
Security in serverless world

AWS has taken over the responsibilities of patching the OS and securing the underlying physical infrastructure that runs your serverless application, so what's left for you to secure? Quite a bit, it turns out.

  1. the Many-Faced Threats to the serverless world
  2. hi, I’m Yan Cui
  3. AWS user since 2009
  4. apr, 2016
  5. nov, 2016
  6. recording: https://www.youtube.com/watch?v=s4L5wjFlFzA slides: http://bit.ly/2tHYFAM blog posts: http://theburningmonk.com/yubls-road-to-serverless-architecture
  7. Lambda is PCI DSS compliant! https://aws.amazon.com/compliance/services-in-scope
  8. Shared Responsibility Model
  9. Shared Responsibility Model
  10. protection from OS attacks: Amazon automatically applies the latest patches to host VMs
  11. still have to patch your code: vulnerable code, 3rd party dependencies, etc.
  12. https://snyk.io/blog/owasp-top-10-breaches
  13. https://snyk.io/blog/owasp-top-10-breaches Known Vulnerable Components caused 24% of the top 50 data breaches in 2016
  14. https://snyk.io/blog/77-percent-of-sites-use-vulnerable-js-libraries
  15. http://bit.ly/2topw5I
  16. sanitise inputs & outputs (standardise and encapsulate into a shared lib)
  17. http://bit.ly/2gSHtay Broken Access Control, Insecure Direct Object Reference, Information Leakage, GraphQL Injection
  18. http://bit.ly/2uKhGXF
  19. http://bit.ly/2uKhGXF
  20. app dependencies are a large attack surface
  21. further compounded by transitive dependencies
  22. https://david-dm.org/request/request?view=tree
  23. https://snyk.io
  24. security updates are often bundled with unrelated feature and API changes
  25. your security is as strong as its weakest link
  26. [diagram of the chain the application depends on: Users, Application, Source Code, Developers, Dependencies, NPM, Authors, Container, OS, physical infrastructure, Networking]
  27. [same diagram, annotated: “this is where an attacker will target in a movie”]
  28. [same diagram, annotated with OWASP Top 10 categories: A9; A1, A3, …]
  29. people are often the WEAKEST link in the security chain
  30. [same diagram, annotated: “phishing…”]
  31. [same diagram, annotated: “brute force, known account leaks, …”]
  32. [same diagram, annotated: “brute force, known account leaks, …”]
  33. http://bit.ly/2sFDwYX “…obtained publish access to 14% of npm packages…”
  34. http://bit.ly/2sFDwYX debug, request, react, co, express, moment, gulp, mongoose, mysql, bower, browserify, electron, jasmine, cheerio, modernizr, redux, …
  35. http://bit.ly/2sFDwYX “total downloads/month of the unique packages which I got myself publish access to was 1 972 421 945, that's 20% of the total number of d/m directly.”
  36. 20% of all monthly NPM downloads…
  37. brute force; known account leaks from other sources; leaked NPM credentials (github, etc.)
  38. http://bit.ly/2sFDwYX
  39. http://bit.ly/2sFDwYX 662 users had password “123456”; 172 had “123”; 124 had “password”
  40. WTF!?!?
  41. oh god, that was too easy…
  42. compromised package is a transitive dependency, sigh…
  43. still “works”…
  44. NPM default: get the latest “compatible” version, i.e. 1.X.X
  45. clean install (e.g. on a CI server) will download the latest, compromised package without any code change…
  46. use npm shrinkwrap or upgrade to NPM 5
  47. imagine…
  48. not specific to Node.js or NPM
  49. Shared Responsibility Model
  50. who can invoke the function?
  51. what can the function access?
  52. Least Privilege Principle
  53. don’t leave insecure Lambda functions in VPC
  54. per function policy
  55. requires developer discipline (which means no one would do it)
  56. IAM policies not versioned with Lambda functions
  57. better in Serverless 1.X
  58. AWS Lambda docs: “Write your Lambda function code in a stateless style, and ensure there is no affinity between your code and the underlying compute infrastructure.” http://amzn.to/2jzLmkb
  59. S3, AWS IoT, DynamoDB, RDS, EventStore, Elasticsearch, Couchbase, Redshift, Neo4j, Google BigQuery
  60. secure sensitive data both at rest and in transit
  61. leverage server-side encryption
  62. http://amzn.to/1N3Twb8
  63. http://amzn.to/1xF41eX
  64. http://amzn.to/2tgvFR2
  65. use API keys or IAM roles to protect internal APIs
  66. minimise the function’s access
  67. Least Privilege Principle
  68. Disposability is a virtue
  69. AWS Lambda docs: “Delete old Lambda functions that you are no longer using.” http://amzn.to/2jzLmkb
  70. easier said than done…
  71. identifying component ownership in a big IT organization is challenging
  72. identifying ownership of individual functions is much harder
  73. source: http://www.digitalattackmap.com
  74. more likely to scale through DoS attacks
  75. DoS + per-exec billing = Denial of Wallet problem
  76. have to choose between a DoS and a DoW problem…
  77. AWS Shield Advanced also gives you access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your ELB, CloudFront or Route 53 charges.
  78. event sources (http://amzn.to/2vs2lIg): async: S3, SNS, SES, CloudFormation, CloudWatch Logs, CloudWatch Events, Scheduled Events, CodeCommit, AWS Config; sync: Cognito, Alexa, Lex, API Gateway; streams: DynamoDB Stream, Kinesis Stream. Lambda handles retries (twice, then DLQ)
  79. http://bit.ly/2v7F2E4
  80. DoS attack + 2+ retries + ?
  81. DoS attack + Regex DoS attack + long Lambda timeout + 2+ retries + ?
  82. Day 1
  83. Day 2
  84. no long-lived compromised servers
  85. containers are reused, avoid sensitive data in /tmp
  86. no accidentally exposed directories
  87. http://bit.ly/2tlGTbc
  88. monitor activities in unused regions using CloudWatch Events
  89. set up billing alarms in unused regions
  90. “watertight compartments that can contain water in the case of hull breach or other leaks”
  91. Michael Nygard
  92. Least Privilege Principle
  93. per function policies
  94. account level isolation
  95. Recap
  96. app dependencies are a much BIGGER attack surface than you probably realise
  97. sanitise inputs and outputs
  98. Least Privilege Principle
  99. here’s your per function policy NEXT!
  100. S3, AWS IoT, DynamoDB, RDS, EventStore, Elasticsearch, Couchbase, Redshift, Neo4j, Google BigQuery: encrypt data at rest
  101. S3, AWS IoT, DynamoDB, RDS, EventStore, Elasticsearch, Couchbase, Redshift, Neo4j, Google BigQuery: and in transit
  102. delete unused functions.
  103. DoS → DoW* (* Denial of Wallet)
  104. no server*, no OS attacks, no long-lived compromised servers (* I know I know, there’s still a server somewhere, but it’s managed and secured by AWS engineers who can do a much better job of it than most of us can; and the servers are ephemeral and short-lived)
  105. don’t be an unwilling bit miner
  106. don’t be an unwilling bit miner: safeguard your credentials…
  107. compartmentalise breaches: prod / dev
  108. people are often the WEAKEST link in the security chain
  109. @theburningmonk theburningmonk.com github.com/theburningmonk
  110. sign up here: http://bit.ly/2xCwJEe
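Slides 44 to 46 make the point that npm's default range resolves the latest “compatible” version, so a clean install on a CI server can pull in a newly published (and possibly compromised) release with no change to your own code, and that a lockfile (npm shrinkwrap, or package-lock.json from npm 5) is the fix. The following is an added example, not code from the talk or from npm: a small Node.js script that audits a package.json for floating version ranges and checks whether a lockfile is present. The package.json content and the file list are constructed samples, and it goes slightly beyond the slide by covering tilde, x-range, `*`, dist-tag and open-ended ranges as well as the caret default.

```javascript
// Added example (not from the talk or from npm): audit package.json for
// dependency ranges that npm may resolve to a newer version on a clean install.
// npm's default is a caret range such as "^1.2.3", which allows any 1.x.x, so a
// newly published (possibly compromised) 1.x.x release is installed with no
// change to your own code. A lockfile (npm-shrinkwrap.json, or package-lock.json
// from npm 5) pins the whole tree, transitive dependencies included.

// Constructed sample: the dependencies of a hypothetical service.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-service',
  dependencies: {
    request: '^2.81.0',     // caret (npm default): any 2.x.x >= 2.81.0
    debug: '~2.6.8',        // tilde: any 2.6.x >= 2.6.8
    moment: '2.18.1',       // exact version
    lodash: '*',            // any version at all
    express: 'latest',      // dist-tag: whatever is newest at install time
    co: '4.x',              // x-range: any 4.x.x
    'left-pad': '=1.1.3',   // exact version with explicit '='
  },
  devDependencies: {
    mocha: '>=3.0.0',       // open-ended range
  },
};

// An exact version: MAJOR.MINOR.PATCH, optional prerelease and build metadata,
// optional leading '='.
const EXACT_VERSION = /^=?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isPinned(range) {
  return EXACT_VERSION.test(String(range).trim());
}

// Every dependency whose range lets npm choose a different version later.
function findFloatingDependencies(pkg) {
  const floating = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (!isPinned(range)) floating.push({ section, name, range });
    }
  }
  return floating;
}

// `files` is the list of names in the project root, passed in rather than read
// from disk so the example runs anywhere.
function hasLockfile(files) {
  return files.includes('npm-shrinkwrap.json') || files.includes('package-lock.json');
}

function auditProject(pkg, files) {
  const floating = findFloatingDependencies(pkg);
  const locked = hasLockfile(files);
  return {
    floating,
    hasLockfile: locked,
    // Pinning top-level ranges is not enough: without a lockfile every
    // transitive dependency still floats, so only the lockfile makes a clean
    // install reproducible.
    reproducible: locked,
    advice: locked
      ? (floating.length ? 'lockfile pins installs; review floating ranges before running npm update' : 'ok')
      : 'add npm-shrinkwrap.json (or upgrade to npm 5 for package-lock.json) and commit it',
  };
}

console.log(JSON.stringify(auditProject(SAMPLE_PACKAGE_JSON, ['package.json', 'index.js']), null, 2));
```

Run it as a CI step against the real package.json and directory listing: the check that matters most is `hasLockfile`, because a pinned top-level range still says nothing about the transitive dependencies underneath it.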

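Slides 50 to 57 and 92 to 94 argue for a per-function IAM policy under the Least Privilege Principle, and note that this requires discipline because the policy is not versioned with the function. The following is an added example, not from the talk and not an AWS tool: a JavaScript linter that takes an IAM policy document and flags Allow statements with wildcard actions or wildcard resources, run against a constructed shared policy and a constructed per-function policy. The account id, table name and log group ARNs are placeholders.

```javascript
// Added example (not from the talk, not an AWS tool): lint the IAM policy a
// Lambda function runs with, flagging Allow statements that grant more than a
// single function should have. Both policy documents below are constructed;
// the account id, table and log group ARNs are placeholders.

// The shared, everything-allowed policy that tends to get attached to every
// function when nobody maintains per-function policies.
const SHARED_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 'dynamodb:*', Resource: '*' },
    { Effect: 'Allow', Action: ['s3:*'], Resource: 'arn:aws:s3:::*' },
    {
      Effect: 'Allow',
      Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
      Resource: '*',
    },
  ],
};

// A per-function policy for a hypothetical create-order function: only the two
// DynamoDB calls it makes, on one table, plus its own log group.
const PER_FUNCTION_POLICY = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['dynamodb:GetItem', 'dynamodb:PutItem'],
      Resource: 'arn:aws:dynamodb:us-east-1:123456789012:table/orders',
    },
    {
      Effect: 'Allow',
      Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
      Resource: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/create-order:*',
    },
  ],
};

// IAM allows a single string or an array in Statement, Action and Resource.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// True when the resource is "*" or an ARN whose resource part is just "*"
// (e.g. arn:aws:s3:::*). A trailing wildcard inside a scoped resource, such as
// the log streams of one log group, is left alone.
function isWildcardResource(resource) {
  if (resource === '*') return true;
  const parts = resource.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') return false;
  return parts.slice(5).join(':') === '*';
}

// One finding per over-broad action or resource in an Allow statement.
function lintPolicy(doc) {
  const findings = [];
  asList(doc.Statement).forEach((st, index) => {
    if (st.Effect !== 'Allow') return; // Deny statements only narrow access
    for (const action of asList(st.Action)) {
      if (action === '*') {
        findings.push({ statement: index, issue: 'all actions on all services', value: action });
      } else if (action.endsWith('*')) {
        findings.push({ statement: index, issue: 'wildcard action', value: action });
      }
    }
    for (const resource of asList(st.Resource)) {
      if (isWildcardResource(resource)) {
        findings.push({ statement: index, issue: 'wildcard resource', value: resource });
      }
    }
  });
  return findings;
}

// Some actions genuinely accept only Resource "*" (they have no resource-level
// permissions), so a wildcard-resource finding is a review item, not always a bug.
function isLeastPrivilege(doc) {
  return lintPolicy(doc).length === 0;
}

console.log('shared policy findings:', lintPolicy(SHARED_POLICY));
console.log('per-function policy is least privilege:', isLeastPrivilege(PER_FUNCTION_POLICY));
```

Because the policy lives next to the function definition in a Serverless 1.x project, a check like this can run in CI on the generated policy documents, which is how the “requires developer discipline” problem on slide 55 gets turned into a failing build rather than a code-review reminder.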