Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Serverless security: defence against the dark arts

503 views

Published on

AWS has taken over the responsibilities of patching the OS and securing the underlying physical infrastructure that runs your serverless application, so what’s left for you to secure? Quite a bit it turns out.

The OWASP top 10 is as relevant to you as ever; DOS attacks are still a threat even if you can probably brute force your way through it as AWS auto-scales Lambda functions automatically; and did you know attackers can easily steal your AWS credentials via your application dependencies?

In addition to the traditional threats, serverless applications have more granular deployment units and therefore there are more things to configure and secure, and the tools and practices are still catching up with this fast-changing world.

Published in: Technology
  • Be the first to comment

Serverless security: defence against the dark arts

  1. 1. Serverless Security defense against the dark arts
  2. 2. Yan Cui http://theburningmonk.com @theburningmonk Principal Engineer @ Independent Consultant
  3. 3. We’re hiring! Visit engineering.dazn.com to learn more. follow @dazneng for updates about the engineering team
  4. 4. follow @dazneng for updates about the engineering team We’re hiring! Visit engineering.dazn.com to learn more. WE’RE HIRING!
  5. 5. AWS user since 2009
  6. 6. http://bit.ly/yubl-serverless
  7. 7. Shared Responsibility Model
  8. 8. Shared Responsibility Model
  9. 9. protection from OS attacks Amazon automatically apply latest patches to host VMs
  10. 10. still have to patch your code vulnerable code, 3rd party dependencies, etc.
  11. 11. https://snyk.io/blog/owasp-top-10-breaches
  12. 12. https://snyk.io/blog/owasp-top-10-breaches Known Vulnerable Components cause 24% of the top 50 data breaches
  13. 13. https://snyk.io/blog/77-percent-of-sites-use-vulnerable-js-libraries
  14. 14. http://bit.ly/2topw5I
  15. 15. use prepared statements
  16. 16. sanitise inputs & outputs (standardise and encapsulate into shared lib)
  17. 17. security is as much about what your function should do as well as what it shouldn’t do (protect against data exfiltration)
  18. 18. http://bit.ly/2gSHtay Broken Access Control Insecure Direct Object Reference Information Leakage GraphQL Injection
  19. 19. http://bit.ly/2uKhGXF
  20. 20. app dependencies is a attack surface BIGGER than you think
  21. 21. your dependencies
  22. 22. your dependencies transient dependencies
  23. 23. https://david-dm.org/request/request?view=tree
  24. 24. https://snyk.io
  25. 25. security updates are often bundled with unrelated feature and API changes
  26. 26. your security is as strong as its weakest link
  27. 27. OS Application Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Networking runs on needs Source Code has maintains
  28. 28. OS Application Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Networking needs runs on this is where an attacker will target in a movie Source Code has maintains
  29. 29. OS Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Application A9 Networking runs on needs Source Code has maintains A1, A3, …
  30. 30. people are often the WEAKEST link in the security chain
  31. 31. OS Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Application phishing… Networking runs on needs Source Code has maintains
  32. 32. OS Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Application brute force, known account leaks, … Networking runs on needs Source Code has maintains
  33. 33. OS Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Application brute force, known account leaks, … Networking runs on needs Source Code has maintains
  34. 34. http://bit.ly/2sFDwYX …obtained publish access to 14% of npm packages…
  35. 35. http://bit.ly/2sFDwYX debug, request, react, co, express, moment, gulp, mongoose, mysql, bower, browserify, electron, jasmine, cheerio, modernizr, redux, …
  36. 36. http://bit.ly/2sFDwYX total downloads/month of the unique packages which I got myself publish access to was 1 972 421 945, that’s 20% of the total number of d/m directly.
  37. 37. 20% of all monthly NPM downloads…
  38. 38. brute force known account leaks from other sources leaked NPM credentials (github, etc.)
  39. 39. http://bit.ly/2sFDwYX
  40. 40. http://bit.ly/2sFDwYX 662 users had password “123456” 172 — “123” 124 — “password”
  41. 41. WTF!?!?
  42. 42. oh god, that was too easy…
  43. 43. compromised package is a transient dependency sigh…
  44. 44. still “works”…
  45. 45. npmjs.com/~hacktask
  46. 46. rm -rf /!!!
  47. 47. NPM default - get latest “compatible” version, ie. 1.X.X
