This document discusses security considerations for serverless applications. It notes that while serverless applications avoid some security risks related to servers, they also introduce new risks related to application dependencies and access controls. It recommends practices like least privilege access, input/output sanitization, encryption of data at rest and in transit, monitoring for unusual activity, and deleting unused functions. The document emphasizes that people are often the weakest link and proper credentials management is important. It also discusses challenges like denial of service attacks and accidental exposure of functions or data.

1. Security in the Serverless World

2. Yan Cui
http://theburningmonk.com
@theburningmonk
Principal Engineer @

7. available in Austria, Switzerland, Germany,
Japan, Canada, Italy and US

8. available on 30+ platforms

9. ~1,000,000 concurrent viewers

10. We’re hiring! Visit
engineering.dazn.com
to learn more.
follow @dazneng for
updates about the
engineering team

11. follow @dazneng for
updates about the
engineering team
We’re hiring! Visit
engineering.dazn.com
to learn more.
WE’RE HIRING!

12. AWS user since 2009

13. http://bit.ly/yubl-serverless

14. Shared Responsibility Model

15. Shared Responsibility Model

16. protection from OS attacks
Amazon automatically apply latest patches to host VMs

19. still have to patch your code
vulnerable code, 3rd party dependencies, etc.

21. https://snyk.io/blog/owasp-top-10-breaches

22. https://snyk.io/blog/owasp-top-10-breaches
Known Vulnerable Components cause 24% of the top 50 data breaches

23. https://snyk.io/blog/77-percent-of-sites-use-vulnerable-js-libraries

28. http://bit.ly/2topw5I

29. sanitise inputs & outputs
(standardise and encapsulate into shared lib)

31. http://bit.ly/2gSHtay
Broken Access Control
Insecure Direct Object Reference
Information Leakage
GraphQL Injection

32. http://bit.ly/2uKhGXF

33. http://bit.ly/2uKhGXF

35. app dependencies
is a
attack surface
BIGGER
than you think

36. your dependencies

37. your dependencies
transient dependencies

38. https://david-dm.org/request/request?view=tree

40. https://snyk.io

41. security updates are often
bundled with unrelated
feature and API changes

42. your security is as strong
as its weakest link

43. OS
Application
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Networking
runs on
needs
Source Code
has
maintains

44. OS
Application
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Networking
needs
runs on this is where an attacker will
target in a movie
Source Code
has
maintains

47. OS
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Application
A9
Networking
runs on
needs
Source Code
has
maintains
A1, A3, …

48. people are often the WEAKEST link
in the security chain

50. OS
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Application
phishing…
Networking
runs on
needs
Source Code
has
maintains

51. OS
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Application
brute force, known
account leaks, …
Networking
runs on
needs
Source Code
has
maintains

52. OS
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Application
brute force, known
account leaks, …
Networking
runs on
needs
Source Code
has
maintains

53. http://bit.ly/2sFDwYX
…obtained publish access to 14% of npm packages…

54. http://bit.ly/2sFDwYX
debug, request, react, co, express, moment, gulp, mongoose, mysql, bower,
browserify, electron, jasmine, cheerio, modernizr, redux, …

55. http://bit.ly/2sFDwYX
total downloads/month of the unique packages which I got
myself publish access to was 1 972 421 945, that’s
20% of the total number of d/m directly.

56. 20% of all monthly NPM downloads…

57. brute force
known account leaks from other sources
leaked NPM credentials (github, etc.)

58. http://bit.ly/2sFDwYX

59. http://bit.ly/2sFDwYX
662 users had password “123456”
172 — “123”
124 — “password”

62. WTF!?!?

67. oh god, that was too easy…

70. compromised package is a
transient dependency
sigh…

71. still “works”…

74. npmjs.com/~hacktask

76. rm -rf / !!!

77. NPM default - get latest
“compatible” version, ie. 1.X.X

78. clean install (eg. on CI server) will
download the latest, compromised
package without any code change…
NPM default - get latest
“compatible” version, ie. 1.X.X

80. use npm shrinkwrap
or upgrade to NPM 5 or above

81. not specific to Node.js or NPM

82. the attackers are in…

83. the attackers are in…
what now?

84. Shared Responsibility Model

85. who can invoke the function?

86. what can the function access?

