The document discusses the security challenges and risks associated with serverless architecture, particularly focusing on AWS Lambda. It highlights the importance of understanding the shared responsibility model, securing code and dependencies, and implementing the least privilege principle for function access. The author emphasizes the need for vigilance against vulnerabilities introduced by third-party packages and the human element in security breaches.

1. the Many-Faced Threats
to the serverlessworld

2. hi,I’mYanCui

7. AWS user since 2009

10. apr, 2016

11. nov, 2016

12. recording: https://www.youtube.com/watch?v=s4L5wjFlFzA
slides: http://bit.ly/2tHYFAM
blog posts: http://theburningmonk.com/yubls-road-to-serverless-architecture

13. Lambda is PCI DSS compliant!
https://aws.amazon.com/compliance/services-in-scope

14. Shared Responsibility Model

15. Shared Responsibility Model

16. protection from OS attacks
Amazon automatically apply latest patches to host VMs

18. still have to patch your code
vulnerable code, 3rd party dependencies, etc.

21. https://snyk.io/blog/owasp-top-10-breaches

22. https://snyk.io/blog/owasp-top-10-breaches
Known Vulnerable Components cause 24% of the top
50 data breaches in 2016

23. https://snyk.io/blog/77-percent-of-sites-use-vulnerable-js-libraries

28. http://bit.ly/2topw5I

29. sanitise inputs & outputs
(standardise and encapsulate into shared lib)

31. http://bit.ly/2gSHtay
Broken Access Control
Insecure Direct Object Reference
Information Leakage
GraphQL Injection

32. http://bit.ly/2uKhGXF

33. http://bit.ly/2uKhGXF

34. app dependency is a
large attack surface

35. further compounded by
transient dependencies

36. https://david-dm.org/request/request?view=tree

37. https://snyk.io

38. security updates are often
bundled with unrelated
feature and API changes

39. your security is as strong
as its weakest link

40. OS
Application
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Networking
runs on
needs
Source Code
has
maintains

41. OS
Application
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Networking
needs
runs on this is where an attacker will
target in a movie
Source Code
has
maintains

44. OS
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Application
A9
Networking
runs on
needs
Source Code
has
maintains
A1, A3, …

45. people are often the WEAKEST link
in the security chain

47. OS
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Application
phishing…
Networking
runs on
needs
Source Code
has
maintains

48. OS
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Application
brute force, known
account leaks, …
Networking
runs on
needs
Source Code
has
maintains

49. OS
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Application
brute force, known
account leaks, …
Networking
runs on
needs
Source Code
has
maintains

50. http://bit.ly/2sFDwYX
…obtained publish access to 14% of npm packages…

51. http://bit.ly/2sFDwYX
debug, request, react, co, express, moment, gulp, mongoose, mysql, bower,
browserify, electron, jasmine, cheerio, modernizr, redux, …

52. http://bit.ly/2sFDwYX
total downloads/month of the unique packages
which I got myself publish access to was 1 972 421
945, that's 20% of the total number of d/m directly.

53. 20% of all monthly NPM downloads…

54. brute force
known account leaks from other sources
leaked NPM credentials (github, etc.)

55. http://bit.ly/2sFDwYX

56. http://bit.ly/2sFDwYX
662 users had password “123456”
172 — “123”
124 — “password”

59. WTF!?!?

62. oh god, that was too easy…

65. compromised package is a
transient dependency
sigh…

66. still “works”…

68. NPM default - get latest
“compatible” version, ie. 1.X.X

69. clean install (eg. on CI server) will
download the latest, compromised
package without any code change…
NPM default - get latest
“compatible” version, ie. 1.X.X

71. use npm shrinkwrap
or upgrade to NPM 5

72. imagine…

73. not specific to Node.js or NPM

75. Shared Responsibility Model

76. who can invoke the function?

77. what can the function access?

78. Least Privilege Principle

79. don’t leave insecure Lambda
functions in VPC

80. per function policy

83. requires developer discipline
(which means no one would do it)

84. IAM policies not versioned
with Lambda functions

85. better in Serverless 1.X

86. AWS Lambda
docs
Write your Lambda function
code in a stateless style, and
ensure there is no affinity
between your code and the
underlying compute
infrastructure.
http://amzn.to/2jzLmkb

87. S3
AWS IoT
DynamoDB
RDS
EventStore
Elasticsearch Couchbase
Redshift
Neo4j
Google BigQuery

88. secure sensitive data both
at rest and in-transit

89. leverage server-side encryption

90. http://amzn.to/1N3Twb8

91. http://amzn.to/1xF41eX

92. http://amzn.to/2tgvFR2

93. use API key or IAM roles to
protect internal APIs

96. Minimise function’s access

97. Least Privilege Principle

98. Disposability is a virtue

99. AWS Lambda
docs
Delete old Lambda functions that
you are no longer using.
http://amzn.to/2jzLmkb

100. easier said than done…

101. identifying component
ownership in a big IT
organization is challenging

102. identifying ownership of
individual functions is
much harder

103. source: http://www.digitalattackmap.com

104. more likely to scale through
DoS attacks

105. DoS + per exec billing =
Denial of Wallet problem

106. have to choose between a
DoS and a DoW problem…

108. AWS Shield Advanced also gives you access to the AWS
DDoS Response Team (DRT) and protection against DDoS
related spikes in your ELB, CloudFront or Route 53 charges.

109. async sync
S3
SNS
SES
CloudFormation
CloudWatch Logs
CloudWatch Events
Scheduled Events
CodeCommit
AWS Config
http://amzn.to/2vs2lIg
Cognito
Alexa
Lex
API Gateway
streams
DynamoDB Stream
Kinesis Stream
Lambda handles retries
(twice, then DLQ)

110. http://bit.ly/2v7F2E4

111. DoS attack
2+ Retries+
?

112. DoS attack
Regex DoS attack
long Lambda timeout
2+ Retries+
?

114. Day 1

115. Day 2

117. no long-lived
compromised servers

118. containers are reused, avoid
sensitive data in /tmp

121. no accidentally exposed
directories

125. http://bit.ly/2tlGTbc

126. monitor activities in
unused regions using
CloudWatch Events

128. set up billing alarms in
unused regions

129. watertight compartments that can contain water in
the case of hull breach or other leaks

130. Michael Nygard

132. Least Privilege Principle

133. per function policies

134. account level isolation

135. Recap

136. App dependencies is a much BIGGER attack
surface than you probably realise

138. sanitise inputs and outputs

139. Least Privilege Principle

140. here’s your per function policy
NEXT!

141. S3
AWS IoT
DynamoDB
RDS
EventStore
Elasticsearch Couchbase
Redshift
Neo4j
Google BigQuery
encrypt data at rest

142. S3
AWS IoT
DynamoDB
RDS
EventStore
Elasticsearch Couchbase
Redshift
Neo4j
Google BigQuery
and in-transit

143. delete unused functions.

144. DoS DoW*
* Denial of Wallet

148. no server*
no OS attacks
no long lived compromised servers
* I know I know, there’s still a server somewhere, but it’s managed and secured by AWS engineers who can do a much better
job of it than most of us can; and the servers are ephemeral and short-lived

149. don’t be an unwilling bit miner

150. don’t be an unwilling bit miner
safeguard your credentials…

151. prod dev
compartmentalise breaches

152. people are often the WEAKEST link
in the security chain

153. @theburningmonk
theburningmonk.com
github.com/theburningmonk

154. sign up here: http://bit.ly/2xCwJEe