we kind of separated out, Hey, if you think your compliance in a serverless environment probably need to look at it from, Hey, I is this just my entire product is serverless thousands of Lambda functions.

Or is it more that you just have one component? So for people who may have like a lot of components or maybe one component serverless , what are some of the building blocks to start with from a security compliance perspective , I feel like there’s a few layers of defense. I’m sure you can put into serverless as well.


Jon Zeolla: So first of all, that depends a little bit on the. Right. Like you are able to scope your ISO certification or SOC 2 or whatever, to a specific area. And sometimes it would make sense to just exclude your serverless or only include your serverless, like maybe [00:09:00] draw a boundary between them.

That’s something that I see people will do a lot, but in particular when we’re thinking about these certifications on a serverless environment, a lot of it comes down to just your application security practices. Right. And so while they’re going to need to see, like in FedRAMP world, some sort of diagram with your SSP, like an authorization boundary, knowing where the data is going and some data flow diagrams.

You can provide security a lot of different ways. In the design of it, obviously there’s a diagram, but also if you’re deploying that diagram with infrastructure as code, being able to show that you have some sort of security controls around that infrastructure as code deployment. There’s tons of different ways to do that.

I think Checkov is a really good one. KICS is another. Terrascan, tfsec. There’s a lot of options on the market. I even have a little Docker container I open-sourced that brings those together and makes it kind of easy to run in a pipeline. But just doing something in your infrastructure as code security is a key part of those like building blocks when you’re deploying serverless.

Because you’re probably going to be using a lot of different cloud native services. You’re gonna use a few [00:10:00] different functions, you might use CloudFront, you’re probably gonna use some WAFs. You’re obviously going to use Lambdas, Step Functions, S3 buckets, Kinesis, things like that.

There’s also just a lot of pipeline security to think about. So your traditional static code analysis, dynamic code analysis, software composition analysis tooling, and ensuring that the code that you’re deploying is secure. And then there’s runtime security too, right? Like, so just because you don’t manage the operating system doesn’t mean you don’t need to think about how things will actually operate at run time.

So something that I see people use frequently in the AWS Lambda world is layers. And so to deploy kind of approved centralized configurations for logging or for some different sort of protection mechanisms, and have one way to do it to kind of centralize your decentralized deployment, is another really important building block. And having maybe a little bit more scrutiny over that, especially if it’s authentication, authorization based or if it’s cryptography based or something along those lines, just making sure that it gets a [00:11:00] little bit extra scrutiny before it gets deployed, and just having all your serverless functions use those shared layers.

Ashish Rajan: All right. I mean, sounds like a lot of moving parts as well. I mean, kind of like any other application, you have the runtime, the compile time, for lack of a better word. Yeah. The CICD pipeline as well. So maybe in the work that you’ve done, what are some of the examples of architecture that you’ve come across for serverless, like what are people using them for?


Jon Zeolla: Yeah, I think the most traditional one is like an event driven architecture, something where you maybe have a web application, a single page app with a bunch of JavaScript, and it makes API calls from time to time as the users are interacting with the front end, and serving those APIs in the serverless, putting an API gateway in front and then hooking that into a serverless is a pretty popular one.

I’ve also seen some data engineering, like kind of data pipelines use cases where you have lots of information coming in. So maybe it’s some sort of a feed or a dump, or maybe even old school, like FTP. Someone’s dumping something on a server somewhere, and you want to pick that up and make it more modern from that on, right, where you [00:12:00] could use like, there are FTP services, SaaS services and stuff, but taking the data, parsing it, taking the rows or the sections of the data which are valid and then kind of moving them onto the next step and processing them, cleaning them, preparing them for, if you’re doing machine learning, it’s really important to have really clean data. But even just any sort of database visualization, having really clean information is important. Kind of ETL jobs, right?

Extracting things from a data store, tweaking them a little bit and loading them somewhere else. And I’ve even seen monitoring. So although a lot of the environments I work in, people are using Prometheus and things like that for their health monitoring, I’ve seen scenarios where it made sense to kind of just throw a Lambda out there and say, on this sort of cadence, check in on this other thing, maybe it’s a traditional app.

Maybe it’s something deployed into Kubernetes and you, for whatever reason, want to add something on top of that using serverless for those sort of like quick and easy jobs to deploy, maybe it’s even time. Right. Like, oh, I just need this for the next three months. I don’t want to have to deal with spinning up a server or doing a Kubernetes deployment or anything like that.