87. Least Privilege Principle

89. everything here
is trusted

91. sensitive data

92. http://bit.ly/2zHvbcB

93. always public
access is controlled via IAM

98. http://bit.ly/2lNInES

99. adds up to 10s to cold start!!
http://bit.ly/2lNInES

100. compromised servers allow
attacker to access all of
your sensitive data!

101. implement authentication
for internal APIs

103. always public
implement authentication with
API keys, Cognito, or custom
authorizer functions

104. use AWS_IAM
authentication for
internal APIs

106. minimise function’s access

110. requires developer discipline

114. AWS Lambda
docs
Write your Lambda function
code in a stateless style, and
ensure there is no affinity
between your code and the
underlying compute
infrastructure.
http://amzn.to/2jzLmkb

115. S3
AWS IoT
DynamoDB
RDS
EventStore
Elasticsearch Couchbase
Redshift
Neo4j
Google BigQuery

116. secure sensitive data both
at rest and in-transit

117. leverage server-side encryption

118. http://amzn.to/1N3Twb8

119. http://amzn.to/1xF41eX

120. http://amzn.to/2tgvFR2

121. Least Privilege Principle

122. Disposability is a virtue

123. AWS Lambda
docs
Delete old Lambda functions that
you are no longer using.
http://amzn.to/2jzLmkb

124. easier said than done…

125. identifying component
ownership in a big IT
organization is challenging

126. identifying ownership of
individual functions is
much harder

127. source: http://www.digitalattackmap.com

128. more likely to scale through
DoS attacks

129. DoS + per exec billing =
Denial of Wallet problem

130. have to choose between a
DoS and a DoW problem…

132. AWS Shield Advanced also gives you access to the AWS DDoS
Response Team (DRT) and protection against DDoS related
spikes in your ELB, CloudFront or Route 53 charges.

133. async sync
S3
SNS
SES
CloudFormation
CloudWatch Logs
CloudWatch Events
Scheduled Events
CodeCommit
AWS Config
http://amzn.to/2vs2lIg
Cognito
Alexa
Lex
API Gateway
streams
DynamoDB Stream
Kinesis Stream
Lambda handles retries
(twice, then DLQ)

134. http://bit.ly/2v7F2E4

135. DoS attack
2+ Retries+
?

136. DoS attack
Regex DoS attack
long Lambda timeout
2+ Retries+
?

138. Day 1

139. Day 2

141. no long-lived compromised servers

142. containers are reused, avoid
sensitive data in /tmp

143. https://www.puresec.io/function-shield

147. no accidentally exposed directories

151. http://bit.ly/2tlGTbc

152. monitor activities in
unused regions using
CloudWatch Events

154. set up billing alarms in unused regions

155. watertight compartments that can contain water in
the case of hull breach or other leaks

156. Michael Nygard

157. least privilege principle

158. per function policies

159. account level isolation

160. Recap

161. app dependencies
is a
attack surface
BIGGER
than you think

163. sanitise inputs and outputs

164. Least Privilege Principle

165. here’s your per function policy
NEXT!

166. S3
AWS IoT
DynamoDB
RDS
EventStore
Elasticsearch Couchbase
Redshift
Neo4j
Google BigQuery
encrypt data at rest

167. S3
AWS IoT
DynamoDB
RDS
EventStore
Elasticsearch Couchbase
Redshift
Neo4j
Google BigQuery
and in-transit

168. delete unused functions.

169. DoS DoW*
* Denial of Wallet

173. no server*
no OS attacks
no long lived compromised servers
* I know I know, there’s still a server somewhere, but it’s managed and secured by AWS engineers who can do a much better job of it
than most of us can; and the servers are ephemeral and short-lived

174. don’t be an unwilling bit miner

175. don’t be an unwilling bit miner
safeguard your credentials…

176. prod dev
compartmentalise breaches

177. people are often the WEAKEST link
in the security chain

178. @theburningmonk
theburningmonk.com
github.com/theburningmonk

179. API Gateway and Kinesis
Authentication & authorisation (IAM, Cognito)
Testing
Running & Debugging functions locally
Log aggregation
Monitoring & Alerting
X-Ray
Correlation IDs
CI/CD
Performance and Cost optimisation
Error Handling
Configuration management
VPC
Security
Leading practices (API Gateway, Kinesis, Lambda)
Canary deployments
http://bit.ly/prod-ready-serverless
get 40% off
with: ytcui