Securing Serverless - By Breaking In

•

0 likes•448 views

Guy Podjarny breaks into a vulnerable serverless application and exploits multiple weaknesses, helping better understand some of the mistakes people make, their implications, and how to avoid them. Video available on: https://www.infoq.com/presentations/serverless-security-2017

snyk.io
Securing Serverless -  
By Breaking In
Guy Podjarny, Snyk
@guypod

snyk.io
About Me
• Guy Podjarny, @guypod on Twitter
• CEO & Co-founder at Snyk
• History:
• Cyber Security part of Israel Defense Forces
• First Web App Firewall(AppShield), Dynamic/Static Tester(AppScan)
• Security: Worked in Sanctum -> Watchﬁre -> IBM
• Performance: Founded Blaze -> CTO @Akamai
• O’Reilly author, speaker

snyk.io
Serverless Security: The Theory 
(talk from ServerlessConf)
https://www.youtube.com/watch?v=CiyUD_rI8D8
https://www.infoq.com/articles/serverless-security

snyk.io
Agenda
• Show a demo serverless app
• Hack it
• Explain the security ﬂaws and how to ﬁx them
• Summary
• Q&A

snyk.io
Example: Fetch ﬁle & store in s3
(Serverless Framework Example)
19 Lines of Code
2 Direct dependencies
19 dependencies(incl. indirect)
191,155 Lines of Code

snyk.io
Serverless does secure 
OS dependencies
Just not app dependencies

snyk.io
1. Beware Vulnerable Libraries 
(test during dev, monitor over time)

snyk.io
Side Note: 
Snyk isn’t only for Serverless

snyk.io
2. ReDoS can still be costly 
(won’t take you down, but can hike up bill)

snyk.io
Beware 
Resource Exhaustion Attacks
Not all your services elastically scale

snyk.io
3. Avoid secrets in deployed code 
(env variables aren’t enough - Use a KMS!)

snyk.io
Serverless platforms oﬀer a 
Key Management System
Just use it!

snyk.io
4. Deploy granular functions 
(shared function code = greater exposure)

snyk.io
AWS Security Policy
Easier
Policy 3Policy 2
Policy 1
Safer

snyk.io
5. Use Granular Policies 
(only allow each function its minimum permissions)

snyk.io
A function is a perimeter
That needs to be secured
Perimeter Perimeter
Perimeter
Perimeter
Perimeter

snyk.io
6. Don’t rely on immutability 
(Lambda - and others - reuse servers)

snyk.io
Serverless user is typically 
Low Privilege
Reducing impact substantially, but not eliminating it

snyk.io
7. Worry about all functions 
(Every available function increases your attack surface)

snyk.io
Summary
1. Beware vulnerable libraries
2. ReDoS can still be costly
3. Avoid secrets in deployed code
4. Deploy granular functions
5. Use Granular Permissions
6. Don’t rely on immutability
7. Worry about all functions

snyk.io
Serverless is deﬁned now. 
Let’s build Security in.
Thank You!
Guy Podjarny, Snyk
@guypod

What's hot

Why should developers care about container security?

Eric Smalling

Security in CI/CD Pipelines: Tips for DevOps Engineers

DevOps.com

While DevOps is becoming a new norm for most of the companies, security is typically still behind. The new architectures create a number of new process considerations and technical issues. In this practical talk, we will present an overview of the practical issues that go into making security a part of DevOps processes. Will cover incorporating security into existing CI/CD pipelines and tools DevOps professionals need to know to implement the automation and adhere to secure coding practices. Join Stepan Ilyin, Chief Product Officer at Wallarm for an engaging conversation where you’ll learn: Methodologies and tooling for dynamic and static security testing Composite and OSS license analysis benefits Secrets and analysis and secrets management approaches in distributed applications Security automation and integration in CI/CD Apps, APIs and workloads protection in cloud-native K8s enabled environments

The Future of Security and Productivity in Our Newly Remote World

DevOps.com

Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated. This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks. See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.

Henrique Dantas - API fuzzing using Swagger

DevSecCon

The document discusses API security testing using Swagger specifications. It notes that APIs are good targets for security testing due to their closeness to databases and ubiquity. The solution presented involves automating security testing of APIs by leveraging existing Swagger specifications in a Python library, which allows for extensive and extendible fuzzing of APIs while integrating results and providing reports. The library uses the popular Swagger and Sulley tools for fuzzing.

360° Kubernetes Security: From Source Code to K8s Configuration Security

DevOps.com

Kubernetes has become the default way for many organizations to scale and orchestrate their use of containers. However, organizations are starting to find themselves needing to take the necessary steps to protect their containers. Automating security checks throughout the development life cycle can help reduce risk and allow organizations to develop and deploy securely. Join Shiri Ivstan, Senior Product Manager at WhiteSource and Yaniv Peleg Tsabari, Senior Director of Product Management at Alcide, as they explore the world of security in Kubernetes and discuss: The security risks associated with open-source code and Kubernetes environments Supply Chain: Continuous Security throughout the CI/CD pipeline Security aspects throughout the development cycle, such as Image Scanning, Image Assurance, K8s Configuration hygiene and more. How to automate policies with respect to the above techniques throughout the CI/CD pipeline in order to facilitate more secure application deployments.

