has your security? your apps have gone serverless. rochester …€¦ · your apps have gone...

Tal MelamedHead of Security ResearchProtego Labs

Your Apps Have Gone Serverless.Has Your Security?

Rochester Security Summit 2018

2

w w w . p r o t e g o . i o

Follow me @

3

AgendaHousekeeping

What is Serverless?Is serverless security any different?

New Security ChallengesDemo

Top 10 Security RisksWrap-Up

4

www.hackerhalted.com 5

The Evolution of the Cloud

6

Serverless Basics

7

Why Does Serverless Security Any Different?

8

Gap Analysis

9

No ServersNo Perimeter

More ComplexityHigh Velocity

No Servers!Fine Grained

TransparencyEphemeral

10

Cons Pros

Top 10 - Candidates

11

Challenge

12

13

var s3 = new AWS.S3({apiVersion: '2006-03-01'});var params = {Bucket: 'myBucket', Key: imageFileName};var file = require('fs').createWriteStream('/tmp/file.jpg');s3.getObject(params).createReadStream().pipe(file);

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"] }]}

Security???

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::myBucket/*"] }]}

Of course I care about security

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:GetObject"], "Resource":["arn:aws:s3:::myBucket/*"] }]}

Least privilege*

Security Posture

14

15

Challenge

16

17

Security Observability

18

19

Challenge

20

21

Before After

Application Security

22

23

Demo: SlackAttack

24

25

The Setup

#1: Validate the Vulnerablity

26

#2: Extract the source code

#3: Read Environment Vars

#4: Impersonate the Function

#5: Steal Some Stuff

Attack Steps

27

Event InjectionVulnerable Dependencies

Open ResourcesOver-Privileged Functions

Sensitive Data ExposureDoW / DoS

Execution Flow ManipulationInsecure Shared Space

Insufficient Logging & MonitoringInsecure Secret Management

What can we do about it?

28

29

www.protego.io/blog

OWASP Serverless Top 10https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project

30

Get Involved

Get Going!

31

32

Thanks!

Tal Melamed

talm@protego.io

@_nu11p0inter

www.protego.io

@ProtegoLabs

Any questions?