serverless security: doing security in 100 milliseconds
TRANSCRIPT
@W
ICK
ET
T
DOING SECURITY IN 100 MILLISECONDS
SERVERLESS SECURITY
@WICKETT
JAMES WICKETT
๏ Head of Research at Signal Sciences
๏ Author at Lynda/LinkedIn Training for DevOps Fundamentals course releasing in November
๏ Blogger at theagileadmin.com and labs.signalsciences.com
@WICKETT
DEVOPS ROADMAP FOR SECURITY
http://info.signalsciences.com/book
@WICKETT
๏ Web App Firewall for modern workloads
๏ Cloud-native and devops friendly
๏ Answer the questions: Am I being attacked right now? Are attackers becoming successful?
๏ We are hiring (Golang, appsec, devops)
@WICKETT
@WICKETT
@WICKETT
@WICKETT
CONCLUSION
๏ Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
๏ New serverless patterns are just emerging
๏ Security with serverless is easier
๏ Security with serverless is harder
@WICKETT
CONCLUSION (2)
๏ Four key areas apply to serverless security
๏ Software Supply Chain Security
๏ Delivery Pipeline Security
๏ Data Flow Security
๏ Attack Detection
@WICKETT
WHAT IS SERVERLESS?
@WICKETT
MISCONCEPTIONS
@WICKETT
IT’S MARKETING (CLOUD REBRANDED)
@WICKETT
SERVERLESS == NO SERVERS
@WICKETT
SERVERLESS == CLOUD
@WICKETT
SERVERLESS == BACKEND AS A
SERVICE
@WICKETT
SERVERLESS == PLATFORM AS A
SERVICE
@WICKETT
@WICKETT
SO, WHAT IS SERVERLESS?
@WICKETT http://martinfowler.com/articles/serverless.html
@WICKETT
@MIKEBROBERTS
@WICKETT
Serverless was first used to describe applications that significantly or fully
depend on 3rd party applications / services (‘in
the cloud’) to manage server-side logic and
state.
http://martinfowler.com/articles/serverless.html
@WICKETT
Serverless can also mean applications where some amount of server-side logic is still written by the application developer but unlike traditional architectures is
run in stateless compute containers that are event-
triggered, ephemeral (may only last for one invocation), and fully
managed by a 3rd party.
http://martinfowler.com/articles/serverless.html
@WICKETT
HISTORY OF SERVERLESS๏ 2012 - used to describe BaaS and Continuous Integration
services run by third parties
๏ Late 2014 - AWS launched Lambda
๏ July 2015 - AWS launched API Gateway
๏ October 2015 - AWS re:Invent - The Serverless company using AWS Lambda
๏ 2015 to present - Frameworks forming
๏ 2016 - Serverless Conference
http://www.slideshare.net/AmazonWebServices/arc308-the-serverless-company-using-aws-lambda
@WICKETT
Client
Server
Database
Proxy/LB
ServerServer
@WICKETT
Client
Auth Service API Gateway
Database Service
Function A
Function B
Web Delivery
@WICKETT
@WICKETT
WHAT CAN WE SAY IS SERVERLESS?
@WICKETT
SERVERLESS IS FUNCTIONS AS A SERVICE (FaaS)
@WICKETT
BUT, BUT…CONTAINERS!
@WICKETT
CONTAINERS … ON DEMAND
@WICKETT
SERVERLESS IS (NO MANAGEMENT OF)
SERVERS
@WICKETT
SERVERLESS IS SERVICEFULL
@WICKETT
SERVERLESS IS AN OPINIONATED FRAMEWORK
FOR COMPUTE
@WICKETT
Serverless encourages functions as deploy units, coupled with third party
services that allow running end-to-end applications without worrying about
system operation.
@WICKETT
A SHORT HISTORY OF CLOUD
@WICKETT
VIRTUALIZATION
@WICKETT
“THE CLOUD”
@WICKETT
DEVOPS
@WICKETT
SaaS PaaS IaaS
@WICKETT
PRIVATE CLOUD
@WICKETT
THEN, ALONG CAME CONTAINERS
@WICKETT
CONTAINERS ARE TEH HAWTNESS
@WICKETT
\
@WICKETT
LOTS OF EFFORT IN CONTAINER
ORCHESTRATION
@WICKETT
THE CLOUD WAS TO VIRTUALIZATION AS SERVERLESS WILL
BE TO CONTAINERS
@WICKETT
IF YOU WANT TO LEAD YOUR COMPANY BRAVELY INTO THE NEW WORLD, YOU WOULD DO WELL TO FOCUS LOT ON HOW
SERVERLESS WILL EVOLVE. - @CLOUDOPINION
https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
@WICKETT
Serverless encourages functions as deploy units, coupled with third party
services that allow running end-to-end applications without worrying about
system operation.
@WICKETT
SO, WHAT ARE THE UPSIDES?
@WICKETT
SCALING BUILT IN
@WICKETT
PAY FOR WHAT YOU USE IN 100MS INCREMENTS
@WICKETT
WITH SERVERLESS SYSTEM ADMINISTRATION
IS (MOSTLY) LOWER
@WICKETT
SERVERLESS IS IMPLICIT
MICROSERVICES
@WICKETT
SHORT CIRCUITS OPS AND MOVES
INFRASTRUCTURE RUNTIME CLOSER TO
DEVS
@WICKETT
YOU CAN SKIP CHEFFING DOCKERING
ALL THE THINGS!