Lacework | Top 10 Cloud Security Threats

Lacework

James Condon presented the top 10 threats to cloud security. These included cryptojacking, data leaks from misconfigurations, SSH brute force attacks, data exfiltration by advanced persistent threats, malware like ransomware and coin miners, remote code execution from vulnerabilities, container escapes, server compromises, and malicious insiders. Mitigations involved visibility, access controls, patching, monitoring, and security best practices.

Alfredo Reino - Monitoring aws and azure

DevSecCon

This document provides an overview of monitoring Azure and AWS cloud environments. It discusses why monitoring is important for threat detection, hunting and response. It outlines what aspects should be monitored, including operating systems, applications, network traffic, and cloud service logs. Specific AWS and Azure monitoring options are described, such as CloudTrail, VPC Flow Logs, and Azure Audit Logs. Integrating cloud logs with SIEMs and threat intelligence feeds is also covered. Endpoint monitoring tools are suggested to record process, file, registry and network activity on virtual machines.

DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...

Lacework

AllDayDevOps 2019 AppSensor

jtmelton

Modern applications can protect themselves from attackers by incorporating runtime monitoring capabilities. The OWASP AppSensor project aims to make intrusion detection primitives available within applications so they can detect attacks and automatically respond before an attacker succeeds. It works by collecting event data from applications and analyzing them for attacks using configurable rules. This allows applications to become self-defending by detecting and stopping attackers without needing manual responses.

All Your Containers Are Belong To Us

Lacework

Aleksei Dremin - Application Security Pipeline - phdays9

Alexey Dremin

This document discusses setting up an application security pipeline for continuous integration and delivery (CI/CD). It recommends using static application security testing (SAST) tools, dependency checkers, source code scanners, dynamic application security testing (DAST) tools, and integrating them with Jenkins. It also suggests managing vulnerabilities and results in DefectDojo and notifying stakeholders of new findings through integration with communication tools like Slack. The document stresses the importance of educating developers on security best practices.

DevSecOps | DevOps Sec

Rubal Jain

AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...

Lacework

This document provides an overview of automated end-to-end security for AWS. It discusses how the majority of compromises are due to credentials being compromised, failure to patch security flaws, insider threats, or human error. An example compromise is described where a developer at a company accidentally committed SSH keys to GitHub, allowing a hacker to access servers and exfiltrate customer data, resulting in a $148 million settlement. The document then outlines how Lacework can help secure workloads, containers, configuration, AWS accounts, and provide continuous auditing and compliance.

Hacking into your containers, and how to stop it!

Eric Smalling

This document discusses hacking into containers and how to stop it. It begins with an overview of increased security responsibilities for developers as containers add operating system level concerns. It then demonstrates hacking techniques and defenses that can be used in depth, such as minimizing images, not running as root, read only root filesystems, secrets management, and network policies. Key takeaways are that fast security feedback is important for developers and implementing known secure practices for building and running containers can help mitigate vulnerabilities.

Secure Your Code Implement DevSecOps in Azure

kloia

BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back

Lacework

Lacework Kubernetes Meetup | August 28, 2018

Lacework

The document discusses container and cloud security. It describes Lacework's Polygraph security platform, which provides threat intelligence, detection, visibility, and alerting capabilities across cloud infrastructure, workloads, accounts, VMs, containers and files. It highlights risks like container escapes and privilege escalation. The document also provides examples of container security threats like the Healthz RCE vulnerability and recommendations like implementing multi-factor authentication, pod security policies, and restricting privileges.

DevSecOps in Baby Steps

Priyanka Aash

You Build It, You Secure It: Introduction to DevSecOps

Sumo Logic

PKI in DevOps: How to Deploy Certificate Automation within CI/CD

DevOps.com

DevOps and CI/CD make for faster code releases, but they also create new challenges for security practices. Think about TLS and code-signing certificates. Almost every component in CI/CD – binaries, builds, web servers and containers – needs certificates to authenticate and verify trust, but traditional PKI processes just can't scale in DevOps environments. Join Keyfactor and Infinite Ranges to learn how PKI and certificate management fits within the CI/CD pipeline and why an integrated and automated approach is key to success. In this webinar, we'll discuss: How applications in the DevOps toolchain use PKI (i.e. Jenkins, Kubernetes, Istio, etc.) The risks of unmanaged or untracked certificates in DevOps environments Best practices to support visibility, compliance and automation of certificates in CI/CD

What's hot (20)

Why should developers care about container security?

Security in CI/CD Pipelines: Tips for DevOps Engineers

The Future of Security and Productivity in Our Newly Remote World

Henrique Dantas - API fuzzing using Swagger

360° Kubernetes Security: From Source Code to K8s Configuration Security

Lacework | Top 10 Cloud Security Threats

Alfredo Reino - Monitoring aws and azure

DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...

AllDayDevOps 2019 AppSensor

All Your Containers Are Belong To Us

Aleksei Dremin - Application Security Pipeline - phdays9

DevSecOps | DevOps Sec

AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...

Hacking into your containers, and how to stop it!

Secure Your Code Implement DevSecOps in Azure

BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back

Lacework Kubernetes Meetup | August 28, 2018

DevSecOps in Baby Steps

You Build It, You Secure It: Introduction to DevSecOps

PKI in DevOps: How to Deploy Certificate Automation within CI/CD

Similar to Securing Serverless - By Breaking In

Serverless Security: What's Left to Protect?

