Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
the Many-Faced Threats
to the serverlessworld
hi,I’mYanCui
AWS user since 2009
apr, 2016
nov, 2016
recording: https://www.youtube.com/watch?v=s4L5wjFlFzA
slides: http://bit.ly/2tHYFAM
blog posts: http://theburningmonk.com...
Lambda is PCI DSS compliant!
https://aws.amazon.com/compliance/services-in-scope
Shared Responsibility Model
Shared Responsibility Model
protection from OS attacks
Amazon automatically apply latest patches to host VMs
still have to patch your code
vulnerable code, 3rd party dependencies, etc.
https://snyk.io/blog/owasp-top-10-breaches
https://snyk.io/blog/owasp-top-10-breaches
Known Vulnerable Components cause 24% of the top
50 data breaches in 2016
https://snyk.io/blog/77-percent-of-sites-use-vulnerable-js-libraries
http://bit.ly/2topw5I
sanitise inputs & outputs
(standardise and encapsulate into shared lib)
http://bit.ly/2gSHtay
Broken Access Control
Insecure Direct Object Reference
Information Leakage
GraphQL Injection
http://bit.ly/2uKhGXF
http://bit.ly/2uKhGXF
app dependency is a
large attack surface
further compounded by
transient dependencies
https://david-dm.org/request/request?view=tree
https://snyk.io
security updates are often
bundled with unrelated
feature and API changes
your security is as strong
as its weakest link
OS
Application
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published ...
OS
Application
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published ...
OS
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to...
people are often the WEAKEST link
in the security chain
OS
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to...
OS
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to...
OS
Dependencies
physical
infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to...
http://bit.ly/2sFDwYX
…obtained publish access to 14% of npm packages…
http://bit.ly/2sFDwYX
debug, request, react, co, express, moment, gulp, mongoose, mysql, bower,
browserify, electron, jasm...
http://bit.ly/2sFDwYX
total downloads/month of the unique packages
which I got myself publish access to was 1 972 421
945,...
20% of all monthly NPM downloads…
brute force
known account leaks from other sources
leaked NPM credentials (github, etc.)
http://bit.ly/2sFDwYX
http://bit.ly/2sFDwYX
662 users had password “123456”
172 — “123”
124 — “password”
WTF!?!?
oh god, that was too easy…
compromised package is a
transient dependency
sigh…
still “works”…
NPM default - get latest
“compatible” version, ie. 1.X.X
clean install (eg. on CI server) will
download the latest, compromised
package without any code change…
NPM default - get ...
use npm shrinkwrap
or upgrade to NPM 5
imagine…
not specific to Node.js or NPM
Shared Responsibility Model
who can invoke the function?
what can the function access?
Least Privilege Principle
don’t leave insecure Lambda
functions in VPC
per function policy
requires developer discipline
(which means no one would do it)
IAM policies not versioned
with Lambda functions
better in Serverless 1.X
AWS Lambda
docs
Write your Lambda function
code in a stateless style, and
ensure there is no affinity
between your code an...
S3
AWS IoT
DynamoDB
RDS
EventStore
Elasticsearch Couchbase
Redshift
Neo4j
Google BigQuery
secure sensitive data both
at rest and in-transit
leverage server-side encryption
http://amzn.to/1N3Twb8
http://amzn.to/1xF41eX
http://amzn.to/2tgvFR2
use API key or IAM roles to
protect internal APIs
Minimise function’s access
Least Privilege Principle
Disposability is a virtue
AWS Lambda
docs
Delete old Lambda functions that
you are no longer using.
http://amzn.to/2jzLmkb
easier said than done…
identifying component
ownership in a big IT
organization is challenging
identifying ownership of
individual functions is
much harder
source: http://www.digitalattackmap.com
more likely to scale through
DoS attacks
DoS + per exec billing =
Denial of Wallet problem
have to choose between a
DoS and a DoW problem…
AWS Shield Advanced also gives you access to the AWS
DDoS Response Team (DRT) and protection against DDoS
related spikes i...
async sync
S3
SNS
SES
CloudFormation
CloudWatch Logs
CloudWatch Events
Scheduled Events
CodeCommit
AWS Config
http://amzn.t...
http://bit.ly/2v7F2E4
DoS attack
2+ Retries+
?
DoS attack
Regex DoS attack
long Lambda timeout
2+ Retries+
?
Day 1
Day 2
no long-lived
compromised servers
containers are reused, avoid
sensitive data in /tmp
no accidentally exposed
directories
http://bit.ly/2tlGTbc
monitor activities in
unused regions using
CloudWatch Events
set up billing alarms in
unused regions
watertight compartments that can contain water in
the case of hull breach or other leaks
Michael Nygard
Least Privilege Principle
per function policies
account level isolation
Recap
App dependencies is a much BIGGER attack
surface than you probably realise
sanitise inputs and outputs
Least Privilege Principle
here’s your per function policy
NEXT!
S3
AWS IoT
DynamoDB
RDS
EventStore
Elasticsearch Couchbase
Redshift
Neo4j
Google BigQuery
encrypt data at rest
S3
AWS IoT
DynamoDB
RDS
EventStore
Elasticsearch Couchbase
Redshift
Neo4j
Google BigQuery
and in-transit
delete unused functions.
DoS DoW*
* Denial of Wallet
no server*
no OS attacks
no long lived compromised servers
* I know I know, there’s still a server somewhere, but it’s man...
don’t be an unwilling bit miner
don’t be an unwilling bit miner
safeguard your credentials…
prod dev
compartmentalise breaches
people are often the WEAKEST link
in the security chain
@theburningmonk
theburningmonk.com
github.com/theburningmonk
sign up here: http://bit.ly/2xCwJEe
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Security in serverless world
Upcoming SlideShare
Loading in …5
×

