What does it mean to implement zero-trust and DevSecOps principles in a serverless environment? This is our story of hardening an AWS application based on serverless architecture. It all began with an idea for a brand-new plugin for the Atlassian Jira Agile tool. Our plugin uses an innovative design based on GoLang, AWS Athena, Lambdas, and DynamoDB, and the Atlassian AtlasKit SDK for ReactJS. Serverless applications have many nice features that help make them secure. Lambdas get their credentials injected at runtime, eliminating the need to store keys or credentials. Our SSO solution improves security still further, by creating temporary credentials for every session, eliminating static keys and credentials. Given this excellent foundation, we thought our MVP was ready for production! Alas, how mistaken we were...
In order to meet Atlassian’s strict cybersecurity guidelines, we implemented security tools including GitHub’s dependabot, AWS credential management services, AWS app firewall, gosec, ZAP tester, and Nessus. We will discuss lessons learned and what was unique to the serverless environment. We will also cover privilege audits, data, and disaster recovery.
Using serverless architecture confers many benefits, and by reducing the attack surface, they can be inherently more secure than alternative architectures. Nevertheless, there are important steps that must be taken to further improve security. This talk will shed light on how to get where we need to be