  48. 48. clean install (eg. on CI server) will download the latest, compromised package without any code change… NPM default - get latest “compatible” version, ie. 1.X.X
  49. 49. use npm shrinkwrap or upgrade to NPM 5 or above
  50. 50. use `npm ci` in CI environment
  51. 51. not specific to Node.js or NPM
  52. 52. the attackers are in…
  53. 53. the attackers are in… what now?
  54. 54. Shared Responsibility Model
  55. 55. who can invoke the function?
  56. 56. what can the function access?
  57. 57. Least Privilege Principle
  58. 58. everything here is trusted
  59. 59. sensitive data
  60. 60. http://bit.ly/2zHvbcB
  61. 61. always public access is controlled via IAM
  62. 62. https://www.puresec.io/function-shield
  63. 63. http://bit.ly/2lNInES
  64. 64. adds up to 10s to cold start!! http://bit.ly/2lNInES
  65. 65. compromised servers allow attacker to access all of your sensitive data!
  66. 66. implement authentication for internal APIs
  67. 67. use AWS_IAM authentication for internal APIs
  68. 68. minimise function’s access
  69. 69. requires developer discipline
  70. 70. AWS Lambda docs Write your Lambda function code in a stateless style, and ensure there is no affinity between your code and the underlying compute infrastructure. http://amzn.to/2jzLmkb
  71. 71. S3 AWS IoT DynamoDB RDS EventStore Elasticsearch Couchbase Redshift Neo4j Google BigQuery
  72. 72. secure sensitive data both at rest and in-transit
  73. 73. leverage server-side encryption
  74. 74. http://amzn.to/1N3Twb8
  75. 75. http://amzn.to/1xF41eX
  76. 76. http://amzn.to/2tgvFR2
  77. 77. https://amzn.to/2DaXFwA
  78. 78. Least Privilege Principle
  79. 79. Disposability is a virtue
  80. 80. AWS Lambda docs Delete old Lambda functions that you are no longer using. http://amzn.to/2jzLmkb
  81. 81. easier said than done…
  82. 82. identifying component ownership in a big IT organization is challenging
  83. 83. identifying ownership of individual functions is much harder
  84. 84. tag every function with Team name
  85. 85. source: http://www.digitalattackmap.com
  86. 86. more likely to scale through DoS attacks
  87. 87. DoS + per exec billing = Denial of Wallet problem
  88. 88. configure WAF rules on API Gateway and CloudFront
  89. 89. enable throttling
  90. 90. AWS Shield Advanced also gives you access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your ELB, CloudFront or Route 53 charges.
  91. 91. async sync S3 SNS SES CloudFormation CloudWatch Logs CloudWatch Events Scheduled Events CodeCommit AWS Config http://amzn.to/2vs2lIg Cognito Alexa Lex API Gateway pulling DynamoDB Stream Kinesis Stream SQS Lambda handles retries (twice, then DLQ)
  92. 92. http://bit.ly/2v7F2E4
  93. 93. DoS attack 2+ Retries+ ?
  94. 94. DoS attack Regex DoS attack long Lambda timeout 2+ Retries+ ?
  95. 95. avoid (unnecessary) long timeouts
  96. 96. alert on error count
  97. 97. Day 1
  98. 98. Day 2
  99. 99. no long-lived compromised servers
  100. 100. containers are reused, avoid sensitive data in /tmp
  101. 101. https://www.puresec.io/function-shield
  102. 102. no accidentally exposed directories
  103. 103. http://bit.ly/2tlGTbc
  104. 104. monitor activities in unused regions using CloudWatch Events
  105. 105. set up billing alarms in unused regions
  106. 106. watertight compartments that can contain water in the case of hull breach or other leaks
  107. 107. Michael Nygard
  108. 108. least privilege principle
  109. 109. per function policies
  110. 110. account level isolation
  111. 111. Recap
  112. 112. app dependencies is a attack surface BIGGER than you think
  113. 113. sanitise inputs and outputs
  114. 114. Least Privilege Principle
  115. 115. here’s your per function policy NEXT!
  116. 116. S3 AWS IoT DynamoDB RDS EventStore Elasticsearch Couchbase Redshift Neo4j Google BigQuery encrypt data at rest
  117. 117. S3 AWS IoT DynamoDB RDS EventStore Elasticsearch Couchbase Redshift Neo4j Google BigQuery and in-transit
  118. 118. delete unused functions.
  119. 119. DoS DoW* * Denial of Wallet
  120. 120. no server* no OS attacks no long lived compromised servers * I know I know, there’s still a server somewhere, but it’s managed and secured by AWS engineers who can do a much better job of it than most of us can; and the servers are ephemeral and short-lived
  121. 121. don’t be an unwilling bit miner
  122. 122. don’t be an unwilling bit miner safeguard your credentials…
  123. 123. prod dev compartmentalise breaches
  124. 124. people are often the WEAKEST link in the security chain
  125. 125. @theburningmonk theburningmonk.com github.com/theburningmonk

×