Like, I just want something [00:13:00] quick using serverless for that as well. Makes sense.

Ashish Rajan: Right. It’s a interesting point. I don’t know what will people use for FDB mature upload files for lab as well. But maybe those are more examples. Cause I’m going to think as you’re going to go into them to thinking about.

So wait, if I’m approaching compliance for myself, whether it’s application, obviously we spoke about the CICD pipeline. We spoke about runtime, all these other things as well. Now, natively, are there any features that are kind of , with the modern compliance in mind where a lot of people are talking and talking about, Hey, why not?

A cloud native service, I’m just making it up like, oh, my Lambda is already FedRAMP certified. Maybe not the application being hosted by it, but the Lambda by itself is. Like, are there things like that, that you kind of see auditors are comfortable to kind of pick that up?

Jon Zeolla: Yeah. Especially in the FedRAMP world.

Yes. So and especially at the higher levels of FedRAMP, like if you’re talking about FedRAMP High, we’re actually going to be in GovCloud. There’s a ton of reason to deploy your application in a kind of cloud native serverless way. Making sure that you don’t [00:14:00] accidentally use a cryptographic method that’s not allowed, or you store your private key material in a certain way that you don’t want to, just using those sorts of.

Cloud environments where they kind of remove the ability to shoot yourself in the foot, right. They remove the sort of methods that wouldn’t be sanctioned for those sorts of deployments, is really key and critical. And that also kind of goes back a little bit to the infrastructure as code. When you’re deploying these things, putting the configurations in place that allow this, or don’t allow that. One example is, so you can use Rego rules with a bunch of different tools like KICS, or I believe Checkov also supports Rego.

And I’ve seen some people say, oh, I have a tagging strategy where every S3 bucket or every resource that gets deployed needs to have a data classification key. And then the values are one of this list. Right. And you can say, in a pipeline, we identify that someone is writing Terraform that creates an S3 bucket.

And that S3 bucket has a tag of data classification equals ISO 27001 or FedRAMP Moderate, things like that. Then you can have custom Rego [00:15:00] policies that make sure that the configuration of the cloud resource is using server-side encryption, requiring multifactor for deletes, whatever it is.

But if the tag is something different, like you’re tagging it for a SOC 2, that might be a lower bar. You might not have that as a requirement, just a preference. And for cost reasons or complexity reasons, you might choose not to do that. And it’s kind of something that you can, again, push early in your CI process to ensure that you’re meeting whatever requirements.

Ashish Rajan: So wait, do people use compliance as a tag as well in resources? That’s an interesting one, because normally when you were talking about tagging, they don’t normally document the fact that, Hey, this is for business unit X. And so this is my tag. This machine would run from 9:00 AM to 5:00 PM. Like I’ve seen those cards.

People use that for compliance.

Jon Zeolla: Oh, yeah. Yeah, definitely. I’ve seen the criticality of the assets being indicated, the sensitivity of the information. That’s a really key one if you have a data classification governance that says all your resources need to be X or Y or Z, public or confidential or regulated, or whatever, or if you want to better define your [00:16:00] boundaries.

So you have, some people will just use like a multi subscription or a multi account way to do that. And they’ll say everything in this one AWS account is ISO 27001, everything in this one is SOC 2, but that gets confusing when you start overlapping or whenever you do a scope expansion of your certification.

And you’re like, I want to add this in like, oh, well now I need to, it’s like this and half of that AWS account and things along those lines. And so what I’ve seen that be successful is using tagging to define that. And then, I feel like everything is kind of downstream from metadata, right?

So if you just put good metadata on everything, then you can automate. A hundred

Ashish Rajan: percent. Cause I was kind of, as you were going to saying it I’m going. Oh, okay. Cause I think a lot of examples that I’ve seen for compliance has usually been, Hey, we’ll have this separate now whether it’s an AWS account or Azure subscription or Google account, the way they kind of do it, I’m going to separate my compliance component.

So they don’t talk to anything else because I don’t know what kind of alert I might get. I don’t want to throw heated on any auditors. I’m sure they’re great ones as well. But I find that the whole aspect of kind of where the question started. are auditors being okay with using a cloud service as [00:17:00] a tick for of control from a feel, bad thing that, but I don’t know.

What’s your experience been over there?