Guy Podjarny

Slides from my ServerlessConf Austin 2017. Serverless means handing off server management to the cloud platforms - along with their security risks. With the “pros” ensuring our servers are patched, what’s left for application owners to protect? As it turns out, quite a lot. This talk discusses the aspects of security serverless doesn’t solve, the problems it could make worse, and the tools and practices you can use to keep yourself safe

Secure Node Code (workshop, O'Reilly Security)

Guy Podjarny

Some of the very things that make JavaScript awesome can also leave it exposed. Guy Podjarny and Danny Grander walk through some sample security flaws unique to Node’s async nature and surrounding ecosystem (or especially relevant to it)—e.g., memory leaks via the buffer object, ReDoS and other algorithmic DoS attacks (which impact Node due to its single-threaded nature), and timing attacks leveraging the EventLoop—and show how these could occur in your own code or in npm dependencies.

AusCERT - Developing Secure iOS Applications

eightbit

Michael Gianarakis' presentation discusses developing secure iOS applications. It provides an overview of the iOS application attack surface and common security issues. It outlines secure design principles such as not trusting the client/runtime, understanding the app's risk profile, implementing anti-debugging controls, jailbreak detection, and address space validation. The presentation aims to help developers design apps that are secure against common attacks.

Securing Serverless by Breaking in

C4Media

Guy Podjarny from Snyk gave a presentation on securing serverless applications. He demonstrated vulnerabilities in a sample serverless app and how to fix them. The main security issues discussed were vulnerable dependencies, denial of service attacks from regular expression denial of service (ReDoS) vulnerabilities, secrets in code, granular permissions and functions, and immutable servers being reused. Podjarny emphasized testing for vulnerabilities, using key management systems, deploying narrowly-scoped functions, and monitoring functions over time.

Proactive Security AppSec Case Study

Andy Hoernecke

Application security meetup k8_s security with zero trust_29072021

lior mazor

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

Ajin Abraham

Tizen is an operating system which is built to run on various kinds of devices. Tizen OS defines following profiles based on the devices types supported. Tizen IVI (in-vehicle infotainment) Tizen Mobile Tizen TV, and Tizen Wearable Samsung's first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the research outcome on the security analysis of Tizen OS. The paper begins with a quick introduction to Tizen architecture which explains the various components of Tizen OS. This will be followed by Tizen's security model, where Application Sandboxing and Resource Access Control powered by Smack will be explained. The vulnerabilities in Tizen identified during the research and responsibly disclosed to Tizen community will be discussed. This includes issues like Tizen WebKit2 Address spoofing and content injection, Buffer Overflows, Issues in Memory Protection like ASLR and DEP, Injecting SSL Certificate into Trusted Zone, (Shellshock) CVE-2014-6271 etc. Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. Overview of pentesting Tizen application will be presented along with some of the issues impacting the security of Tizen application. There will be comparisons made to Android application, and how these security issues differ with Tizen. For eg: Security issues with inter application communication with custom URL schemes or intent broadcasting in Android as opposed to using MessagePort API in Tizen. Issues with Webview & JavaScript Bridge in Android compared to how the web to native communication is handled with Tizen etc. Tizen is late to enter into the market as compared to Android or iOS, which gives it the benefit of learning from the mistakes impacting the security of mobile OS, and fixing these issues right in the Security Architecture. To conclude, a verdict would be provided by the speaker on how much Tizen has achieved with regard to making this mobile OS a secure one.

(SEC202) Best Practices for Securely Leveraging the Cloud

Amazon Web Services

Cloud adoption is driving digital business growth and enabling companies to shift to processes and practices that make innovation continual. As with any paradigm shift, cloud computing requires different rules and a different way of thinking. This presentation will highlight best practices to build and secure scalable systems in the cloud and capitalize on the cloud with confidence and clarity. In this session we will cover: Key market drivers and advantages for leveraging cloud architectures. Foundational design principles to guide strategy for securely leveraging the cloud. The “Defense in Depth” approach to building secure services in the cloud, whether it’s private, public, or hybrid. Real-world customer insights from organizations who have successfully adopted the ""Defense in Depth"" approach. Session sponsored by Sumo Logic.

Webinar–Mobile Application Hardening Protecting Business Critical Apps

Synopsys Software Integrity Group

During this talk, we looked at some of the typical controls that Android/iOS applications exhibit, how they work, how to spot them, and how to sidestep them. We’ll demonstrate analysis and techniques using free open source tooling such as Radare and Frida, and for some parts, we’ll use IDA Pro. And since “automation” is the buzzword of the year, we’ll discuss how to automate some of these activities, which typically take up most of the assessment window. For more information, please visit our website at www.synopsys.com/software

Microservices and Devs in Charge: Why Monitoring is an Analytics Problem

SignalFx

Presented at GlueCon 2015. This presentation discusses SignalFx CTO and co-founder Phillip Liu's experience operating infrastructure and apps at massive scale and what drove the realization that monitoring is fundamentally an analytics problem now. Following on the heels of Adrian Cockroft's keynote that morning, Monitoring Microservices and Containers, this presentation went over real world examples of how modern monitoring for microservices wroks.

Why monitoring is an analytics problem

Phillip Liu

SignalFx uses an analytics approach to monitoring microservices. They instrument each microservice to collect metrics and log exceptions. All data is sent to an analytics service for analysis and detection of issues. For example, when a code push caused unexpected timeouts in an upstream service, SignalFx was able to quickly identify the outlier service through exception analysis, narrow down the problem to a specific exception, and find the root cause in just 15 minutes. Their analytics approach helps reduce mean time to resolution compared to traditional monitoring.

