Bsides Seattle 2020 - Zerotrusting Serverless Applications - Trupti Shiralkar
Bsides Seattle

Published on Nov 30, 2020

Serverless applications are the latest trend disrupting the world of microservices. Microservices enable developers to move faster with continuous delivery and deployment of large enterprise applications. They offer loose coupling through modularity, scalability, and, from a security perspective, fault isolation and resiliency. However, the resulting distributed systems are often complex with a large attack surface, making traditional security assessments difficult. Tasks such as security design review, threat modeling, security code review and especially security testing become challenging because a feature deployment spans multiple services and domains, and because of the speed at which these are deployed. Therefore, if security is not baked into the design and architecture, the applications are susceptible to a variety of security attacks.
The main purpose of this presentation is to discuss the common security pitfalls associated with serverless application variants such as “Backend-as-a-Service” (BaaS) or “Functions-as-a-Service” (FaaS). The talk will also discuss microservices architecture and design in order to analyze how certain aspects of security are achievable at scale through these patterns.

The target audience for this talk is security engineers, security architects, software development engineers and managers, and anyone who is involved in designing and deploying end-to-end applications based on microservices-oriented architecture. Attendees will walk away with a general understanding of security issues related to serverless applications and a framework to mitigate residual risk challenges through secure design patterns.

Trupti Shiralkar is a Principal Application Security Engineer at the world’s most customer-centric security company Illumio. She has a strong passion for security and privacy and believes in influencing security by creating a mutual win for all involved parties. She enjoys diving deep on challenging hard security problems and building technical solutions in collaboration with development and security engineering teams. She holds a Master of Science degree in Information Security from Johns Hopkins University Information Security Institute (JHUISI) and several security certifications. In the past, she worked at Amazon, Hewlett Packard, Q2ebanking and ATSEC Information Security.