Jon Zeolla: There’s a lot of other cool things you can do when you start tagging resources. So. I’m involved in a lot of audits, right? I’m usually kind of supporting my clients on the technical side or coaching them. And one of the things we always say is answer their question, be honest, but don’t offer more information than what they’re asking for.

Right? When they ask a question, answer that question, don’t answer questions they didn’t ask. And so what I see a lot of times is the auditor says, Hey, you say here you encrypt everything. Do you have any, and they say, yeah, or do you have whatever. And they’ll just kind of spin up the AWS console and they’ll start showing all of the EBSes that they have, all of them, when what I coach them to do.

And this is where you bring the tagging, and you can filter on scope ISO 27001. Now they’re only ever going to see the things that are in scope for that audit. You could even do an ad hoc tagging for that audit, you could put like something specific. And so, and then for the rest of the audit, you can make sure that you’re only showing them that specific slice.

And again, this whole conversation that we’re talking about [00:18:00] now, are disks encrypted or whatever, is a great problem in a non-serverless world, but in a serverless world, at least in the areas that I’m familiar with, more so in the AWS and Azure realms, these things are just like encrypted at rest is kind of a claim that the cloud provider gives you

and so as far as shared responsibility goes, like, I don’t have to worry about disks. I don’t have to worry about that. Like, if I go to their documentation and I look at what they’re saying that they do, they say that all of the storage for these sorts of things is encrypted and we’re great.

Just go, the auditor can go look at the AWS documentation. Instead of looking in my AWS console is a much safer thing to do, I think,

Ashish Rajan: I think so you find that. Sometimes it’s us, ourselves. trying to shoot us in the foot , I guess, by showing more than what’s required, that’s kind of makes us not fail the audit, but it makes, it makes the situation a bit more difficult in front of.

Jon Zeolla: Yeah, it just spurs questions. You start going down paths that you might not want to go into, or maybe you just weren’t prepared to go down it. You want audits to go very smoothly and you want to be able to prepare and you can’t prepare for everything. So you want to come prepared for a specific scope.

Right. And then the patient on that [00:19:00] scope is,

Ashish Rajan: and you use tagging in that context. So, but I guess just to I, I think we kind of touched on it, but so that I have a clear answer for it, but, are auditors open to the idea of. to your point about encryption if there’s encryption for AWS yup that works .

So it’s acceptable versus, Hey, how do you do your auditing or it’s a service from my Azure provider, like acceptable or is that not a thing at the moment? Like, because they do they know about it? At least the ones that you, I mean, we don’t document gentrifying it.

Jon Zeolla: Yeah. Do they know about it? That’s like a key thing.

My experience over the past few years of going through these audits and certifications and attestations and stuff, serverless or not, is that the serverless components of the environment, a lot of auditors just aren’t familiar with it yet. And so that means that they’re not comfortable, that causes them to ask extra questions and spend extra time on it.

Sometimes it’s a good thing. If you’re extremely buttoned up, great. Yeah, I’ll spend as much time putting a magnifying glass to the things that we have really nailed. But sometimes it’s not. I always say that you’ll get to know your auditor a little bit, and if they aren’t [00:20:00] comfortable, spend some time getting them there.

It’s probably in your best interest to help them understand the design choices, why you chose to go serverless, and specifically from the security side, what guarantees you have, what expectations you have, where the improvements from the shared responsibility model are, things like.

Yeah, I’ve heard lots of, in the FedRAMP space, like government entities being uncomfortable. And when you start bringing up, we’re gonna use Lambdas for this inside the authorization boundary, they’re like, whoa. Like, I don’t think we want that. And in some cases it’s because, years and years and years ago, when this was a really early feature, there were some controls gaps.

Right. And some of them just kind of are holding onto that. And in some cases, they just don’t know what to make of that. And they know if you have an EC2 that’s a server, and they know how to deal with servers. Right. And so spending the time to kind of educate whoever’s your answer-to parties, right?

Often your auditor. Sometimes whoever’s sponsoring you. If it’s a FedRAMP things along those lines

Ashish Rajan: Awesome. So the education piece is important. [00:21:00] I’ve got a question here from Sushant Kode , and I believe we kind of answered it, but if, unless you had any more torture, this question was, how do you implement layered security in a serverless framework?

We kind of touched on the whole runtime and the, I mean, unless you want to add anything else more on probably us to shine the kind of wide one that he plays available, but did you want to add anything else to this?

Jon Zeolla: I’ve seen a lot of interesting roll-outs of kind of layers, specific to like within the Lambda layers.