Runtime Analysis on Mobile Applications (February 2017)

Sandeep Jayashankar

The Need for a More Effective Penetration Test” Generally, reviewing a mobile application for security vulnerabilities include areas such as local storage, cryptographic usage, mobile traffic analysis, black box static analysis, etc. The methods and tools which are typically used to conduct these reviews are outdated, difficult to properly configure and/or use, and in many instances provide an incomplete picture. The easiest way sometimes would be to review the application while it is running, as it would provide a better understanding of the application’s behavior. However, debugging tools such as “gdb”, “jdb/jdwp”, and “adb” require significant manual time to analyze the application. And if we have to change the application’s normal behavior for bypassing any security controls, we have to decompile the application, edit the code, and rebuild the application. In this presentation, we will understand more effective methods of conducting runtime analysis on both iOS and Android applications, utilizing tools which monitor runtime behavior. We will also cover how hooking/runtime tools like “cycript” and “MobileSubstrate” work, and briefly discuss how these can be used to bypass controls such as built-in application safeguards, jailbreak detection, and certificate pinning. In addition, we will also discuss venues of attack vectors which may open up while testing the application at runtime. We will aim to deduce that, by including runtime analysis as part of our penetration testing methodology, we will save time while performing it more effectively.

Introduction to Android Development and Security

Kelwin Yang

This document provides an introduction to Android development and security. It begins with a brief history of Android and overview of its architecture. It then discusses the Android development environment and process, including key tools and frameworks. It also outlines Android security features like application sandboxing, permissions, and encryption. Finally, it introduces a series of Android security labs that demonstrate exploits like parameter manipulation, insecure storage, and memory attacks. The goal is to provide hands-on examples of common Android vulnerabilities.

Laying the Foundation for Ionic Platform Insights on Spark

Ionic Security

The document discusses Ionic Security's use of Spark and Databricks to enable low-cost and flexible reporting from their transaction log data. Some key goals were reducing costs from their previous Elasticsearch solution, enabling quick development of domain-specific reports, and laying the foundation for advanced analytics. They built a Scala Spark job that ingests log data from S3 and runs configurable report queries to output results. This allows flexible querying while keeping costs low. Lessons learned included benefits of Scala for Spark development but its learning curve, advantages of a single uber jar workflow, and pushing complex logic into Spark user-defined functions.

Wahckon[2] - iOS Runtime Hacking Crash Course

eightbit

This document provides an introduction to runtime hacking on iOS. It discusses setting up the environment, mapping out an application by decrypting and dumping binaries to obtain class information. It then covers techniques for dumping and modifying variables at runtime like retrieving sensitive user data. Methods for manipulating functions are also presented, such as bypassing authentication or jailbreak detection. Persistence techniques like injecting libraries are explained. Finally, it addresses considerations for hacking Swift applications. The overall goal is to quickly get people up to speed on runtime analysis and manipulation of third-party iOS apps.

AWS Loft Talk: Behind the Scenes with SignalFx

SignalFx

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Ajin Abraham

Tizen is an open source operating system that can run on various devices including smart TVs and IoT devices. It uses a security model that isolates applications using SMACK mandatory access control and enforces content security policies for web applications. The presentation discusses hacking techniques tested against Tizen like exploiting shellshock vulnerabilities, bypassing address space layout randomization protections, and circumventing content security policies. It also provides an overview of methodologies for analyzing Tizen application security like static analysis of manifest and configuration files, decompiling native applications, and network analysis using a proxy. Overall the presentation evaluates the security of Tizen and highlights some implementation issues found.

Stranger Danger (NodeSummit, 2016)

Guy Podjarny

DEF CON 24 - Dinesh and Shetty - practical android application exploitation

Felipe Prado

The document provides an overview of a workshop on practical Android application exploitation. The workshop aims to teach skills for performing reverse engineering, static and dynamic testing, and binary analysis of Android applications. It will use demonstrations and hands-on exercises with custom applications like InsecureBankv2. The workshop focuses on discovery and remediation, targeting intermediate to advanced skill levels. It will cover tools, techniques, and common vulnerabilities to exploit Android applications.

apidays New York 2023 - Putting yourself out there - how to secure your publi...

apidays

apidays New York 2023 APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media May 16 & 17, 2023 Putting yourself out there - how to secure your public APIs Dan Erez, Architecture Team Lead at AT&T ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Similar to Securing Serverless - By Breaking In (20)

Serverless Security: What's Left to Protect?

Secure Node Code (workshop, O'Reilly Security)

AusCERT - Developing Secure iOS Applications

Securing Serverless by Breaking in

Proactive Security AppSec Case Study

Application security meetup k8_s security with zero trust_29072021

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

(SEC202) Best Practices for Securely Leveraging the Cloud

Webinar–Mobile Application Hardening Protecting Business Critical Apps

Microservices and Devs in Charge: Why Monitoring is an Analytics Problem

Why monitoring is an analytics problem

Runtime Analysis on Mobile Applications (February 2017)

Introduction to Android Development and Security

Laying the Foundation for Ionic Platform Insights on Spark

Wahckon[2] - iOS Runtime Hacking Crash Course

AWS Loft Talk: Behind the Scenes with SignalFx

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Stranger Danger (NodeSummit, 2016)

DEF CON 24 - Dinesh and Shetty - practical android application exploitation

apidays New York 2023 - Putting yourself out there - how to secure your publi...

