
Security in Serverless world


AWS has taken over the responsibilities of patching the OS and securing the underlying physical infrastructure that runs your serverless application, so what's left for you to secure? Quite a bit it turns out.

Published in: Technology


  1. the Many-Faced Threats to the serverless world
  2. Yan Cui http://theburningmonk.com @theburningmonk Principal Engineer @
  3. “Netflix for sports” offices in London, Leeds, Katowice and Tokyo
  4. We’re hiring ;-) http://engineering.dazn.com
  5. AWS user since 2009
  6. recording: https://www.youtube.com/watch?v=s4L5wjFlFzA slides: http://bit.ly/2tHYFAM blog posts: http://theburningmonk.com/yubls-road-to-serverless-architecture
  7. Shared Responsibility Model
  8. Shared Responsibility Model
  9. protection from OS attacks: Amazon automatically applies the latest patches to host VMs
  10. you still have to patch your code: vulnerable code, 3rd party dependencies, etc.
  11. https://snyk.io/blog/owasp-top-10-breaches
  12. https://snyk.io/blog/owasp-top-10-breaches Known Vulnerable Components caused 24% of the top 50 data breaches in 2016
  13. https://snyk.io/blog/77-percent-of-sites-use-vulnerable-js-libraries
  14. http://bit.ly/2topw5I
  15. sanitise inputs & outputs (standardise and encapsulate into a shared lib)
  16. http://bit.ly/2gSHtay Broken Access Control, Insecure Direct Object Reference, Information Leakage, GraphQL Injection
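The shared input/output sanitisation layer that slide 15 recommends, applied to the failure modes slide 16 lists (broken access control, IDOR, information leakage). This is an added example, not code from the talk or from DAZN: the order records, the `getOrderHandler` name and the API Gateway event shape it reads are constructed.

```javascript
// Added example, not from the talk: an input/output sanitisation layer of the
// kind slide 15 recommends, applied to an API Gateway style Lambda event.
// The order records, field names and the `getOrderHandler` name are constructed.

// Constructed stand-in for a data store.
const ORDERS = {
  ord_1001: { id: 'ord_1001', ownerId: 'user_7', total: 42.5, cardLast4: '4242' },
  ord_1002: { id: 'ord_1002', ownerId: 'user_9', total: 10.0, cardLast4: '1111' },
};

// Input: allowlist the exact shape instead of stripping "bad" characters.
const ORDER_ID = /^ord_[0-9]{1,12}$/;

function validateOrderId(raw) {
  if (typeof raw !== 'string' || !ORDER_ID.test(raw)) {
    throw Object.assign(new Error('invalid order id'), { statusCode: 400 });
  }
  return raw;
}

// Output: expose only the fields a caller should see, never the raw record,
// so new sensitive columns do not leak as the schema grows.
function publicOrderView(order) {
  return { id: order.id, total: order.total };
}

// Errors: generic message in the body; details belong in the log, not the response.
function errorResponse(err) {
  const statusCode = err.statusCode || 500;
  const message = statusCode === 500 ? 'internal error' : err.message;
  return { statusCode, body: JSON.stringify({ error: message }) };
}

function getOrderHandler(event) {
  try {
    const orderId = validateOrderId(event.pathParameters && event.pathParameters.id);
    // Caller identity comes from the authorizer context, never from the request.
    const auth = event.requestContext && event.requestContext.authorizer;
    const callerId = auth && auth.principalId;
    if (!callerId) {
      return { statusCode: 401, body: JSON.stringify({ error: 'unauthenticated' }) };
    }
    const order = ORDERS[orderId];
    // Ownership check closes the IDOR hole: a well-formed id is not authorisation.
    // 404 rather than 403 so the response does not confirm the record exists.
    if (!order || order.ownerId !== callerId) {
      return { statusCode: 404, body: JSON.stringify({ error: 'not found' }) };
    }
    return { statusCode: 200, body: JSON.stringify(publicOrderView(order)) };
  } catch (err) {
    return errorResponse(err);
  }
}
```

Validation, view building and error shaping are three separate functions so they can live in the shared library the slide describes and be reused by every function in the service.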
  17. http://bit.ly/2uKhGXF
  18. http://bit.ly/2uKhGXF
  19. app dependencies are a large attack surface
  20. further compounded by transitive dependencies
  21. https://david-dm.org/request/request?view=tree
  22. https://snyk.io
  23. security updates are often bundled with unrelated feature and API changes
  24. your security is as strong as its weakest link
  25. [diagram: physical infrastructure hosts the OS, which runs the container, which runs the application; the application has source code (maintained by developers) and dependencies (published by NPM authors, pushed to NPM); users use the application over networking, which guards/protects it]
  26. [same diagram, annotated: the physical infrastructure is where an attacker will target in a movie]
  27. [same diagram, annotated with OWASP Top 10 categories: A9 and A1, A3, …]
  28. people are often the WEAKEST link in the security chain
  29. [same diagram, annotated: phishing…]
  30. [same diagram, annotated: brute force, known account leaks, …]
  31. [same diagram, annotated: brute force, known account leaks, …]
  32. http://bit.ly/2sFDwYX …obtained publish access to 14% of npm packages…
  33. http://bit.ly/2sFDwYX debug, request, react, co, express, moment, gulp, mongoose, mysql, bower, browserify, electron, jasmine, cheerio, modernizr, redux, …
  34. http://bit.ly/2sFDwYX total downloads/month of the unique packages which I got myself publish access to was 1 972 421 945, that's 20% of the total number of d/m directly.
  35. 20% of all monthly NPM downloads…
  36. brute force; known account leaks from other sources; leaked NPM credentials (github, etc.)
  37. http://bit.ly/2sFDwYX
  38. http://bit.ly/2sFDwYX 662 users had password “123456”, 172 — “123”, 124 — “password”
  39. WTF!?!?
  40. oh god, that was too easy…
  41. compromised package is a transitive dependency, sigh…
  42. still “works”…
  43. npmjs.com/~hacktask
  44. rm -rf / !!!
  45. NPM default - get latest “compatible” version, i.e. 1.X.X
  46. a clean install (e.g. on a CI server) will download the latest, compromised package without any code change… NPM default - get latest “compatible” version, i.e. 1.X.X
  47. use npm shrinkwrap or upgrade to NPM 5
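A check for the clean-install problem on slides 45-47, as an added example that is not part of the talk: it flags the semver ranges that let a fresh `npm install` drift to a newer release, and checks whether a lockfile (`npm-shrinkwrap.json` from `npm shrinkwrap`, or `package-lock.json` from npm 5) pins the rest of the tree. The manifest it is run against is constructed.

```javascript
// Added example, not from the talk: a pre-install check for the problem on
// slides 45-47. A floating range lets a clean install (CI, fresh clone) pull a
// newer release than the one you tested, which is exactly how a freshly
// compromised version gets in. The sample manifest used below is constructed.

// Range syntaxes that npm may resolve to a different version tomorrow.
const FLOATING_RANGE = [
  /^\^/,               // ^1.2.3  -> any 1.x.x
  /^~/,                // ~1.2.3  -> any 1.2.x
  /[xX*]/,             // 1.x, 1.X.X, *
  /^[<>]=?/,           // >=1.0.0, <2
  /\|\||\s-\s/,        // 1.0.0 || 2.0.0, 1.0.0 - 2.0.0
  /^(latest|next)$/,   // dist-tags
  /^\s*$/,             // "" means "any version" to npm
];

function isFloating(range) {
  return FLOATING_RANGE.some((re) => re.test(range));
}

// Return every dependency whose version can drift on a clean install.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (isFloating(range)) findings.push({ field, name, range });
    }
  }
  return findings;
}

// Pinning top-level ranges is not enough: transitive dependencies are pinned
// only by a lockfile. `npm shrinkwrap` writes npm-shrinkwrap.json; npm 5 writes
// package-lock.json on install and honours it on the next one.
const LOCKFILES = ['npm-shrinkwrap.json', 'package-lock.json'];

function lockfileStatus(dirEntries) {
  const found = LOCKFILES.filter((f) => dirEntries.includes(f));
  return { pinned: found.length > 0, lockfiles: found };
}

// Overall verdict for a project directory listing plus its parsed package.json.
function assessProject(dirEntries, pkg) {
  const floating = auditManifest(pkg);
  const lock = lockfileStatus(dirEntries);
  return {
    ok: lock.pinned,          // a lockfile pins the whole tree, transitive deps included
    lockfiles: lock.lockfiles,
    floating,                 // still worth tightening so a lockfile refresh cannot surprise you
  };
}
```

Run `assessProject(fs.readdirSync('.'), require('./package.json'))` in a CI step and fail the build when `ok` is false; the `floating` list is the report to hand to whoever owns the manifest.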
  48. imagine…
  49. not specific to Node.js or NPM
  50. Shared Responsibility Model
  51. who can invoke the function?
  52. what can the function access?
  53. Least Privilege Principle
  54. everything here is trusted
  55. always public: implement authentication with API keys, Cognito, or custom authorizer functions
  56. compromised servers allow an attacker to access all of your sensitive data!
  57. implement authentication for internal APIs
  58. use AWS_IAM authentication for internal APIs
  59. minimise the function’s access
  60. requires developer discipline
  61. IAM policies are not versioned with Lambda functions
  62. better in Serverless 1.X
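Slides 59-62 (and the "per function policies" point in the recap) are about the discipline of scoping each function's IAM policy. As an added example that is not from the talk, here is the shared "allow everything" policy beside a per-function policy, plus a small audit that flags the patterns which defeat least privilege so the discipline can be enforced in CI rather than by review alone. The account id, region, table and log-group names are constructed placeholders, and the list of actions that genuinely require `Resource: "*"` is an assumption to extend for your own account.

```javascript
// Added example, not from the talk: a shared "allow everything" role beside a
// per-function policy, plus an audit that flags the patterns which break least
// privilege (slides 59-62). Account id, region, table and log group names are
// constructed placeholders.

// Before: one role shared by every function, the path of least developer effort.
const SHARED_ROLE_POLICY = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: '*', Resource: '*' }],
};

// After: what the order-reader function actually needs, and nothing else.
const ORDER_READER_POLICY = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['dynamodb:GetItem', 'dynamodb:Query'],
      Resource: 'arn:aws:dynamodb:eu-west-1:000000000000:table/orders',
    },
    {
      Effect: 'Allow',
      Action: ['logs:CreateLogStream', 'logs:PutLogEvents'],
      Resource: 'arn:aws:logs:eu-west-1:000000000000:log-group:/aws/lambda/order-reader:*',
    },
  ],
};

// Actions that only accept Resource "*" (assumed list; extend for your account).
const RESOURCELESS_ACTIONS = new Set(['xray:PutTraceSegments', 'xray:PutTelemetryRecords']);

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Findings for every Allow statement that is broader than it should be.
function auditPolicy(doc) {
  const findings = [];
  asArray(doc.Statement).forEach((st, i) => {
    if (st.Effect !== 'Allow') return;
    const actions = asArray(st.Action);
    const resources = asArray(st.Resource);
    if (actions.includes('*')) findings.push({ statement: i, issue: 'all actions allowed' });
    const serviceWide = actions.filter((a) => /^[a-z0-9-]+:\*$/.test(a));
    if (serviceWide.length) {
      findings.push({ statement: i, issue: `whole service allowed: ${serviceWide.join(', ')}` });
    }
    if (resources.includes('*') && !actions.every((a) => RESOURCELESS_ACTIONS.has(a))) {
      findings.push({ statement: i, issue: 'resource not scoped' });
    }
    const iamActions = actions.filter((a) => /^iam:/.test(a));
    if (iamActions.length) {
      findings.push({ statement: i, issue: `IAM-modifying action: ${iamActions.join(', ')}` });
    }
  });
  return findings;
}
```

Keeping the policy document next to the function's source, which is what the Serverless 1.X per-function `iamRoleStatements` support on slide 62 makes practical, is what lets a check like `auditPolicy` run on every commit.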
  63. AWS Lambda docs: “Write your Lambda function code in a stateless style, and ensure there is no affinity between your code and the underlying compute infrastructure.” http://amzn.to/2jzLmkb
  64. S3, AWS IoT, DynamoDB, RDS, EventStore, Elasticsearch, Couchbase, Redshift, Neo4j, Google BigQuery
  65. secure sensitive data both at rest and in transit
  66. leverage server-side encryption
  67. http://amzn.to/1N3Twb8
  68. http://amzn.to/1xF41eX
  69. http://amzn.to/2tgvFR2
  70. Least Privilege Principle
  71. Disposability is a virtue
  72. AWS Lambda docs: “Delete old Lambda functions that you are no longer using.” http://amzn.to/2jzLmkb
  73. easier said than done…
  74. identifying component ownership in a big IT organization is challenging
  75. identifying ownership of individual functions is much harder
  76. source: http://www.digitalattackmap.com
  77. more likely to scale through DoS attacks
  78. DoS + per-execution billing = Denial of Wallet problem
  79. have to choose between a DoS and a DoW problem…
  80. AWS Shield Advanced also gives you access to the AWS DDoS Response Team (DRT) and protection against DDoS-related spikes in your ELB, CloudFront or Route 53 charges.
  81. event sources: async (S3, SNS, SES, CloudFormation, CloudWatch Logs, CloudWatch Events, Scheduled Events, CodeCommit, AWS Config), sync (Cognito, Alexa, Lex, API Gateway) and streams (DynamoDB Stream, Kinesis Stream); for async sources Lambda handles retries (twice, then DLQ) http://amzn.to/2vs2lIg
  82. http://bit.ly/2v7F2E4
  83. DoS attack + 2 retries + ?
  84. DoS attack + Regex DoS attack + long Lambda timeout + 2 retries + ?
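Slides 81-84 put the amplification together: a failed async invocation is retried twice before the dead-letter queue, so one poison message is executed (and billed) three times, each time for as long as a backtracking regex or the function timeout allows. The added example below, which is not code from the talk, shows the two handler-side controls for that: bound the work an input can cause before any expensive step runs, and only let genuinely transient failures propagate so malformed input is not retried. The message format, the limits and the `deliver` callback are constructed.

```javascript
// Added example, not from the talk: handler-side controls for the retry
// amplification on slides 81-84. Message format, limits and the `deliver`
// callback are constructed.

const MAX_BODY_BYTES = 16 * 1024;
const MAX_NAME_LEN = 128;

// Nested quantifiers such as (\w+\s?)* backtrack catastrophically on crafted
// input. This pattern is unambiguous (single-space separators, alphanumeric
// words) and is only ever applied to a length-capped string.
const SAFE_NAME = /^[A-Za-z0-9]+(?: [A-Za-z0-9]+)*$/;

class ValidationError extends Error {
  constructor(message) { super(message); this.retryable = false; }
}
class TransientError extends Error {
  constructor(message) { super(message); this.retryable = true; }
}

// Cheap checks first: size, then parse, then field length, then the regex.
function validateMessage(raw) {
  if (typeof raw !== 'string' || Buffer.byteLength(raw, 'utf8') > MAX_BODY_BYTES) {
    throw new ValidationError('payload too large');
  }
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch (e) {
    throw new ValidationError('not json');
  }
  if (!msg || typeof msg.name !== 'string' || msg.name.length > MAX_NAME_LEN || !SAFE_NAME.test(msg.name)) {
    throw new ValidationError('bad name');
  }
  return msg;
}

// Handler for an async event source (SNS, S3, ...). Only transient failures
// propagate; a malformed message is logged and dropped so Lambda does not
// retry it twice more and then dead-letter it.
function handleAsyncRecord(raw, deliver) {
  try {
    const msg = validateMessage(raw);
    deliver(msg);                         // downstream call, may throw TransientError
    return { status: 'delivered', name: msg.name };
  } catch (err) {
    if (err.retryable === false) {
      return { status: 'dropped', reason: err.message };   // log it; do not rethrow
    }
    throw err;                            // let Lambda retry, then dead-letter
  }
}
```

The retryable flag is the design point: Lambda retries on any thrown error, so the handler, not the platform, has to decide which failures deserve a second and third execution.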
  85. Day 1
  86. Day 2
  87. no long-lived compromised servers
  88. containers are reused: avoid leaving sensitive data in /tmp
  89. no accidentally exposed directories
  90. http://bit.ly/2tlGTbc
  91. monitor activities in unused regions using CloudWatch Events
  92. set up billing alarms in unused regions
  93. watertight compartments that can contain water in the case of hull breach or other leaks
  94. Michael Nygard
  95. least privilege principle
  96. per function policies
  97. account level isolation
  98. Recap
  99. App dependencies are a much BIGGER attack surface than you probably realise
  100. sanitise inputs and outputs
  101. Least Privilege Principle
  102. here’s your per function policy NEXT!
  103. S3, AWS IoT, DynamoDB, RDS, EventStore, Elasticsearch, Couchbase, Redshift, Neo4j, Google BigQuery: encrypt data at rest
  104. S3, AWS IoT, DynamoDB, RDS, EventStore, Elasticsearch, Couchbase, Redshift, Neo4j, Google BigQuery: and in transit
  105. delete unused functions.
  106. DoS, DoW* (* Denial of Wallet)
  107. no server*: no OS attacks, no long-lived compromised servers (* I know I know, there’s still a server somewhere, but it’s managed and secured by AWS engineers who can do a much better job of it than most of us can; and the servers are ephemeral and short-lived)
  108. don’t be an unwilling bit miner
  109. don’t be an unwilling bit miner: safeguard your credentials…
  110. prod / dev: compartmentalise breaches
  111. people are often the WEAKEST link in the security chain
  112. @theburningmonk theburningmonk.com github.com/theburningmonk
