Building and maintaining complex distributed systems
June 19–20, 2017: Training
June 20–22, 2017: Tutorials & Conference
San Jose, CA

Serverless security: A pragmatic primer for builders and defenders

James Wickett (Verica)
1:15pm–1:55pm Thursday, June 22, 2017
Location: LL21 E/F
Level: Intermediate
Average rating: 4.33 (3 ratings)

Who is this presentation for?

  • Engineers and architects

Prerequisite knowledge

  • Familiarity with the command line
  • A basic understanding of Amazon Cloud and any programming language (All the examples will be in Go.)

What you'll learn

  • Learn how to build a complete serverless application (with the code provided as open source) and how to secure it
  • Explore practical security approaches for serverless in four key areas—the software supply chain, the delivery pipeline, data flow, and attack detection

Serverless is the design pattern for writing applications at scale without having to manage infrastructure. It spans the whole continuum of the cloud—from storage as a service to database as a service—but the center of serverless is functions as a service (FaaS). (Current FaaS offerings include AWS Lambda, Azure Functions, and Google Cloud Functions.) In this model a process runs for milliseconds, is destroyed, and is instantiated afresh for subsequent requests.

Serverless adds simplicity and a new economic model to cloud computing, but it creates some unique security challenges. In serverless architectures, technologies like antivirus and intrusion detection become meaningless. James Wickett explores practical security approaches for serverless in four key areas—the software supply chain, the delivery pipeline, data flow, and attack detection—and examines how traditional approaches need to be adapted to serverless.

Even if you don’t have any experience with serverless, don’t worry; this session starts with the basics. You’ll learn what serverless is (hint: it’s still being defined) and practical patterns for serverless adoption.

James Wickett

James Wickett is head of research at Signal Sciences, where he works at the intersection of the DevOps and security communities. James is a supporter of the Rugged Software and Rugged DevOps movements. Seeing the gap in software testing, James founded Gauntlt, an open source project, to serve as a Rugged testing framework. He is the author of Hands-on Gauntlt and DevOps Fundamentals on James got his start in technology when he founded a startup as a student at the University of Oklahoma. He has worked in environments ranging from large, web-scale enterprises to small, rapid-growth startups. He is a dynamic speaker on topics in DevOps, infosec, cloud security, security testing, Rugged DevOps, and serverless. James is the creator and founder of the Lonestar Application Security Conference, the largest annual security conference in Austin, Texas. He also runs DevOps Days Austin and is on the global DevOps Days board. James holds several security certifications, including CISSP and GWAPT. In his spare time, he’s trying to learn how to make a perfect BBQ brisket.