More from Guy Podjarny

Stranger Danger: Securing Third Party Components (Tech2020)

Guy Podjarny

Building software today involves more assembly than actual coding. Much of our code is in fact pulled in open source packages, and the applications heavily rely on surrounding third party binaries. These third parties make us more productive - but they also introduce an enormous risk. Each third party component is a potential source of vulnerabilities or malicious code, each third party service a potential door into our system. This talk contains more information about this risk, create a framework for digesting and tackling it, and lists a myriad of tools that can help.

High Performance Images: Beautiful Shouldn't Mean Slow (Velocity EU 2015)

Guy Podjarny

The web is becoming increasingly image rich. Between high-resolution mobile screens, Pinterest-style design, and big background graphics, the average image payload has more than doubled in the last three years. While visually appealing, these images carry a substantial performance cost, and — if not optimized correctly — can make a web experience slow and painful, no matter how beautiful it is. In this tutorial we’ll discuss ways that let you provide the eye-pleasing experience you want without sacrificing your site’s performance.You’ll learn about the three primary aspects of image optimization: - Image compression: how to best encode your images, delivering the same picture with the fewest bytes - Image loading: once your files are as small as they can be, we’ll cover the best ways to make them show up quickly in the browser - Operationalizing image optimization: different tools and techniques for integrating image optimization on your site Talk given at Velocity Conf EU 2015: http://velocityconf.com/devops-web-performance-eu-2015/public/schedule/detail/45013

HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)

Guy Podjarny

When users use our sites, they put their faith in us. They trust we will keep their information from reaching others, believe we provided the information they see, and allow us to run (web) code on their devices. Using HTTPS to secure our conversations is a key part of maintaining this trust. If that’s not motivation enough, the web’s giants are actively promoting HTTPS, requiring it for features such as HTTP2 & ServiceWorker, using it for search engine ranking and more. To make the most of the web, you need to use HTTPS. This deck reviews what HTTPS is, discusses why you should prioritize using it, and cover some of the easiest (and most cost effective) steps to get started using HTTPS

High Performance Images: Beautiful Shouldn't Mean Slow

Guy Podjarny

(slides from the O'Reilly webcast, see recording here: http://www.oreilly.com/pub/e/3425) The web is becoming increasingly image rich. Between high-resolution mobile screens, Pinterest-style design and big background graphics, the average image payload has more than doubled in the last three years. While visually appealing, these images carry a substantial performance cost, and — if not optimized correctly — can make a web experience slow and painful, no matter how beautiful it is. These slides discuss how you can provide the eye-pleasing experience you want without sacrificing your site's performance. You'll learn about the three primary aspects of image optimization: Image Compression: How to best encode your images, delivering the same picture with the fewest bytes. Image Loading: Once your files are as small as they can be, we'll cover the best ways to make them show up quickly in the browser. Image Operations: Different tools and techniques for integrating image optimization on your site.

Responsive In The Wild, 2014

Guy Podjarny

Slides from my Web Directions South 2014 Talk. Abstract: Responsive Web Design (RWD) is upon us, and it seems like every website has either gone responsive or planning to do so. And in this rush to implement – performance is left behind… Last November (2013), I ran a test identifying the responsive websites amongst the top 10,000 sites, and inspected their performance traits. The results were depressing, showing many sites have gone responsive, and hardly any tackled performance. In this talk, we’ll track the progress (or lack there of) we made as an industry. We’ll look at the results of a new test, tracking our progress in adopting RWD and – more importantly – in addressing its performance implications. We’ll share high level stats, highlight key trends, drill into representative examples, and come away with a better understanding of what we should be doing better, both on our own sites and as an industry

Third Party Performance (Velocity, 2014)

Guy Podjarny

Third party components are a part of any modern site: JS libs, analytics, trackers, share buttons, ads. Many components, each adding its performance cost, cause render delays or can effectively take your site down. This isn’t your code nor your servers, so what can you do about it? This presentation will answer this question with strategies and tactics for keeping 3rd parties from taking you down. This talk was given at Velocity Santa Clara, 2014: The presentation from Velocity Santa Clara, 2014 (http://velocityconf.com/velocity2014/public/schedule/detail/35448).

Rules driven-delivery

Guy Podjarny

This document discusses how a URL is no longer sufficient for content delivery given modern dynamic web pages. It proposes implementing "rules driven delivery" where delivery definitions are structured as reusable, hierarchical rules that define criteria for when to apply delivery behaviors. These rules would be pushed to CDN edges to enable offloading and improve performance over simply relying on URLs and caching. Examples of rules provided include redirecting mobile users, image format negotiation based on Accept headers, and granular caching based on request header values. The goal is more flexible content delivery and caching optimized for a wide variety of dynamic web page scenarios.