Security in serverless world

2,503 views

Published on

AWS has taken over the responsibilities of patching the OS and securing the underlying physical infrastructure that runs your serverless application, so what's left for you to secure? Quite a bit it turns out.

Published in: Technology

Security in serverless world

  1. 1. the Many-Faced Threats to the serverlessworld
  2. 2. hi,I’mYanCui
  3. 3. AWS user since 2009
  4. 4. apr, 2016
  5. 5. nov, 2016
  6. 6. recording: https://www.youtube.com/watch?v=s4L5wjFlFzA slides: http://bit.ly/2tHYFAM blog posts: http://theburningmonk.com/yubls-road-to-serverless-architecture
  7. 7. Lambda is PCI DSS compliant! https://aws.amazon.com/compliance/services-in-scope
  8. 8. Shared Responsibility Model
  9. 9. Shared Responsibility Model
  10. 10. protection from OS attacks Amazon automatically apply latest patches to host VMs
  11. 11. still have to patch your code vulnerable code, 3rd party dependencies, etc.
  12. 12. https://snyk.io/blog/owasp-top-10-breaches
  13. 13. https://snyk.io/blog/owasp-top-10-breaches Known Vulnerable Components cause 24% of the top 50 data breaches in 2016
  14. 14. https://snyk.io/blog/77-percent-of-sites-use-vulnerable-js-libraries
  15. 15. http://bit.ly/2topw5I
  16. 16. sanitise inputs & outputs (standardise and encapsulate into shared lib)
  17. 17. http://bit.ly/2gSHtay Broken Access Control Insecure Direct Object Reference Information Leakage GraphQL Injection
  18. 18. http://bit.ly/2uKhGXF
  19. 19. http://bit.ly/2uKhGXF
  20. 20. app dependency is a large attack surface
  21. 21. further compounded by transient dependencies
  22. 22. https://david-dm.org/request/request?view=tree
  23. 23. https://snyk.io
  24. 24. security updates are often bundled with unrelated feature and API changes
  25. 25. your security is as strong as its weakest link
  26. 26. OS Application Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Networking runs on needs Source Code has maintains
  27. 27. OS Application Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Networking needs runs on this is where an attacker will target in a movie Source Code has maintains
  28. 28. OS Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Application A9 Networking runs on needs Source Code has maintains A1, A3, …
  29. 29. people are often the WEAKEST link in the security chain
  30. 30. OS Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Application phishing… Networking runs on needs Source Code has maintains
  31. 31. OS Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Application brute force, known account leaks, … Networking runs on needs Source Code has maintains
  32. 32. OS Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Application brute force, known account leaks, … Networking runs on needs Source Code has maintains
  33. 33. http://bit.ly/2sFDwYX …obtained publish access to 14% of npm packages…
  34. 34. http://bit.ly/2sFDwYX debug, request, react, co, express, moment, gulp, mongoose, mysql, bower, browserify, electron, jasmine, cheerio, modernizr, redux, …
  35. 35. http://bit.ly/2sFDwYX total downloads/month of the unique packages which I got myself publish access to was 1 972 421 945, that's 20% of the total number of d/m directly.
  36. 36. 20% of all monthly NPM downloads…
  37. 37. brute force known account leaks from other sources leaked NPM credentials (github, etc.)
  38. 38. http://bit.ly/2sFDwYX
  39. 39. http://bit.ly/2sFDwYX 662 users had password “123456” 172 — “123” 124 — “password”
  40. 40. WTF!?!?
  41. 41. oh god, that was too easy…
  42. 42. compromised package is a transient dependency sigh…
  43. 43. still “works”…
  44. 44. NPM default - get latest “compatible” version, ie. 1.X.X
  45. 45. clean install (eg. on CI server) will download the latest, compromised package without any code change… NPM default - get latest “compatible” version, ie. 1.X.X
