Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Serverless Security

Niko Köbler
September 06, 2018
Technology
0
180

Serverless Security

Niko Köbler

September 06, 2018
Tweet

More Decks by Niko Köbler

See All by Niko Köbler
FIDO Passkeys - The Future without Passwords!
dasniko
0
12
OAuth2, OIDC & JWT - Important Basics!
dasniko
0
54
Authentication in Web, API-based & Distributed Environments
dasniko
0
66
Cloud Native Serverless Java with Quarkus & GraalVM on AWS Lambda
dasniko
0
110
Serverless! But Multi-Cloud?
dasniko
0
110
Containers vs. Serverless 2019
dasniko
1
120
How Do You Authenticate..?
dasniko
1
95
Containers vs. Serverless
dasniko
2
350
Serverless code-build-run pipelines
dasniko
0
50

Other Decks in Technology

See All in Technology
Vault Secrets Operator と Dynamic Secrets で安全にシークレットを使おう / Vault Secrets Operator and Dynamic Secrets
nnstt1
2
290
ABEMAのRenderScript Intrinsics Replacement Toolkit 導入事例
takahana
0
240
『AWSではじめるクラウドセキュリティ』の裏側を。
ryohatanmonolog
2
200
microCMSのエンジニア組織と文化
microcms
0
190
「XIAOGYAN」への想い
matsujirushi
0
150
AI in Action
charmichokshi
0
170
Oracle Database Technology Night #67 Oracle Database High Availability concept
oracle4engineer
PRO
0
510
株式会社オプティム_採用会社紹介資料 / optim-recruit
optim
0
9.5k
ジェネレーティブAI実践入門/20230524
yoshidashingo
5
2.6k
LLMの普及による機械学習の民主化とMLPdMの重要性 / democratization-of-ml-and-importance-of-mlpdm-by-llm
yuya4
2
1.9k
cgroup の歩き方 / TechFeed Experts Night #19
tenforward
0
230
20230525_経営者・マーケティング担当必見!ChatGPTがもたらすマーケティング革命(45min版)_v1.02_共有用・後半パート.pdf
doradora09
0
160

Featured

See All Featured
5 minutes of I Can Smell Your CMS
philhawksworth
198
18k
The Mythical Team-Month
searls
211
41k
It's Worth the Effort
3n
179
26k
YesSQL, Process and Tooling at Scale
rocio
158
13k
The Invisible Customer
myddelton
113
12k
Faster Mobile Websites
deanohume
296
29k
Designing Experiences People Love
moore
130
22k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
7
990
Code Reviewing Like a Champion
maltzj
508
38k
GraphQLとの向き合い方2022年版
quramy
23
11k
GraphQLの誤解/rethinking-graphql
sonatard
41
8.2k
WebSockets: Embracing the real-time Web
robhawkes
58
6.2k

Transcript

  1. SERVERLESS SECURITY
    SICHER OHNE SERVER !?
    NIKO KÖBLER (@DASNIKO)

    View Slide

  2. ABOUT ME
    ▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
    ▸ Doing stuff with & without computers, writing Software, ~ 20 yrs
    ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
    ▸ Speaker at international Tech Conferences
    ▸ Author of „Serverless Computing in AWS Cloud“

    serverlessbuch.de
    ▸ Twitter: @dasniko
    SERVERLESS SECURITY

    View Slide

  3. NO SERVER
    NO CRY!?
    EPIC SONGS OF WORLD HISTORY:

    View Slide

  4. CLOUD
    FOCUS ON
    CREATING BUSINESS VALUE
    NOT ON
    MANAGING INFRASTRUCTURE

    View Slide

  5. SERVERLESS
    FOCUS ON
    CREATING BUSINESS VALUE
    NOT ON
    MANAGING INFRASTRUCTURE

    View Slide

  6. THE GOOD NEWS FIRST:
    SERVERLESS DOESN’T
    CREATE NEW SECURITY
    FLAWS!

    View Slide

  7. OK, WE ARE DONE!
    ¯\_(ツ)_/¯
    (RIGHT?)

    View Slide

  8. SERVERLESS SECURITY
    PATCHING
    OPERATING SYSTEM

    View Slide

  9. PATCHING
    https://twitter.com/samnewman/status/952610105169793025

    View Slide

  10. YOUR FUNCTION RUNNING IN
    A JVM PACKED INTO DOCKER
    DEPLOYED TO KUBERNETES
    ON TOP OF DC/OS MANAGED
    BY MESOS INSTALLED ON
    V I R T U A L M A C H I N E S
    C O N T R O L L E D B Y A
    HYPERVISOR RUNNING ON
    BARE METAL.
    Photo by Michael Johansson (http://www.michaeljohansson.com)
    …and I’m sure, I forgot a few layers!