Responsive In The Wild (SmashingConf, 2014)

Guy Podjarny

Awareness to Responsive Web Design has grown substantially over the last few years, and practically any major organization has some RWD project in their Mobile Strategy decks. However, are we just talking about it, or actually doing it? I ran a mass test to identify the responsive websites amongst the top 100,000 websites in the world. Eventually, we'll be able to rerun this test to track RWD adoption over time, but for now we can use it to see how RWD sites compare to each other and to non-RWD sites. This short presentation, given over beers at the awesome SmashingConf, shares some such insights. A (slightly smaller) but more detailed description of the test can be found here: www.guypo.com/mobile/roughly-1-in-8-websites-is-responsive/

Putting Your Images on a Diet (SmashingConf, 2014)

Guy Podjarny

Images are quickly becoming one of the most critical factors for web performance. On one hand, users are demanding more visual websites, driving an increase in the number of images on a page and making background images cool again. On the other hand, technology trends such as Retina displays and RWD are making it much harder to choose the right image to download at any given time, avoiding the download of excess bytes. In this talk, I go over what you can do to maximize the impact of every image byte. I explain the concept of Image Compression, understand how it applies to different image formats, and show the tools and techniques you should use to communicate the best visuals with the fewest bytes. Lastly, I show how to combine image compression and Retina displays, and discuss some newer image formats and how you can take advantage of them today

Third party-performance (Airbnb Nerds, Nov 2013)

Guy Podjarny

Almost every site on the internet today serves 3rd-party assets and code - jQuery, analytics, trackers, share buttons, ads - from both their own servers and others - cloud providers, dedicated hardware, CDNs, google hosting. These third parties can have a significant effect on performance, delaying the load event, deferring actions, and being a single point of failure beyond your control. This deck discusses techniques and strategies for working with 3rd parties within these limitations, and shares some relevant community work.

Third Party Performance

Guy Podjarny

A Picture Costs A Thousand Words

Guy Podjarny

Images seem simple - they're static, independent from each other, and don't mess up the DOM. However, images make up 60%-70% of page bytes, and their visual nature makes them critical for user experience. Investing in Image Optimization is a highly worthwhile investment. This presentation covers 4 aspects of Image Optimization: - Optimizing Image formats (including background on GIF, PNG, JPEG, WebP, JPEG XR and more) - Optimizing image delivery - Optimizing image loading in the page - Responsive Images - optimizing images for mobile screens

Step by Step Mobile Optimization

Guy Podjarny

(A presentation given at Velocity Conference, London 2012) Mobile Optimization is complicated, and there’s no single silver bullet. Many different bottlenecks take their toll along the way, and while some have a huge impact, others still add up. In this presentation, we’ll take a website and optimize it step by step. In each step we’ll touch on a problem, discuss how to solve it – perhaps in multiple ways – and show the effect of the solution. In the process, we’ll also touch on topics such as measuring mobile performance, differences between browsers, and which pitfalls are common

Quantifying The Mobile Difference

Guy Podjarny

Performance Implications of Mobile Design (Perf Audience Edition)

Guy Podjarny

(This version of the presentation is oriented at a web performance audience, and includes some mobile design 101 content) Mobile Web Design is complicated, and several design paradigms have been created to help deal with the challenges the mobile landscape creates. Amongst other implications, each paradigm also carries its own performance pitfalls, which can turn a well designed site into a horribly slow user experience. This presentation covers the top design paradigms - Dedicated Websites (mdot) and Responsive Web Design, gives some background on each, and digs into the performance do's and don'ts for your design of choice.

Performance Implications of Mobile Design

Guy Podjarny

Unravelling Mobile Web Performance

Guy Podjarny

The Mobile Web is a complicated beast, making Mobile Web Performance a tough problem to tackle. Is an iPad on WiFi a part of the Mobile Web? How about a laptop with a 3G stick? This presentation tries to split the Mobile Web into three categories, to make it more manageable: Network, Software & Hardware. For each, it reviews the performance challenges this category entails, and offers possible solutions to those challenges. A recording of this presentation (with audio) is available here: http://vimeo.com/32917131

State Of Mobile Web Performance

Guy Podjarny

More from Guy Podjarny (18)

Stranger Danger: Securing Third Party Components (Tech2020)

High Performance Images: Beautiful Shouldn't Mean Slow (Velocity EU 2015)

HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)

High Performance Images: Beautiful Shouldn't Mean Slow

Responsive In The Wild, 2014

Third Party Performance (Velocity, 2014)

Rules driven-delivery

Responsive In The Wild (SmashingConf, 2014)

Putting Your Images on a Diet (SmashingConf, 2014)

Third party-performance (Airbnb Nerds, Nov 2013)

Third Party Performance

A Picture Costs A Thousand Words

Step by Step Mobile Optimization

Quantifying The Mobile Difference

Performance Implications of Mobile Design (Perf Audience Edition)

Performance Implications of Mobile Design

Unravelling Mobile Web Performance

State Of Mobile Web Performance

Recently uploaded

How Social Media Hackers Help You to See Your Wife's Message.pdf

HackersList

Quality Patents: Patents That Stand the Test of Time

Aurora Consulting

Is your patent a vanity piece of paper for your office wall? Or is it a reliable, defendable, assertable, property right? The difference is often quality. Is your patent simply a transactional cost and a large pile of legal bills for your startup? Or is it a leverageable asset worthy of attracting precious investment dollars, worth its cost in multiples of valuation? The difference is often quality. Is your patent application only good enough to get through the examination process? Or has it been crafted to stand the tests of time and varied audiences if you later need to assert that document against an infringer, find yourself litigating with it in an Article 3 Court at the hands of a judge and jury, God forbid, end up having to defend its validity at the PTAB, or even needing to use it to block pirated imports at the International Trade Commission? The difference is often quality. Quality will be our focus for a good chunk of the remainder of this season. What goes into a quality patent, and where possible, how do you get it without breaking the bank? ** Episode Overview ** In this first episode of our quality series, Kristen Hansen and the panel discuss: ⦿ What do we mean when we say patent quality? ⦿ Why is patent quality important? ⦿ How to balance quality and budget ⦿ The importance of searching, continuations, and draftsperson domain expertise ⦿ Very practical tips, tricks, examples, and Kristen’s Musts for drafting quality applications https://www.aurorapatents.com/patently-strategic-podcast.html

Manual | Product | Research Presentation

welrejdoall

Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...