The way I’m reading that question is also just layered security in general. And so, you can architect Lambda to be front ended by a WAF, right? So you could use the AWS WAF and you can put some controls at that level. You could use all kinds of techniques throughout the stack for encrypting and decrypting traffic and doing introspection.

You could do network based monitoring, especially if you have the ability to decrypt. You could do network security monitor style techniques. You could span the traffic off separately and have detection mechanisms there. There’s a few different ways that you can do it.

It’s definitely, in my opinion, a little bit more limited than traditional mechanisms. And I think that that’s a good [00:22:00] thing. It reduces the number of options, the things that you have to consider as your layers of security. At the end of the day, I haven’t found a situation where I was clearly able to say like, oh, the traditional way is better, running a server would have, or Kubernetes would have been much better for this one use case.

And I’m talking mostly, , within the last six to 12 months. But that has been more of the case than as opposed to like.

Ashish Rajan: , I think it’s definitely calling out . Serverless, doesn’t solve all the problems as well. You probably want to find the right tool for the right job. And I think too funny enough, he’s got another follow-up question.

I need suggestions on serverless security best practices, which is probably kind of tying back to your layered approach before where you said you had a WAF. I think could probably add identity and access management as well. Like I think in the AWS context, the IAM role that you have on your Lambda functions should not be overprivileged.

Yep. And there is a whole, I dunno if it has changed because AWS keeps changing this, because not all Lambda functions are public facing as well. It could be private facing ones as well. Right,

Jon Zeolla: right, right. Yeah, exactly. And I believe each function needs to have its own IAM role. So sometimes you get a little bit of sprawl there and like, if you’re at really high [00:23:00] scale, the manageability of that can be difficult.

But you do have to have a role for each one. And that means that you can measure it and identify if it’s meeting whatever expectations you have. But when I think of serverless security best practices, I really go back to application security best practices, right? Adding security into your pipeline, having a senior design of the stack itself and being able to talk through that and scan it for.

I typically go towards, for serverless security, some sort of IaC-based scanning and deployment. But you could do audits of the workloads of the environment in the console or with other sorts of tools too, I think, things like Prowler, Crowdmap or things like that.

I believe those have some support for serverless environments. So yeah, a lot of it goes back to, in my opinion, really traditional application security best practices, the SBOMs and software composition analysis. You’re not using some third-party library that’s from the 1990s. And

Ashish Rajan: just a good point because of.

Kind of touching on this shared responsibility that we were talking about earlier, and that the traditional [00:24:00] models don’t really apply in a serverless context, because technically all you’re doing is, if I were to take a 10,000 feet view of serverless, we are deploying applications, we just have a function that someone in our company has written, like a Lambda function, which could be

Python, whatever. We just dropped that into AWS or Azure or Google Cloud. And then that just runs based on our trigger. So from a responsibility perspective, if you don’t have a storage that you require for a function run, then there is no need for a storage; compute is owned by them. So there’s no antivirus or malware protection.

None of that stuff is going to work as well. And WAF probably is important because if it’s internet facing and you have, although I sometimes wonder, WAF definitely would play a huge role from an OWASP Top 10 or whatever you want to call it. Maybe a denial of wallet can be prevented by that as well?

I don’t know.

Jon Zeolla: Yeah, that’s a good question. I’m not really sure. That’d be. You probably could, because you could write rules. Like if you’re seeing an excess number of requests from a single IP or from a certain user agent string or something like that, you can start to deny them instead of just allowing them to spend your [00:25:00] money like crazy by spinning up new ones.

Yeah, I haven’t actually run into that before, but I’d expect you could do

Ashish Rajan: something. Yeah. And I just realized that as I mentioned it, I’m like, you and I know what denial of wallet is, but other people may not know what a denial of wallet attack is. So do you want to touch on what the denial of wallet attack is in the serverless context?

Jon Zeolla: So with serverless, one of the tenets of serverless is that scalability is not your problem. It’s the cloud provider’s problem, right? At least when we’re talking about CSP-provided serverless environments. And so it’s someone else’s problem. And so in response to traffic, you will scale up; in response to reductions in traffic you’ll scale down. A denial

of wallet is a scenario where the type of traffic causes there to be additional expenses on the hosting side. So whether it’s long requests, things that they know will take a long time, or just a quantity of them, just kind of digging into your wallet, the credit card that’s attached to your billing account, and costing you as the provider, as the person running the application.

