Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Securing Serverless - By Breaking In

122 views

Published on

Guy Podjarny breaks into a vulnerable serverless application and exploits multiple weaknesses, helping better understand some of the mistakes people make, their implications, and how to avoid them.

Video available on: https://www.infoq.com/presentations/serverless-security-2017

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Securing Serverless - By Breaking In

  1. 1. snyk.io Securing Serverless - 
 By Breaking In Guy Podjarny, Snyk @guypod
  2. 2. snyk.io About Me • Guy Podjarny, @guypod on Twitter • CEO & Co-founder at Snyk • History: • Cyber Security part of Israel Defense Forces • First Web App Firewall(AppShield), Dynamic/Static Tester(AppScan) • Security: Worked in Sanctum -> Watchfire -> IBM • Performance: Founded Blaze -> CTO @Akamai • O’Reilly author, speaker
  3. 3. snyk.io Serverless Security: The Theory
 (talk from ServerlessConf) https://www.youtube.com/watch?v=CiyUD_rI8D8 https://www.infoq.com/articles/serverless-security
  4. 4. snyk.io Today - straight to practice!
  5. 5. snyk.io Agenda • Show a demo serverless app • Hack it • Explain the security flaws and how to fix them • Summary • Q&A
  6. 6. snyk.io Introducing our app…
  7. 7. snyk.io Vulnerable Libraries
  8. 8. snyk.io Example: Fetch file & store in s3 (Serverless Framework Example) 19 Lines of Code 2 Direct dependencies 19 dependencies(incl. indirect) 191,155 Lines of Code
  9. 9. snyk.io
  10. 10. snyk.io Serverless does secure
 OS dependencies Just not app dependencies
  11. 11. snyk.io 1. Beware Vulnerable Libraries
 (test during dev, monitor over time)
  12. 12. snyk.io Side Note:
 Snyk isn’t only for Serverless
  13. 13. snyk.io Denial of Service
  14. 14. snyk.io 2. ReDoS can still be costly
 (won’t take you down, but can hike up bill)
  15. 15. snyk.io Beware
 Resource Exhaustion Attacks Not all your services elastically scale
  16. 16. snyk.io Secrets
  17. 17. snyk.io 3. Avoid secrets in deployed code
 (env variables aren’t enough - Use a KMS!)
  18. 18. snyk.io Serverless platforms offer a
 Key Management System Just use it!
  19. 19. snyk.io Granularity
  20. 20. snyk.io 4. Deploy granular functions
 (shared function code = greater exposure)
  21. 21. snyk.io AWS Security Policy Easier Policy 3Policy 2 Policy 1 Safer
  22. 22. snyk.io Permissions
  23. 23. snyk.io 5. Use Granular Policies
 (only allow each function its minimum permissions)
  24. 24. snyk.io A function is a perimeter That needs to be secured Perimeter Perimeter Perimeter Perimeter Perimeter
  25. 25. snyk.io Immutability
  26. 26. snyk.io 6. Don’t rely on immutability
 (Lambda - and others - reuse servers)
  27. 27. snyk.io Serverless user is typically
 Low Privilege Reducing impact substantially, but not eliminating it
  28. 28. snyk.io 7. Worry about all functions
 (Every available function increases your attack surface)
  29. 29. snyk.io Summary 1. Beware vulnerable libraries 2. ReDoS can still be costly 3. Avoid secrets in deployed code 4. Deploy granular functions 5. Use Granular Permissions 6. Don’t rely on immutability 7. Worry about all functions
  30. 30. snyk.io Serverless Security: The Theory
 (talk from ServerlessConf) https://www.youtube.com/watch?v=CiyUD_rI8D8 https://www.infoq.com/articles/serverless-security
  31. 31. snyk.io Serverless is defined now.
 Let’s build Security in. Thank You! Guy Podjarny, Snyk @guypod

×