Bert Blevins

Today’s digitally connected world presents a wide range of security challenges for enterprises. Insider security threats are particularly noteworthy because they have the potential to cause significant harm. Unlike external threats, insider risks originate from within the company, making them more subtle and challenging to identify. This blog aims to provide a comprehensive understanding of insider security threats, including their types, examples, effects, and mitigation techniques.

Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops

Mydbops

This presentation, delivered at the Postgres Bangalore (PGBLR) Meetup-2 on June 29th, 2024, dives deep into connection pooling for PostgreSQL databases. Aakash M, a PostgreSQL Tech Lead at Mydbops, explores the challenges of managing numerous connections and explains how connection pooling optimizes performance and resource utilization. Key Takeaways: * Understand why connection pooling is essential for high-traffic applications * Explore various connection poolers available for PostgreSQL, including pgbouncer * Learn the configuration options and functionalities of pgbouncer * Discover best practices for monitoring and troubleshooting connection pooling setups * Gain insights into real-world use cases and considerations for production environments This presentation is ideal for: * Database administrators (DBAs) * Developers working with PostgreSQL * DevOps engineers * Anyone interested in optimizing PostgreSQL performance Contact info@mydbops.com for PostgreSQL Managed, Consulting and Remote DBA Services

Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...

Chris Swan

Have you noticed the OpenSSF Scorecard badges on the official Dart and Flutter repos? It's Google's way of showing that they care about security. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge. You can do the same for your projects, and this presentation will show you how, with an emphasis on the unique challenges that come up when working with Dart and Flutter. The session will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.

20240704 QFM023 Engineering Leadership Reading List June 2024

Matthew Sinclair

What’s New in Teams Calling, Meetings and Devices May 2024

Stephanie Beckett

WPRiders Company Presentation Slide Deck

Lidia A.

YOUR RELIABLE WEB DESIGN & DEVELOPMENT TEAM — FOR LASTING SUCCESS WPRiders is a web development company specialized in WordPress and WooCommerce websites and plugins for customers around the world. The company is headquartered in Bucharest, Romania, but our team members are located all over the world. Our customers are primarily from the US and Western Europe, but we have clients from Australia, Canada and other areas as well. Some facts about WPRiders and why we are one of the best firms around: More than 700 five-star reviews! You can check them here. 1500 WordPress projects delivered. We respond 80% faster than other firms! Data provided by Freshdesk. We’ve been in business since 2015. We are located in 7 countries and have 22 team members. With so many projects delivered, our team knows what works and what doesn’t when it comes to WordPress and WooCommerce. Our team members are: - highly experienced developers (employees & contractors with 5 -10+ years of experience), - great designers with an eye for UX/UI with 10+ years of experience - project managers with development background who speak both tech and non-tech - QA specialists - Conversion Rate Optimisation - CRO experts They are all working together to provide you with the best possible service. We are passionate about WordPress, and we love creating custom solutions that help our clients achieve their goals. At WPRiders, we are committed to building long-term relationships with our clients. We believe in accountability, in doing the right thing, as well as in transparency and open communication. You can read more about WPRiders on the About us page.

WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf

ArgaBisma

UiPath Community Day Kraków: Devs4Devs Conference

UiPathCommunity

We are honored to launch and host this event for our UiPath Polish Community, with the help of our partners - Proservartner! We certainly hope we have managed to spike your interest in the subjects to be presented and the incredible networking opportunities at hand, too! Check out our proposed agenda below 👇👇 08:30 ☕ Welcome coffee (30') 09:00 Opening note/ Intro to UiPath Community (10') Cristina Vidu, Global Manager, Marketing Community @UiPath Dawid Kot, Digital Transformation Lead @Proservartner 09:10 Cloud migration - Proservartner & DOVISTA case study (30') Marcin Drozdowski, Automation CoE Manager @DOVISTA Pawel Kamiński, RPA developer @DOVISTA Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner 09:40 From bottlenecks to breakthroughs: Citizen Development in action (25') Pawel Poplawski, Director, Improvement and Automation @McCormick & Company Michał Cieślak, Senior Manager, Automation Programs @McCormick & Company 10:05 Next-level bots: API integration in UiPath Studio (30') Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner 10:35 ☕ Coffee Break (15') 10:50 Document Understanding with my RPA Companion (45') Ewa Gruszka, Enterprise Sales Specialist, AI & ML @UiPath 11:35 Power up your Robots: GenAI and GPT in REFramework (45') Krzysztof Karaszewski, Global RPA Product Manager 12:20 🍕 Lunch Break (1hr) 13:20 From Concept to Quality: UiPath Test Suite for AI-powered Knowledge Bots (30') Kamil Miśko, UiPath MVP, Senior RPA Developer @Zurich Insurance 13:50 Communications Mining - focus on AI capabilities (30') Thomasz Wierzbicki, Business Analyst @Office Samurai 14:20 Polish MVP panel: Insights on MVP award achievements and career profiling

find out more about the role of autonomous vehicles in facing global challenges

huseindihon

Best Programming Language for Civil Engineers

Awais Yaseen

The integration of programming into civil engineering is transforming the industry. We can design complex infrastructure projects and analyse large datasets. Imagine revolutionizing the way we build our cities and infrastructure, all by the power of coding. Programming skills are no longer just a bonus—they’re a game changer in this era. Technology is revolutionizing civil engineering by integrating advanced tools and techniques. Programming allows for the automation of repetitive tasks, enhancing the accuracy of designs, simulations, and analyses. With the advent of artificial intelligence and machine learning, engineers can now predict structural behaviors under various conditions, optimize material usage, and improve project planning.

Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...

Erasmo Purificato

How to Build a Profitable IoT Product.pptx

Adam Dunkels

Research Directions for Cross Reality Interfaces

Mark Billinghurst

BLOCKCHAIN FOR DUMMIES: GUIDEBOOK FOR ALL

Liveplex

Cookies program to display the information though cookie creation

shanthidl1

20240702 QFM021 Machine Intelligence Reading List June 2024

Matthew Sinclair

Password Rotation in 2024 is still Relevant

Bert Blevins

Recently uploaded (20)

How Social Media Hackers Help You to See Your Wife's Message.pdf

Quality Patents: Patents That Stand the Test of Time

Manual | Product | Research Presentation

Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...

Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops

Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...

20240704 QFM023 Engineering Leadership Reading List June 2024

What’s New in Teams Calling, Meetings and Devices May 2024

WPRiders Company Presentation Slide Deck

WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf

UiPath Community Day Kraków: Devs4Devs Conference

find out more about the role of autonomous vehicles in facing global challenges

Best Programming Language for Civil Engineers

Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...

How to Build a Profitable IoT Product.pptx

Research Directions for Cross Reality Interfaces

BLOCKCHAIN FOR DUMMIES: GUIDEBOOK FOR ALL

Cookies program to display the information though cookie creation

20240702 QFM021 Machine Intelligence Reading List June 2024

Password Rotation in 2024 is still Relevant

Securing Serverless - By Breaking In

1. snyk.io Securing Serverless -   By Breaking In Guy Podjarny, Snyk @guypod

2. snyk.io About Me • Guy Podjarny, @guypod on Twitter • CEO & Co-founder at Snyk • History: • Cyber Security part of Israel Defense Forces • First Web App Firewall(AppShield), Dynamic/Static Tester(AppScan) • Security: Worked in Sanctum -> Watchﬁre -> IBM • Performance: Founded Blaze -> CTO @Akamai • O’Reilly author, speaker

3. snyk.io Serverless Security: The Theory  (talk from ServerlessConf) https://www.youtube.com/watch?v=CiyUD_rI8D8 https://www.infoq.com/articles/serverless-security

4. snyk.io Today - straight to practice!

5. snyk.io Agenda • Show a demo serverless app • Hack it • Explain the security ﬂaws and how to ﬁx them • Summary • Q&A

6. snyk.io Introducing our app…

7. snyk.io Vulnerable Libraries

8. snyk.io Example: Fetch ﬁle & store in s3 (Serverless Framework Example) 19 Lines of Code 2 Direct dependencies 19 dependencies(incl. indirect) 191,155 Lines of Code

9. snyk.io

10. snyk.io Serverless does secure  OS dependencies Just not app dependencies

11. snyk.io 1. Beware Vulnerable Libraries  (test during dev, monitor over time)

12. snyk.io Side Note:  Snyk isn’t only for Serverless

13. snyk.io Denial of Service

14. snyk.io 2. ReDoS can still be costly  (won’t take you down, but can hike up bill)

15. snyk.io Beware  Resource Exhaustion Attacks Not all your services elastically scale

16. snyk.io Secrets

17. snyk.io 3. Avoid secrets in deployed code  (env variables aren’t enough - Use a KMS!)

18. snyk.io Serverless platforms oﬀer a  Key Management System Just use it!

19. snyk.io Granularity

20. snyk.io 4. Deploy granular functions  (shared function code = greater exposure)

21. snyk.io AWS Security Policy Easier Policy 3Policy 2 Policy 1 Safer

22. snyk.io Permissions

23. snyk.io 5. Use Granular Policies  (only allow each function its minimum permissions)

24. snyk.io A function is a perimeter That needs to be secured Perimeter Perimeter Perimeter Perimeter Perimeter

25. snyk.io Immutability

26. snyk.io 6. Don’t rely on immutability  (Lambda - and others - reuse servers)

27. snyk.io Serverless user is typically  Low Privilege Reducing impact substantially, but not eliminating it

28. snyk.io 7. Worry about all functions  (Every available function increases your attack surface)

29. snyk.io Summary 1. Beware vulnerable libraries 2. ReDoS can still be costly 3. Avoid secrets in deployed code 4. Deploy granular functions 5. Use Granular Permissions 6. Don’t rely on immutability 7. Worry about all functions

30. snyk.io Serverless Security: The Theory  (talk from ServerlessConf) https://www.youtube.com/watch?v=CiyUD_rI8D8 https://www.infoq.com/articles/serverless-security

31. snyk.io Serverless is deﬁned now.  Let’s build Security in. Thank You! Guy Podjarny, Snyk @guypod

Securing Serverless - By Breaking In

More Related Content

What's hot

What's hot (20)

Similar to Securing Serverless - By Breaking In

Similar to Securing Serverless - By Breaking In (20)

More from Guy Podjarny

More from Guy Podjarny (18)

Recently uploaded

Recently uploaded (20)

Securing Serverless - By Breaking In