Ashish Rajan: Yep. Awesome. Great description. I think that’s a very common thing which is seen in a serverless function, while the other one probably, and I’m sure you can [00:26:00] add to that as well, is the whole IAM role. So if you have mentioned FTP servers earlier, she was like, oh my God, why would he put an FTP?

But sure. But I think the whole idea behind that is that there is a great talk, Gone in 60 Seconds, something from DEF CON. Just someone who’s uploaded a file onto a Lambda function. They found out it was a container running in the background and were able to get a reverse shell back out. So you almost go like, oh, oh.

So why would you do file upload in the first place? Because you don’t really have any control of the compute, but I don’t know if you have any more examples of things that you’ve heard about in the serverless attack world.

Jon Zeolla: Yeah, probably not a ton. No. That’s an interesting one. I do recall seeing some stuff on Twitter about that and that presentation.

I don’t think I actually have seen it yet, but I could kind of guess at some of the interesting nuances. In other non-AWS environments, there were similar problems like that. And you were able to do some like lateral movement and there were some interesting things identified like years ago, years ago.

I forget which cloud that was, but

Ashish Rajan: Yeah, cause I think that’s where I guess the identity and access management piece we spoke about earlier kind of fits in as well. Like if your Lambda function, or if your AWS function, Azure [00:27:00] function, has permission to do a lot more damage, then maybe that kind of becomes a bit more challenging at that point.

But hopefully that answered your question, Sushant, and yeah, serverless security best practices to start off with, and maybe some common attacks you want to look out for. And we are kind of towards the tail end of the show as well, and I kind of wanted to give some guidance for folks who are listening to this for the first time and where can they go and learn about compliance and serverless, especially like now Martinez is working on setting up for the AWS Solutions Architect Associate.

I wonder, what’s a great place to start thinking about compliance and the whole serverless security world? Like where can people find more information relevant to this?

Jon Zeolla: Probably two different recommendations there, maybe three. On the compliance world, each certification, attestation,

compliance framework, whatever you want to call them, is handled very differently. Right. So if you’re interested in FedRAMP or working with the U.S. government, for instance, following things from the DoD, the DHS, GSA, NIST, those all make sense. I’m a big fan of following

the NIST special publication [00:28:00] drafts when they get released. It gives an interesting eye and kind of inside loop to some of the things that are happening there. And it’s usually for a reason, it’s usually preempting some sort of later-on step of a requirement in 800-53 or FedRAMP or something along those lines.

And a lot of other frameworks look to NIST, at least ones that are based in the U.S., as influence to how they operate. So that gets you really the kind of upstream. ISO is great, but pretty much to see anything there, you need to spend some money. It’s not a ridiculous amount of money, but we spent a couple hundred bucks there, a couple hundred bucks there on different specs. ISO 27001 points to ISO 27002.

And then there’s 27017 and 27018 and 27701. And then there’s the auditor guidance; each one of those is going to be a couple hundred bucks. So that one can be a little more difficult, but starting at 27001 could be the place if that’s what you’re interested in. There’s also, on the serverless side, I’m a huge fan of open source and I’m a huge fan of some specific communities that are out there.

OWASP is doing really great work recently. The CNCF as well, [00:29:00] there’s the CNCF TAG Security, the Technical Advisory Group for Security. And there’s some initiatives going on there with regards to serverless. There is the serverless working group within the CNCF, which is really doing some awesome work.

I referenced them earlier in the landscape, but they’ve done some other things with like CloudEvents and things like that. And my personal favorite way of getting to know this stuff is cherry-picking very narrow use cases or scenarios, compliance requirements, whatever, and then doing some experimentation, just kind of like playing around. Spin up some Lambdas yourself.

I think my first thing: I wanted to know when a specific commit in an open-source project was included in a release of that project, so I could actually tell people to start using it. Cause I’m usually either putting in an issue or contributing something, and there’s a commit when it gets merged, but I’m waiting and waiting and waiting for that to get released.

So I made an API Gateway Lambda, kind of a pretty small stack. That was the first scenario that I did myself in Lambdas, and I just would query it with this little client that I wrote in Python and used IAM authentication and just said like, hey, here’s a commit and here’s a repo. Is that [00:30:00] in a release yet?

And it made a bunch of GitHub queries happen and it would say, yup, it’s in release XYZ. You can go use this. It’s kind of stable now, or not. So yeah, I highly recommend experimenting and just kind of playing around with these kinds of use cases that you think you might want to recommend to someone.