@WICKETT
LEAN STARTUP FRIENDLY
@WICKETT
INCREASED VELOCITY
@WICKETT
GREAT, WHAT’S THE CATCH?
@WICKETT
OPS BURDEN TO RATIONALIZE
SERVERLESS MODEL (SPECIFICALLY DEPLOY)
@WICKETT
MONITORING
@WICKETT
LOGGING
@WICKETT
STATELESS FOR REAL NO MEMORY PERSISTENCE
ACROSS FUNCTION RUNS
@WICKETT
VENDOR LOCK-IN
@WICKETT
SECURITY
@WICKETT
RELIABILITY
@WICKETT
@WICKETT
SERVERLESS USE CASES
@WICKETT
IMAGE RESIZING
@WICKETT
QUEUE PROCESSING
http://martinfowler.com/articles/serverless.html
@WICKETT
RUN A WEB APPLICATION
@WICKETT
API GATEWAY
http://martinfowler.com/articles/serverless.html
@WICKETT
CI/CD
@WICKETT
LICENSING
@WICKETT
SECURITY IS THE SAME AND DIFFERENT
@WICKETT
EVERYTHING IS HTTP(S)
@WICKETT
WHAT USED TO BE SYSTEM CALLS IS
NOW DISTRIBUTED COMPUTING OVER
THE NETWORK
@WICKETT
SERVERLESS SHIFTS ATTACK SURFACE TO
THIRD PARTIES
@WICKETT
LETS TRY A SAMPLE APPLICATION IN AWS
@WICKETT
๏ Golang!
๏ AWS Lambda supports bring your own binary
๏ Sparta wraps your binary with node.js shim
@WICKETT
@WICKETT
OTHER OPTIONS
๏ Serverless Framework
๏ APEX
๏ Kappa
@WICKETT
WORDY๏ Analyzes textual
occurrences given a block of text, returns JSON count of words
๏ Calls API under the hood to get text
๏ It is comprised of Lambda, s3, API Gateway
@WICKETT
@WICKETT
@WICKETT
@WICKETT
go run main.go provision -s S3_BUCKET
@WICKETT
@WICKETT
@WICKETT
@WICKETT
@WICKETT
@WICKETT
@WICKETT
@WICKETT
@WICKETT
@WICKETT
WHAT I LEARNED ABOUT SERVERLESS
SECURITY
@WICKETT
@WICKETT
FOUR AREAS OF SERVERLESS SECURITY
๏ Secure Software Supply Chain
๏ Delivery Pipeline
๏ Data Flow Security
๏ Attack Detection
@WICKETT
@WICKETT
SURFACE AREA REDUCTION!
@WICKETT
SURFACE AREA EXPANSION!
@WICKETT
SSL / TLS FROM THE PROVIDER
@WICKETT
DNS!
@WICKETT
LAMBDA + S3 + KINESIS + DYNAMODB + CLOUDFORMATION + API GATEWAY + AUTH0
@WICKETT
USE A THIRD-PARTY SERVICE FOR CONFIG
CHANGES
@WICKETT
ACCESS CONTROL
@WICKETT
DELIVERY PIPELINE SECURITY
@WICKETT
@WICKETT
UNIT TESTING
@WICKETT
@WICKETT
INTEGRATION TESTING
@WICKETT
CONFIGURATION IS PART OF DELIVERY
@WICKETT
PROVIDER SECURITY
๏ Disable root access keys
๏ Manage users with profiles
๏ Secure your keys in your deploy system
๏ Secure keys in dev system
๏ Use provider MFA
@WICKETT
SIMPLE DEPLOY PIPELINE SECURITY
๏ Only dev keys can push to ‘dev’
๏ Only build/deploy system can push to pre-prod
๏ Integration tests must pass in this env
๏ Security validation must take place
๏ Allow push to prod, only by deploy system
@WICKETT
SECURITY INTEGRATION TESTING
๏ BDD-Security - github.com/continuumsecurity/bdd-security
๏ Gauntlt - gauntlt.org
@WICKETT
http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
@WICKETT
DATA FLOW SECURITY
๏ Development
๏ Data Flow Diagrams
๏ Threat modeling
๏ Runtime
@WICKETT
Application layer DoS
@WICKETT
TIMEOUTS AND EXECUTION
RESTRICTIONS
@WICKETT
HTTP / HTTPS
@WICKETT
ATTACK DETECTION
@WICKETT
DEVELOPMENT
๏ Normal OWASP tooling
๏ Language filtering and more
@WICKETT
APPSEC PROBLEMS
@WICKETT
DEFENSE
๏ Logging, emitting events
๏ Vandium (SQLi) wrapper
๏ Content Security Policy (CSP)
๏ More work needs to be done here…
@WICKETT
CONCLUSION
๏ Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
๏ New serverless patterns are just emerging
๏ Security with serverless is easier
๏ Security with serverless is harder
@WICKETT
CONCLUSION (2)
๏ Four key areas apply to serverless security
๏ Software Supply Chain Security
๏ Delivery Pipeline Security
๏ Data Flow Security
๏ Attack Detection
@WICKETT
@WICKETT
LET’S TALK!
๏ @wickett
๏ http://info.signalsciences.com/book