Serverless Security: Doing Security in 100 milliseconds
9 likes3,860 views
The document discusses serverless security, emphasizing the advantages and challenges of serverless architectures. It outlines four key areas of focus for serverless security: software supply chain security, delivery pipeline security, data flow security, and attack detection. The content also highlights the evolving nature of serverless technology and its implications for security management.
Serverless Security: Doing Security in 100 milliseconds
- 1. @WICKETT DOING SECURITY IN 100 MILLISECONDS SERVERLESS SECURITY
- 2. @WICKETT JAMES WICKETT ๏ Head of Research at Signal Sciences ๏ Author at Lynda/LinkedIn Training for DevOps Fundamentals course releasing in November ๏ Blogger at theagileadmin.com and labs.signalsciences.com
- 4. @WICKETT ๏ Web App Firewall for modern workloads ๏ Cloud-native and devops friendly ๏ Answer the questions: Am I being attacked right now? Are attackers becoming successful? ๏ We are hiring (Golang, appsec, devops) @WICKETT
- 5. @WICKETT
- 6. @WICKETT
- 7. @WICKETT CONCLUSION ๏ Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation. ๏ New serverless patterns are just emerging ๏ Security with serverless is easier ๏ Security with serverless is harder
- 8. @WICKETT CONCLUSION (2) ๏ Four key areas apply to serverless security ๏ Software Supply Chain Security ๏ Delivery Pipeline Security ๏ Data Flow Security ๏ Attack Detection
- 14. @WICKETT SERVERLESS == BACKEND AS A SERVICE
- 15. @WICKETT SERVERLESS == PLATFORM AS A SERVICE
- 16. @WICKETT
- 20. @WICKETT Serverless was first used to describe applications that significantly or fully depend on 3rd party applications / services (‘in the cloud’) to manage server-side logic and state. http://martinfowler.com/articles/serverless.html
- 21. @WICKETT Serverless can also mean applications where some amount of server-side logic is still written by the application developer but unlike traditional architectures is run in stateless compute containers that are event- triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party. http://martinfowler.com/articles/serverless.html
- 22. @WICKETT HISTORY OF SERVERLESS ๏ 2012 - used to describe BaaS and Continuous Integration services run by third parties ๏ Late 2014 - AWS launched Lambda ๏ July 2015 - AWS launched API Gateway ๏ October 2015 - AWS re:Invent - The Serverless company using AWS Lambda ๏ 2015 to present - Frameworks forming ๏ 2016 - Serverless Conference http://www.slideshare.net/AmazonWebServices/arc308- the-serverless-company-using-aws-lambda
- 24. @WICKETT Client Auth Service API Gateway Database Service Function A Function B Web Delivery
- 25. @WICKETT
- 26. @WICKETT WHAT CAN WE SAY IS SERVERLESS?
- 27. @WICKETT SERVERLESS IS FUNCTIONS AS A SERVICE (FaaS)
- 30. @WICKETT SERVERLESS IS (NO MANAGEMENT OF) SERVERS
- 32. @WICKETT SERVERLESS IS AN OPINIONATED FRAMEWORK FOR COMPUTE
- 33. @WICKETT Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
- 34. @WICKETT A SHORT HISTORY OF CLOUD
- 37. @WICKETT DEVOPS
- 42. @WICKETT
- 43. @WICKETT LOTS OF EFFORT IN CONTAINER ORCHESTRATION
- 44. @WICKETT THE CLOUD WAS TO VIRTUALIZATION AS SERVERLESS WILL BE TO CONTAINERS
- 45. @WICKETT IF YOU WANT TO LEAD YOUR COMPANY BRAVELY INTO THE NEW WORLD, YOU WOULD DO WELL TO FOCUS LOT ON HOW SERVERLESS WILL EVOLVE. - @CLOUDOPINION https://medium.com/@cloud_opinion/the-pattern-may- repeat-26de1e8b489d
- 46. @WICKETT Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
- 47. @WICKETT SO, WHAT ARE THE UPSIDES?
- 49. @WICKETT PAY FOR WHAT YOU USE IN 100MS INCREMENTS
- 50. @WICKETT WITH SERVERLESS SYSTEM ADMINISTRATION IS (MOSTLY) LOWER
- 52. @WICKETT SHORT CIRCUITS OPS AND MOVES INFRASTRUCTURE RUNTIME CLOSER TO DEVS
- 53. @WICKETT YOU CAN SKIP CHEFFING DOCKERING ALL THE THINGS!
