SERVERLESS COMPUTING
Hackitect's playground
DevSecOps stories by Marek Šottl
THE GAME
Serverless attacks and controls
About me
Marek Šottl
DevSecOps + Cloud influencer and engineer
Author of Ultimate DevSecOps library
Certified: I create content for you:
Welcome to AWSome security space
Any questions?
OWASP TOP 10 Serverless - Hackitected
1. Function Event-Data Injection
Typical attacks like XSS, RCE and OS command injection are still valid for Lambda. Injection can lead to leakage of the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, which are the temporary credentials of the function's execution role.
2. Broken authentication
Exposing an unauthenticated entry point via an S3 bucket with public access. Unrestricted access to AWS EKS.
3. Sensitive data exposure – Insecure secret storage
There are various mechanisms to get and dump secrets such as API private keys, passwords and environment variables. Data dumping from S3 and DynamoDB are very common attacks.
4. Insecure Serverless Deployment
Misconfigured and badly architected serverless apps can lead to the creation of malicious infrastructure, secrets leakage or code leakage. Unsigned Lambda code can also be a critical part of supply chain attacks and Lambda manipulation.
5. Broken access control / Flow control
IAM permissions granted without reasoning about what they allow in combination can lead to privilege escalation, especially with offensive Infrastructure as Code. Manipulating the application's flow can help an attacker change the application logic to bypass access controls, elevate user privileges or even cause Denial of Service.
OWASP TOP 10 Serverless - Hackitected
6. Denial of Wallet (DoW)
DoW attacks specifically target serverless users to increase the billed spend at the cloud provider and cause financial harm.
7. Insecure Deserialization
Common Python and Node.js deserialisation mechanisms (Python pickle, for example) allow deserialisation attacks. Insecure deserialization usually results in running arbitrary code that could eventually lead to data leakage and, in severe cases, even resource and account control.
8. Using Components with Known Vulnerabilities – Supply chain OSS security
Testing OSS vulnerabilities and dependency security testing is underestimated, and when no action is taken it can have critical impact on your serverless application. Managing an SBOM is a key topic of today's OSS world.
9. Insufficient Logging and Monitoring
Applications which do not implement a proper auditing mechanism and rely solely on their service provider probably have insufficient means of security monitoring and auditing.
10. Security misconfiguration
Misconfiguration could lead to sensitive information leakage, money loss, DoS or, in severe cases, unauthorized access to cloud resources. The problem is the missing implementation of continuous security testing of the serverless infrastructure.
LET‘S PLAY SHORT GAME!
Denial of Wallet attacks
Denial-of-Wallet (DoW) exploits are similar to denial-of-service (DoS) because both are carried out with the intent to cause disruption. While a traditional distributed DoS attack floods the server with traffic until it crashes, a DoW attack specifically targets serverless apps: the platform scales out and keeps serving, and the victim pays for every invocation.
DoW seeks to cause the victim financial loss, and succeeds most easily where billing alarms and FinOps practices are missing.
Node.js Event Loop for Timing Attack
Vulnerable example:
Remediation:
This is a very common attack on an authentication Lambda that checks whether a token is valid. There are many attack vectors that cause loops in the code. Lambda can be triggered from S3, DynamoDB or SES, which lets attackers inject the triggering events.
Preventing DoW attacks
1. Prepare CloudWatch billing alarms (the EstimatedCharges metric is only published in us-east-1 and only after billing alerts are enabled for the account).
2. Limit the Lambda time-out to the necessary minimum.
3. Prepare short-lived IAM roles with limits on which resources (EC2 etc.) can be spun up.
4. Disable running instances when they are not needed via billing-limitation Lambdas.
5. Prepare your FinOps practices and the automation tooling around them.
6. GitOps helps to reduce the roles needed to manipulate resources. Take Git as the source of truth.
Lambda antipatterns and protection
Backdooring and exploiting AWS ECR
Compromised credentials → list ECR repositories → pull the selected image from ECR → create a backdoored image → push the "improved" image back into the "super secure repo".
Controls: enable tag immutability on the repository and sign and verify images before deployment, so a re-pushed tag cannot silently replace the trusted image.
Lambda code / S3 / DynamoDB dumping
Pacu can also pull data related to Lambda functions: source code, aliases, event source mappings, versions, tags and policies.
Amazon DynamoDB Accelerator (DAX) encryption at rest provides an additional layer of data protection. CRUD for all the operations. Use TTL (per-item timestamp) and IAM conditions.
Lambda code / S3 / DynamoDB dumping
S3 Data events
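The dumping described above leaves a recognisable trail once CloudTrail is on: one principal calls ListFunctions and then GetFunction across many functions, and S3 GetObject data events appear from a principal that never reads that bucket. Below is an added detector, not the slides' code and not a Pacu feature, run over constructed CloudTrail records. The sample records, the threshold, the principal ARNs and the bucket name are all constructed for the example; real GetObject records only exist if S3 data events are enabled for the bucket.

```javascript
// Added example (not from the slides): a small detector run over CloudTrail
// records to spot the dumping pattern Pacu-style tooling produces. The sample
// records, thresholds, principal ARNs and bucket name are constructed.

const LAMBDA_DUMP_EVENTS = new Set([
  'ListFunctions', 'GetFunction', 'GetPolicy', 'ListAliases',
  'ListEventSourceMappings', 'ListVersionsByFunction',
]);
const GET_FUNCTION_THRESHOLD = 3; // more than this many GetFunction calls per principal

// Resolve the acting principal. Assumed-role sessions carry the role ARN under
// userIdentity.sessionContext.sessionIssuer; IAM users carry it in userIdentity.arn.
function principalOf(record) {
  const id = record.userIdentity || {};
  const issuer = id.sessionContext && id.sessionContext.sessionIssuer;
  if (issuer && issuer.arn) return issuer.arn;
  return id.arn || 'unknown';
}

function detectDumping(records, allowedS3Principals) {
  const lambdaCalls = new Map(); // principal -> { getFunction, events: Set }
  const findings = [];
  for (const r of records) {
    const p = principalOf(r);
    if (r.eventSource === 'lambda.amazonaws.com' && LAMBDA_DUMP_EVENTS.has(r.eventName)) {
      const s = lambdaCalls.get(p) || { getFunction: 0, events: new Set() };
      s.events.add(r.eventName);
      if (r.eventName === 'GetFunction') s.getFunction += 1;
      lambdaCalls.set(p, s);
    }
    // S3 data event: object read by a principal outside the expected set.
    if (r.eventSource === 's3.amazonaws.com' && r.eventName === 'GetObject' && !allowedS3Principals.has(p)) {
      const params = r.requestParameters || {};
      findings.push({ rule: 's3-unexpected-read', principal: p, bucket: params.bucketName, key: params.key, sourceIP: r.sourceIPAddress });
    }
  }
  // Enumeration followed by bulk code retrieval is the dump signature.
  for (const [p, s] of lambdaCalls) {
    if (s.events.has('ListFunctions') && s.getFunction > GET_FUNCTION_THRESHOLD) {
      findings.push({ rule: 'lambda-code-dump', principal: p, getFunctionCalls: s.getFunction });
    }
  }
  return findings;
}

// Constructed sample records (CloudTrail field names, fabricated values).
function sampleRecords() {
  const attacker = { type: 'IAMUser', arn: 'arn:aws:iam::111122223333:user/leaked-ci-user' };
  const deployRole = { type: 'AssumedRole', sessionContext: { sessionIssuer: { arn: 'arn:aws:iam::111122223333:role/deploy-role' } } };
  const mk = (name, source, who, extra = {}) => ({ eventName: name, eventSource: source, userIdentity: who, sourceIPAddress: '203.0.113.7', ...extra });
  const records = [mk('ListFunctions', 'lambda.amazonaws.com', attacker)];
  for (const fn of ['auth', 'billing', 'export', 'webhook']) {
    records.push(mk('GetFunction', 'lambda.amazonaws.com', attacker, { requestParameters: { functionName: fn } }));
  }
  records.push(mk('GetFunction', 'lambda.amazonaws.com', deployRole, { requestParameters: { functionName: 'auth' } }));
  records.push(mk('GetObject', 's3.amazonaws.com', attacker, { requestParameters: { bucketName: 'prod-lambda-artifacts', key: 'auth/config.json' } }));
  records.push(mk('GetObject', 's3.amazonaws.com', deployRole, { requestParameters: { bucketName: 'prod-lambda-artifacts', key: 'auth/config.json' } }));
  return records;
}

function runExample() {
  const allowed = new Set(['arn:aws:iam::111122223333:role/deploy-role']);
  return detectDumping(sampleRecords(), allowed);
}

module.exports = { detectDumping, principalOf, sampleRecords, runExample };
```

The deploy role reading the same object produces no finding because it is on the allowlist, and its single GetFunction stays under the threshold; the leaked CI user trips both rules.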
AWS CloudFormation Guard
Offensive infrastructure as code
REFERENCES
• https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
• https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/data-protection.html
• https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/
• https://blog.lightspin.io/aws-sagemaker-notebook-takeover-vulnerability
• https://aws.amazon.com/security/security-bulletins/AWS-2022-002/
• https://github.com/RhinoSecurityLabs/pacu/wiki
• https://owasp.org/www-project-serverless-top-10/

Jak (ne)hacknout Serverless aplikace (How (not) to hack serverless applications)
