Security in serverless world
2 likes1,455 views
The document discusses security challenges in serverless architectures, emphasizing the shared responsibility model and the importance of securing application dependencies, which can represent a significant attack surface. It highlights common vulnerabilities such as insecure direct object references and the need for developers to implement proper access controls and sanitization practices. Additionally, it advises on leveraging AWS services for data encryption and monitoring to mitigate risks associated with serverless functions.
Security in serverless world
- 1. Security in the Serverless World
- 2. Yan Cui http://theburningmonk.com @theburningmonk Principal Engineer @ Independent Consultant
- 4. We’re hiring! Visit engineering.dazn.com to learn more. follow @dazneng for updates about the engineering team
- 5. follow @dazneng for updates about the engineering team We’re hiring! Visit engineering.dazn.com to learn more. WE’RE HIRING!
- 6. AWS user since 2009
- 10. protection from OS attacks Amazon automatically apply latest patches to host VMs
- 13. still have to patch your code vulnerable code, 3rd party dependencies, etc.
- 16. https://snyk.io/blog/owasp-top-10-breaches Known Vulnerable Components cause 24% of the top 50 data breaches
- 23. sanitise inputs & outputs (standardise and encapsulate into shared lib)
- 25. http://bit.ly/2gSHtay Broken Access Control Insecure Direct Object Reference Information Leakage GraphQL Injection
- 28. app dependencies is a attack surface BIGGER than you think
- 34. security updates are often bundled with unrelated feature and API changes
- 35. your security is as strong as its weakest link
- 36. OS Application Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Networking runs on needs Source Code has maintains
- 37. OS Application Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Networking needs runs on this is where an attacker will target in a movie Source Code has maintains
- 40. OS Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Application A9 Networking runs on needs Source Code has maintains A1, A3, …
- 41. people are often the WEAKEST link in the security chain
- 43. OS Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Application phishing… Networking runs on needs Source Code has maintains
- 44. OS Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Application brute force, known account leaks, … Networking runs on needs Source Code has maintains
- 45. OS Dependencies physical infrastructure NPM Authors Container runs in runs in runs in has hosted by published by pushes to Developers develops uses Users guardsprotects Application brute force, known account leaks, … Networking runs on needs Source Code has maintains
- 46. http://bit.ly/2sFDwYX …obtained publish access to 14% of npm packages…
- 47. http://bit.ly/2sFDwYX debug, request, react, co, express, moment, gulp, mongoose, mysql, bower, browserify, electron, jasmine, cheerio, modernizr, redux, …
- 48. http://bit.ly/2sFDwYX total downloads/month of the unique packages which I got myself publish access to was 1 972 421 945, that’s 20% of the total number of d/m directly.
- 49. 20% of all monthly NPM downloads…
- 50. brute force known account leaks from other sources leaked NPM credentials (github, etc.)
- 52. http://bit.ly/2sFDwYX 662 users had password “123456” 172 — “123” 124 — “password”
- 55. WTF!?!?
- 60. oh god, that was too easy…
- 63. compromised package is a transient dependency sigh…
- 64. still “works”…
- 69. rm -rf /!!!
- 71. NPM default - get latest “compatible” version, ie. 1.X.X
- 72. clean install (eg. on CI server) will download the latest, compromised package without any code change… NPM default - get latest “compatible” version, ie. 1.X.X
- 74. use npm shrinkwrap or upgrade to NPM 5 or above
- 75. not specific to Node.js or NPM
- 76. the attackers are in…
- 77. the attackers are in… what now?
- 79. who can invoke the function?
- 80. what can the function access?
- 85. sensitive data
- 87. always public access is controlled via IAM
- 93. adds up to 10s to cold start!! http://bit.ly/2lNInES
- 94. compromised servers allow attacker to access all of your sensitive data!
- 106. AWS Lambda docs Write your Lambda function code in a stateless style, and ensure there is no affinity between your code and the underlying compute infrastructure. http://amzn.to/2jzLmkb
- 108. secure sensitive data both at rest and in-transit
- 115. Disposability is a virtue
- 116. AWS Lambda docs Delete old Lambda functions that you are no longer using. http://amzn.to/2jzLmkb
- 117. easier said than done…
- 118. identifying component ownership in a big IT organization is challenging
- 119. identifying ownership of individual functions is much harder
- 121. more likely to scale through DoS attacks
- 122. DoS + per exec billing = Denial of Wallet problem
- 123. have to choose between a DoS and a DoW problem…
- 125. AWS Shield Advanced also gives you access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your ELB, CloudFront or Route 53 charges.
- 126. async sync S3 SNS SES CloudFormation CloudWatch Logs CloudWatch Events Scheduled Events CodeCommit AWS Config http://amzn.to/2vs2lIg Cognito Alexa Lex API Gateway pulling DynamoDB Stream Kinesis Stream SQS Lambda handles retries (twice, then DLQ)
- 129. DoS attack Regex DoS attack long Lambda timeout 2+ Retries+ ?
- 131. Day 1
- 132. Day 2
- 134. no long-lived compromised servers
- 135. containers are reused, avoid sensitive data in /tmp
- 140. no accidentally exposed directories
- 145. monitor activities in unused regions using CloudWatch Events
- 147. set up billing alarms in unused regions
- 148. watertight compartments that can contain water in the case of hull breach or other leaks
- 149. Michael Nygard
- 153. Recap
- 154. app dependencies is a attack surface BIGGER than you think
- 156. sanitise inputs and outputs
- 158. here’s your per function policy NEXT!
- 159. S3 AWS IoT DynamoDB RDS EventStore Elasticsearch Couchbase Redshift Neo4j Google BigQuery encrypt data at rest
- 160. S3 AWS IoT DynamoDB RDS EventStore Elasticsearch Couchbase Redshift Neo4j Google BigQuery and in-transit
- 162. DoS DoW* * Denial of Wallet
- 166. no server* no OS attacks no long lived compromised servers * I know I know, there’s still a server somewhere, but it’s managed and secured by AWS engineers who can do a much better job of it than most of us can; and the servers are ephemeral and short-lived
- 167. don’t be an unwilling bit miner
- 168. don’t be an unwilling bit miner safeguard your credentials…
- 170. people are often the WEAKEST link in the security chain