- 57. @WICKETT OPS BURDEN TO RATIONALIZE SERVERLESS MODEL (SPECIFICALLY DEPLOY)
- 59. @WICKETT LOGGING
- 60. @WICKETT STATELESS FOR REAL NO MEMORY PERSISTENCE ACROSS FUNCTION RUNS
- 64. @WICKETT
- 70. @WICKETT CI/CD
- 72. @WICKETT SECURITY IS THE SAME AND DIFFERENT
- 74. @WICKETT WHAT USED TO BE SYSTEM CALLS IS NOW DISTRIBUTED COMPUTING OVER THE NETWORK
- 75. @WICKETT SERVERLESS SHIFTS ATTACK SURFACE TO THIRD PARTIES
- 76. @WICKETT LETS TRY A SAMPLE APPLICATION IN AWS
- 77. @WICKETT ๏ Golang! ๏ AWS Lambda supports bring your own binary ๏ Sparta wraps your binary with node.js shim
- 78. @WICKETT
- 79. @WICKETT OTHER OPTIONS ๏ Serverless Framework ๏ APEX ๏ Kappa
- 80. @WICKETT WORDY ๏ Analyzes textual occurrences given a block of text, returns JSON count of words ๏ Calls API under the hood to get text ๏ It is comprised of Lambda, s3, API Gateway
- 81. @WICKETT
- 82. @WICKETT
- 83. @WICKETT
- 84. @WICKETT go run main.go provision -s S3_BUCKET
- 85. @WICKETT
- 86. @WICKETT
- 87. @WICKETT
- 88. @WICKETT
- 89. @WICKETT
- 90. @WICKETT
- 91. @WICKETT
- 92. @WICKETT
- 93. @WICKETT
- 94. @WICKETT WHAT I LEARNED ABOUT SERVERLESS SECURITY
- 95. @WICKETT
- 96. @WICKETT FOUR AREAS OF SERVERLESS SECURITY ๏ Secure Software Supply Chain ๏ Delivery Pipeline ๏ Data Flow Security ๏ Attack Detection
- 97. @WICKETT
- 100. @WICKETT SSL / TLS FROM THE PROVIDER
- 101. @WICKETT DNS!
- 102. @WICKETT LAMBDA + S3 + KINESIS + DYNAMODB + CLOUDFORMATION + API GATEWAY + AUTH0
- 103. @WICKETT USE A THIRD-PARTY SERVICE FOR CONFIG CHANGES
- 106. @WICKETT
- 108. @WICKETT
- 110. @WICKETT CONFIGURATION IS PART OF DELIVERY
- 111. @WICKETT PROVIDER SECURITY ๏ Disable root access keys ๏ Manage users with profiles ๏ Secure your keys in your deploy system ๏ Secure keys in dev system ๏ Use provider MFA
- 112. @WICKETT SIMPLE DEPLOY PIPELINE SECURITY ๏ Only dev keys can push to ‘dev’ ๏ Only build/deploy system can push to pre- prod ๏ Integration tests must pass in this env ๏ Security validation must take place ๏ Allow push to prod, only by deploy system
- 113. @WICKETT SECURITY INTEGRATION TESTING ๏ BDD-Security - github.com/ continuumsecurity/bdd-security ๏ Gauntlt - gauntlt.org
- 115. @WICKETT DATA FLOW SECURITY ๏ Development ๏ Data Flow Diagrams ๏ Threat modeling ๏ Runtime
- 120. @WICKETT DEVELOPMENT ๏ Normal OWASP tooling ๏ Language filtering and more
- 122. @WICKETT DEFENSE ๏ Logging, emitting events ๏ Vandium (SQLi) wrapper ๏ Content Security Policy (CSP) ๏ More work needs to be done here…
- 123. @WICKETT CONCLUSION ๏ Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation. ๏ New serverless patterns are just emerging ๏ Security with serverless is easier ๏ Security with serverless is harder
- 124. @WICKETT CONCLUSION (2) ๏ Four key areas apply to serverless security ๏ Software Supply Chain Security ๏ Delivery Pipeline Security ๏ Data Flow Security ๏ Attack Detection
- 125. @WICKETT
- 126. @WICKETT LET’S TALK! ๏ james@signalsciences.com ๏ @wickett ๏ http://info.signalsciences.com/book