Yeah. You’ll yourselves get a feel for the pros and cons, and in some cases how bad the documentation is on how to use them. But yeah, well,

Ashish Rajan: Thanks for sharing that. I think I’ll put the resources for the CNCF in the show notes. I think you and I are working on a serverless white paper as well, so we can probably, hopefully at least release that to the public and get some more insights from that as well, for maybe someone like

Sushant, for a more specific answer for serverless security practices, at least as collectively taught by more than 25 people who are involved in that conversation. But that’s kind of the technical questions I could. This is kind of like now the last section, which is the fun questions.

Second. There are three, not too many. I want two for the folks to kind of get to know you a bit more beyond the technology side of things, I guess. So the first one being, what do you spend most time on when you’re not working on serverless, compliance or cloud or technology, or [00:31:00] what’s your... I just want to spend more time on.

Jon Zeolla: Yeah. I’m pretty narrowly focused right now, but I would say that my one side hobby is mountain biking. I just convinced myself that I’ve been doing it for long enough to invest in a really nice bike. So I’ve got a really solid mountain bike now, and I’ve been doing it for like the last four years or so.

There’s actually a small group. I’m based out of Pittsburgh, Pennsylvania in the United States. And maybe 10 or 12 of us in InfoSec locally all kind of go around to the different mountain biking spots. And that’s how I spend my free time when I have it.

Ashish Rajan: Awesome. All right. That’s a great way to do it as well.

Then, I think outdoors is good, especially with COVID. I think most people are like, great. So the next one is: what is something that you’re proud of, but it’s not on your social media?

Jon Zeolla: Well, that’s probably an easy one because I don’t put a ton of stuff on social media. I don’t think I’ll even put a, so the tool I referenced earlier is called easy infra.

I don’t think I’ve put anything about that on social media at all. So I would have to say that that’s something I’ve been working on for about a year now. And yeah, I’ve used it internally and I’ve got a few clients using it as well, and I'm hoping to get more adoption of that.

So if anyone’s interested, check [00:32:00] it out. It’s kind of supposed to be a pretty seamless way to introduce security scanning to CI or CD processes when you do infrastructure as code,

Ashish Rajan: I’ll put the link for that in the show notes as well. One final question. What’s your favorite cuisine or restaurant that you can share?

Jon Zeolla: This is super easy. So in Pittsburgh we have this thing called a Pittsburgh salad. What it is, is a normal salad, and then you put French fries on top of it, and you usually use ranch as the dressing, because why wouldn’t you. So you feel like you’re being healthy, but you’re actually just eating French fries with ranch.

And so that’s like by far one of my favorites. You can add a protein to it, like put steak on it or chicken or something like that, but yeah, definitely the Pittsburgh salad is

Ashish Rajan: Wait. So is it pretty much readily available anywhere? Like, or is it more like you go to a Pittsburgh salad shop, or is it.

Jon Zeolla: Like probably 60% of the shops around here, the restaurants that have salads, you could probably get it. And in fact, sometimes it’s assumed and you don’t even really know unless you look at the fine print. You’re like, okay, this is just a regular X salad. And it comes out with a bunch of French fries on it and it’s like steaming hot.

And I’m like, yes, I didn’t even think that I was going to get this. That’s great.

Ashish Rajan: Cool. Okay. [00:33:00] Now I’m going to try that out, now since it has opened up, hopefully I can come over to that side. But thanks so much. I really enjoyed my conversation. So thanks so much for spending time with us. I really would like to keep elaborating a bit more on this.

Maybe once we release the white paper as well. But I do appreciate you spending time with us and answering the questions for everyone else. We’ll be here as well, but where can people find you if they want to connect with you?

Jon Zeolla: Yeah. So I’m on Twitter at Jon Zeolla, J-O-N-Z-E-O-L-L-A, and I’m also on LinkedIn.

Those are probably the two best ways to connect with me. I’m also on GitHub as well. I’m not very unique. I just use the same.

Ashish Rajan: No, fair enough. Thanks. Enjoyed the session as well. So a great job, man. But thanks so much for your time. I will see you hopefully on my next CNCF conversation. Thanks for coming in as well.

Hopefully. Good luck with your exam then. For everyone else, I will see you next weekend for another topic on serverless security. Thank you, Jon, for coming in. And we will talk to you soon. Thanks everyone. See ya. Bye bye.