Program of JAX New York is The Conference for Software Architects & Leaders.
MASTER SOFTWARE DESIGN & ARCHITECTURAL CHALLENGES
In our global economy, software systems are becoming increasingly complex. Therefore, requiring leading edge systems to be carefully designed based on established architectural experience and the latest software knowledge.
LEARN FROM SKILLED THOUGHT LEADERS
At JAX, we met engineering experts and thought leaders who provided thought-provoking insights into their clients’ software architectures. Benefit from their accumulated experience and practical knowledge acquired from mastering various technical challenges.
“Putting the Sec in DevSecOps for an AWS Lambda Based System” by Craeg Strong
October 9, 2024 – 11:45 AM – 12:30 PM
Session Description
What does it mean to implement zero-trust and DevSecOps principles in a serverless environment? This is our story of hardening an AWS application based on serverless architecture. It all began with an idea for a brand-new plugin for the Atlassian Jira Agile tool. Our plugin uses an innovative design based on GoLang, AWS Athena, Lambdas, and DynamoDB, and the Atlassian AtlasKit SDK for ReactJS. Serverless applications have many nice features that help make them secure. Lambdas get their credentials injected at runtime, eliminating the need to store keys or credentials. Our SSO solution improves security still further, by creating temporary credentials for every session, eliminating static keys and credentials. Given this excellent foundation, we thought our MVP was ready for production! Alas, how mistaken we were…
In order to meet Atlassian’s strict cybersecurity guidelines, we implemented security tools including GitHub’s dependabot, AWS credential management services, AWS app firewall, gosec, ZAP tester, and Nessus. We will discuss lessons learned and what was unique to the serverless environment. We will also cover privilege audits, data, and disaster recovery.
Using serverless architecture confers many benefits, and by reducing the attack surface, they can be inherently more secure than alternative architectures. Nevertheless, there are important steps that must be taken to further improve security. This talk will shed light on how to get where we need to be.
