Serverless Security: Doing Security in 100 milliseconds

Talk on serverless security with a brief history of cloud, containers and now serverless. The talk also covers serverless patterns and the security considerations needed in this new environment. This talk was given at AppSecUSA 2016.

Published in: Technology

  1. @WICKETT DOING SECURITY IN 100 MILLISECONDS / SERVERLESS SECURITY
  2. JAMES WICKETT
     ๏ Head of Research at Signal Sciences
     ๏ Author at Lynda/LinkedIn Training for DevOps Fundamentals course releasing in November
     ๏ Blogger at theagileadmin.com and labs.signalsciences.com
  3. DEVOPS ROADMAP FOR SECURITY http://info.signalsciences.com/book
  4. ๏ Web App Firewall for modern workloads
     ๏ Cloud-native and devops friendly
     ๏ Answer the questions: Am I being attacked right now? Are attackers becoming successful?
     ๏ We are hiring (Golang, appsec, devops)
  7. CONCLUSION
     ๏ Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
     ๏ New serverless patterns are just emerging
     ๏ Security with serverless is easier
     ๏ Security with serverless is harder
  8. CONCLUSION (2)
     ๏ Four key areas apply to serverless security
     ๏ Software Supply Chain Security
     ๏ Delivery Pipeline Security
     ๏ Data Flow Security
     ๏ Attack Detection
  9. WHAT IS SERVERLESS?
  10. MISCONCEPTIONS
  11. IT’S MARKETING (CLOUD REBRANDED)
  12. SERVERLESS == NO SERVERS
  13. SERVERLESS == CLOUD
  14. SERVERLESS == BACKEND AS A SERVICE
  15. SERVERLESS == PLATFORM AS A SERVICE
  17. SO, WHAT IS SERVERLESS?
  18. http://martinfowler.com/articles/serverless.html
  19. @MIKEBROBERTS
  20. Serverless was first used to describe applications that significantly or fully depend on 3rd party applications / services (‘in the cloud’) to manage server-side logic and state. http://martinfowler.com/articles/serverless.html
  21. Serverless can also mean applications where some amount of server-side logic is still written by the application developer but unlike traditional architectures is run in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party. http://martinfowler.com/articles/serverless.html
  22. HISTORY OF SERVERLESS
     ๏ 2012 - used to describe BaaS and Continuous Integration services run by third parties
     ๏ Late 2014 - AWS launched Lambda
     ๏ July 2015 - AWS launched API Gateway
     ๏ October 2015 - AWS re:Invent - The Serverless company using AWS Lambda
     ๏ 2015 to present - Frameworks forming
     ๏ 2016 - Serverless Conference
     http://www.slideshare.net/AmazonWebServices/arc308-the-serverless-company-using-aws-lambda
  23. Diagram labels: Client, Server, Database, Proxy/LB, Server, Server
  24. Diagram labels: Client, Auth Service, API Gateway, Database, Service, Function A, Function B, Web Delivery
  26. WHAT CAN WE SAY IS SERVERLESS?
  27. SERVERLESS IS FUNCTIONS AS A SERVICE (FaaS)
  28. BUT, BUT… CONTAINERS!
  29. CONTAINERS … ON DEMAND
  30. SERVERLESS IS (NO MANAGEMENT OF) SERVERS
  31. SERVERLESS IS SERVICEFULL
  32. SERVERLESS IS AN OPINIONATED FRAMEWORK FOR COMPUTE
  33. Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
  34. A SHORT HISTORY OF CLOUD
  35. VIRTUALIZATION
  36. “THE CLOUD”
  37. DEVOPS
  38. SaaS / PaaS / IaaS
  39. PRIVATE CLOUD
  40. THEN, ALONG CAME CONTAINERS
  41. CONTAINERS ARE TEH HAWTNESS
  43. LOTS OF EFFORT IN CONTAINER ORCHESTRATION
  44. THE CLOUD WAS TO VIRTUALIZATION AS SERVERLESS WILL BE TO CONTAINERS
  45. “IF YOU WANT TO LEAD YOUR COMPANY BRAVELY INTO THE NEW WORLD, YOU WOULD DO WELL TO FOCUS LOT ON HOW SERVERLESS WILL EVOLVE.” - @CLOUDOPINION https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
  46. Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
  47. SO, WHAT ARE THE UPSIDES?
  48. SCALING BUILT IN
  49. PAY FOR WHAT YOU USE IN 100MS INCREMENTS
  50. WITH SERVERLESS SYSTEM ADMINISTRATION IS (MOSTLY) LOWER
  51. SERVERLESS IS IMPLICIT MICROSERVICES
  52. SHORT CIRCUITS OPS AND MOVES INFRASTRUCTURE RUNTIME CLOSER TO DEVS
  53. YOU CAN SKIP CHEFFING DOCKERING ALL THE THINGS!
  54. LEAN STARTUP FRIENDLY
  55. INCREASED VELOCITY
  56. GREAT, WHAT’S THE CATCH?
  57. OPS BURDEN TO RATIONALIZE SERVERLESS MODEL (SPECIFICALLY DEPLOY)
  58. MONITORING
  59. LOGGING
  60. STATELESS FOR REAL: NO MEMORY PERSISTENCE ACROSS FUNCTION RUNS
  61. VENDOR LOCK-IN
  62. SECURITY
  63. RELIABILITY
  65. SERVERLESS USE CASES
  66. IMAGE RESIZING
  67. QUEUE PROCESSING http://martinfowler.com/articles/serverless.html
  68. RUN A WEB APPLICATION
  69. API GATEWAY http://martinfowler.com/articles/serverless.html
  70. CI/CD
  71. LICENSING
  72. SECURITY IS THE SAME AND DIFFERENT
  73. EVERYTHING IS HTTP(S)
  74. WHAT USED TO BE SYSTEM CALLS IS NOW DISTRIBUTED COMPUTING OVER THE NETWORK
  75. SERVERLESS SHIFTS ATTACK SURFACE TO THIRD PARTIES
  76. LET’S TRY A SAMPLE APPLICATION IN AWS
  77. ๏ Golang!
     ๏ AWS Lambda supports bring your own binary
     ๏ Sparta wraps your binary with a node.js shim
  79. OTHER OPTIONS
     ๏ Serverless Framework
     ๏ APEX
     ๏ Kappa
  80. WORDY
     ๏ Analyzes textual occurrences given a block of text, returns a JSON count of words
     ๏ Calls an API under the hood to get the text
     ๏ It is composed of Lambda, S3 and API Gateway
  84. go run main.go provision -s S3_BUCKET
  94. WHAT I LEARNED ABOUT SERVERLESS SECURITY
  96. FOUR AREAS OF SERVERLESS SECURITY
     ๏ Secure Software Supply Chain
     ๏ Delivery Pipeline
     ๏ Data Flow Security
     ๏ Attack Detection
  98. SURFACE AREA REDUCTION!
  99. SURFACE AREA EXPANSION!
  100. SSL / TLS FROM THE PROVIDER
  101. DNS!
  102. LAMBDA + S3 + KINESIS + DYNAMODB + CLOUDFORMATION + API GATEWAY + AUTH0
  103. USE A THIRD-PARTY SERVICE FOR CONFIG CHANGES
  104. ACCESS CONTROL
  105. DELIVERY PIPELINE SECURITY
  107. UNIT TESTING
  109. INTEGRATION TESTING
  110. CONFIGURATION IS PART OF DELIVERY
  111. PROVIDER SECURITY
     ๏ Disable root access keys
     ๏ Manage users with profiles
     ๏ Secure your keys in your deploy system
     ๏ Secure keys in dev system
     ๏ Use provider MFA
  112. SIMPLE DEPLOY PIPELINE SECURITY
     ๏ Only dev keys can push to ‘dev’
     ๏ Only build/deploy system can push to pre-prod
     ๏ Integration tests must pass in this env
     ๏ Security validation must take place
     ๏ Allow push to prod, only by deploy system
  113. SECURITY INTEGRATION TESTING
     ๏ BDD-Security - github.com/continuumsecurity/bdd-security
     ๏ Gauntlt - gauntlt.org
  114. http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
  115. DATA FLOW SECURITY
     ๏ Development
     ๏ Data Flow Diagrams
     ๏ Threat modeling
     ๏ Runtime
  116. Application layer DoS
  117. TIMEOUTS AND EXECUTION RESTRICTIONS
  118. HTTP / HTTPS
  119. ATTACK DETECTION
  120. DEVELOPMENT
     ๏ Normal OWASP tooling
     ๏ Language filtering and more
  121. APPSEC PROBLEMS
  122. DEFENSE
     ๏ Logging, emitting events
     ๏ Vandium (SQLi) wrapper
     ๏ Content Security Policy (CSP)
     ๏ More work needs to be done here…
  123. CONCLUSION
     ๏ Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
     ๏ New serverless patterns are just emerging
     ๏ Security with serverless is easier
     ๏ Security with serverless is harder
  124. CONCLUSION (2)
     ๏ Four key areas apply to serverless security
     ๏ Software Supply Chain Security
     ๏ Delivery Pipeline Security
     ๏ Data Flow Security
     ๏ Attack Detection
  126. LET’S TALK!
     ๏ james@signalsciences.com
     ๏ @wickett
     ๏ http://info.signalsciences.com/book
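Slide 80 describes Wordy as a Lambda function that takes a block of text and returns a JSON word count, and slides 60, 116 and 117 raise the points that matter for such a function: it is stateless, it is exposed to application-layer DoS, and the defence is timeouts and execution restrictions. The Go program below is an added example written for this page; it is not the talk's Sparta/Wordy code. It keeps the handler shape (decode JSON body, count, encode) without any AWS SDK so it runs stand-alone, and the Request/Response shapes, the size limits and the 3-second timeout are assumptions. The point it demonstrates is that the function checks its input size before doing any work and re-checks the context deadline while working, so a large or slow request fails fast instead of running to the maximum billed duration.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Execution restrictions for the function. The values are assumptions for this
// example; in practice they are sized against the configured timeout and memory.
const (
	MaxInputBytes = 64 * 1024 // reject oversized bodies before any work is done
	MaxDistinct   = 10000     // cap on distinct words kept in memory
	CheckEvery    = 512       // words processed between deadline checks
)

var (
	ErrInputTooLarge = errors.New("input exceeds size limit")
	ErrTooManyWords  = errors.New("too many distinct words")
)

// Request and Response mirror the JSON body an API Gateway integration would
// hand to the function (shapes assumed for this example).
type Request struct {
	Text string `json:"text"`
}

type Response struct {
	Counts map[string]int `json:"counts"`
	Total  int            `json:"total"`
}

// CountWords lower-cases and counts the words in text (runs of letters, with
// apostrophes allowed inside a word). It stops as soon as ctx is done and
// enforces the size caps, so both run time and memory are bounded.
func CountWords(ctx context.Context, text string) (Response, error) {
	if len(text) > MaxInputBytes {
		return Response{}, ErrInputTooLarge
	}
	counts := make(map[string]int)
	total := 0

	// add records one word; every CheckEvery words it re-checks the deadline.
	add := func(word string) error {
		if total%CheckEvery == 0 {
			if err := ctx.Err(); err != nil {
				return err
			}
		}
		word = strings.ToLower(word)
		if _, seen := counts[word]; !seen && len(counts) >= MaxDistinct {
			return ErrTooManyWords
		}
		counts[word]++
		total++
		return nil
	}

	start := -1 // byte offset where the current word began, -1 when between words
	for i, r := range text {
		if unicode.IsLetter(r) || (r == '\'' && start >= 0) {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 {
			if err := add(text[start:i]); err != nil {
				return Response{}, err
			}
			start = -1
		}
	}
	if start >= 0 {
		if err := add(text[start:]); err != nil {
			return Response{}, err
		}
	}
	return Response{Counts: counts, Total: total}, nil
}

// HandleRequest is the handler-shaped entry point. The Lambda plumbing (Sparta
// shim or Go runtime) is deliberately left out so this runs stand-alone.
func HandleRequest(ctx context.Context, body []byte) ([]byte, error) {
	if len(body) > MaxInputBytes {
		return nil, ErrInputTooLarge
	}
	var req Request
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, fmt.Errorf("bad request: %w", err)
	}
	resp, err := CountWords(ctx, req.Text)
	if err != nil {
		return nil, err
	}
	return json.Marshal(resp)
}

func main() {
	// Assumed function timeout; on Lambda the real deadline arrives via ctx.
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()
	out, err := HandleRequest(ctx, []byte(`{"text":"Functions are stateless; functions are ephemeral."}`))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(string(out))
}
```

Nothing is kept between calls, which is the "stateless for real" point of slide 60: every invocation builds its map from scratch and the caps bound what one invocation can cost. The same deadline check is worth adding around any downstream call the function makes (slide 80's "calls an API under the hood"), since a slow third party otherwise consumes the whole execution budget.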
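Slide 112 states the deploy pipeline rules and slide 110 argues that configuration is part of delivery. The Go program below is an added example, not code from the talk or from any named project: it expresses the slide's rules as a deny-by-default authorization function that a deploy system could call before promoting an artifact. The environment names, principal kinds and the Evidence structure (the record that integration tests and security validation ran against the artifact in pre-prod) are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Environment is a deployment target; PrincipalKind says whose credentials are
// making the push. The names are assumptions for this example.
type Environment string
type PrincipalKind string

const (
	EnvDev     Environment = "dev"
	EnvPreProd Environment = "pre-prod"
	EnvProd    Environment = "prod"

	PrincipalDeveloper    PrincipalKind = "developer-key"
	PrincipalDeploySystem PrincipalKind = "build-deploy-system"
)

// Evidence is what the deploy system can show for the artifact it wants to
// promote: the gates that ran against it in pre-prod.
type Evidence struct {
	IntegrationTestsPassed bool
	SecurityValidationDone bool
}

// PushRequest is one attempted deployment of an artifact.
type PushRequest struct {
	Principal PrincipalKind
	Target    Environment
	Evidence  Evidence
}

// ErrDenied wraps every refusal so callers can test for it with errors.Is.
var ErrDenied = errors.New("push denied")

// Authorize is deny-by-default. Developer keys reach only dev, the build/deploy
// system alone reaches pre-prod and prod, and a prod push additionally requires
// the pre-prod gates to have passed for the artifact being promoted.
func Authorize(req PushRequest) error {
	switch req.Target {
	case EnvDev:
		if req.Principal != PrincipalDeveloper {
			return fmt.Errorf("%w: only developer keys may push to %s", ErrDenied, req.Target)
		}
		return nil
	case EnvPreProd:
		if req.Principal != PrincipalDeploySystem {
			return fmt.Errorf("%w: only the build/deploy system may push to %s", ErrDenied, req.Target)
		}
		return nil
	case EnvProd:
		if req.Principal != PrincipalDeploySystem {
			return fmt.Errorf("%w: only the deploy system may push to %s", ErrDenied, req.Target)
		}
		if !req.Evidence.IntegrationTestsPassed {
			return fmt.Errorf("%w: integration tests have not passed in pre-prod", ErrDenied)
		}
		if !req.Evidence.SecurityValidationDone {
			return fmt.Errorf("%w: security validation has not run in pre-prod", ErrDenied)
		}
		return nil
	default:
		// An unknown environment is refused rather than treated as unrestricted.
		return fmt.Errorf("%w: unknown environment %q", ErrDenied, req.Target)
	}
}

func main() {
	verified := Evidence{IntegrationTestsPassed: true, SecurityValidationDone: true}
	attempts := []PushRequest{
		{Principal: PrincipalDeveloper, Target: EnvDev},
		{Principal: PrincipalDeveloper, Target: EnvProd, Evidence: verified},
		{Principal: PrincipalDeploySystem, Target: EnvProd},
		{Principal: PrincipalDeploySystem, Target: EnvProd, Evidence: verified},
	}
	for _, a := range attempts {
		if err := Authorize(a); err != nil {
			fmt.Printf("%-20s -> %-9s DENY (%v)\n", a.Principal, a.Target, err)
		} else {
			fmt.Printf("%-20s -> %-9s ALLOW\n", a.Principal, a.Target)
		}
	}
}
```

Keeping the rules in one function with a default refusal makes them unit-testable in the same pipeline they protect, which is the practical meaning of "configuration is part of delivery"; the provider-side enforcement from slide 111 (separate keys per environment, MFA, no root access keys) is what stops someone bypassing this function by deploying directly.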