  46. 46. use npm shrinkwrap or upgrade to NPM 5
  47. 47. imagine…
  48. 48. not specific to Node.js or NPM
  49. 49. Shared Responsibility Model
  50. 50. who can invoke the function?
  51. 51. what can the function access?
  52. 52. Least Privilege Principle
  53. 53. don’t leave insecure Lambda functions in VPC
  54. 54. per function policy
  55. 55. requires developer discipline (which means no one would do it)
  56. 56. IAM policies not versioned with Lambda functions
  57. 57. better in Serverless 1.X
  58. 58. AWS Lambda docs Write your Lambda function code in a stateless style, and ensure there is no affinity between your code and the underlying compute infrastructure. http://amzn.to/2jzLmkb
  59. 59. S3 AWS IoT DynamoDB RDS EventStore Elasticsearch Couchbase Redshift Neo4j Google BigQuery
  60. 60. secure sensitive data both at rest and in-transit
  61. 61. leverage server-side encryption
  62. 62. http://amzn.to/1N3Twb8
  63. 63. http://amzn.to/1xF41eX
  64. 64. http://amzn.to/2tgvFR2
  65. 65. use API key or IAM roles to protect internal APIs
  66. 66. Minimise function’s access
  67. 67. Least Privilege Principle
  68. 68. Disposability is a virtue
  69. 69. AWS Lambda docs Delete old Lambda functions that you are no longer using. http://amzn.to/2jzLmkb
  70. 70. easier said than done…
  71. 71. identifying component ownership in a big IT organization is challenging
  72. 72. identifying ownership of individual functions is much harder
  73. 73. source: http://www.digitalattackmap.com
  74. 74. more likely to scale through DoS attacks
  75. 75. DoS + per exec billing = Denial of Wallet problem
  76. 76. have to choose between a DoS and a DoW problem…
  77. 77. AWS Shield Advanced also gives you access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your ELB, CloudFront or Route 53 charges.
  78. 78. async sync S3 SNS SES CloudFormation CloudWatch Logs CloudWatch Events Scheduled Events CodeCommit AWS Config http://amzn.to/2vs2lIg Cognito Alexa Lex API Gateway streams DynamoDB Stream Kinesis Stream Lambda handles retries (twice, then DLQ)
  79. 79. http://bit.ly/2v7F2E4
  80. 80. DoS attack 2+ Retries+ ?
  81. 81. DoS attack Regex DoS attack long Lambda timeout 2+ Retries+ ?
  82. 82. Day 1
  83. 83. Day 2
  84. 84. no long-lived compromised servers
  85. 85. containers are reused, avoid sensitive data in /tmp
  86. 86. no accidentally exposed directories
  87. 87. http://bit.ly/2tlGTbc
  88. 88. monitor activities in unused regions using CloudWatch Events
  89. 89. set up billing alarms in unused regions
  90. 90. watertight compartments that can contain water in the case of hull breach or other leaks
  91. 91. Michael Nygard
  92. 92. Least Privilege Principle
  93. 93. per function policies
  94. 94. account level isolation
  95. 95. Recap
  96. 96. App dependencies is a much BIGGER attack surface than you probably realise
  97. 97. sanitise inputs and outputs
  98. 98. Least Privilege Principle
  99. 99. here’s your per function policy NEXT!
  100. 100. S3 AWS IoT DynamoDB RDS EventStore Elasticsearch Couchbase Redshift Neo4j Google BigQuery encrypt data at rest
  101. 101. S3 AWS IoT DynamoDB RDS EventStore Elasticsearch Couchbase Redshift Neo4j Google BigQuery and in-transit
  102. 102. delete unused functions.
  103. 103. DoS DoW* * Denial of Wallet
  104. 104. no server* no OS attacks no long lived compromised servers * I know I know, there’s still a server somewhere, but it’s managed and secured by AWS engineers who can do a much better job of it than most of us can; and the servers are ephemeral and short-lived
  105. 105. don’t be an unwilling bit miner
  106. 106. don’t be an unwilling bit miner safeguard your credentials…
  107. 107. prod dev compartmentalise breaches
  108. 108. people are often the WEAKEST link in the security chain
  109. 109. @theburningmonk theburningmonk.com github.com/theburningmonk
  110. 110. sign up here: http://bit.ly/2xCwJEe

×