    View Slide

  11. PATCHING
    https://twitter.com/samnewman/status/952610105169793025
    https://twitter.com/ajaynairthinks/status/949107242703319040

    View Slide

  12. https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

    View Slide

  13. https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

    View Slide

  14. https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

    View Slide

  15. https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

    View Slide

  16. SERVERLESS SECURITY

    View Slide

  17. FAAS ON CONTAINERS…
    ▸OpenFaaS
    ▸Fn Project
    ▸OpenWhisk
    ▸Knative
    SERVERLESS SECURITY
    ▸Fission
    ▸Kubeless
    ▸…and probably many,
    many more!

    View Slide

  18. OPERATIONAL OVERHEAD, E.G. FN PROJECT
    from: https://github.com/fnproject/fn/blob/master/docs/operating/production.md
    SERVERLESS SECURITY

    View Slide

  19. CONTAINERS OFFER GREAT POWER, BUT
    THEY ALSO DEMAND OPERATIONAL
    RESPONSIBILITY!
    Daniel Bryant
    SERVERLESS SECURITY

    View Slide

  20. SERVERLESS SECURITY
    SERVERLESS

    IS A STEP IN THE

    RIGHT DIRECTION OF PATCHING
    AND MANAGING UNDERLYING
    INFRASTRUCTURE

    View Slide

  21. SERVERLESS SECURITY
    APPLICATION
    CODE

    View Slide

  22. APPLICATION SECURITY
    ▸Write GOOD Code
    ▸ and DELETE old and unused code and functions!
    ▸Do Quality Assurance, Reviews, Static Analysis, etc.
    ▸Avoid side-effects (aka: write pure functions)
    ▸ Don’t make a function as broad as possible,

    make it do exactly 1 thing!
    ▸ But: more functions - more problems!
    SERVERLESS SECURITY

    View Slide

  23. APPLICATION SECURITY
    ▸OWASP Top10 is more important than ever!
    ▸ SQL Injection
    ▸ Cross Site Scripting
    ▸ Remote Command Execution
    ▸ Cross Site Request Forgery
    ▸ Bad auth logic
    ▸ etc.
    SERVERLESS SECURITY

    View Slide

  24. APPLICATION SECURITY
    ▸Writing less code doesn’t produce less errors!
    ▸ For majority of functions, „code“ is dependencies!
    ▸ 3rd party code can hold vulnerabilities just like 1st party code
    ▸ Most of the people who write libraries/packages aren’t very
    good at security!
    SERVERLESS SECURITY

    View Slide

  25. EXAMPLE: LINES OF CODE AND DEPENDENCIES
    SERVERLESS SECURITY
    19 Lines of Code
    2 direct dependencies
    19 dependencies

    (incl. indirect)
    191.155 Lines of Code
    Source: https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3

    View Slide

  26. BEWARE OF THIRD-PARTY PACKAGES
    ▸a.k.a. „Dependency Vulnerabilities“
    ▸Unclear transitive dependencies
    ▸More code = more vulnerabilities
    ▸On time, dependencies grow stale & vulnerable
    ▸It’s easy to scan GitHub for serverless projects with
    compromised/affected dependencies and run attacks against
    them
    SERVERLESS SECURITY

    View Slide

  27. THREAT MODELING
    ▸Do proper Threat Modeling

    Data Input, Parsing, Validation, Patterns, Flows,
    Transformations, etc.
    ▸„Legacy“ (Traditional) Security Solutions won’t fit for
    serverless applications, as they are deployed to the
    infrastructure (which you no longer control)
    SERVERLESS SECURITY

    View Slide

  28. PRINCIPLE OF LEAST PRIVILEGE (AUTHORITY)
    ▸Every module must be able to access only the
    information and resources that are necessary for its
    legitimate purpose. (https://en.wikipedia.org/wiki/Principle_of_least_privilege)
    ▸IAM Roles/Policies:
    ▸ Make sure you only assign permissions that your
    functions really MUST have!
    ▸ Who is allowed to invoke / access a function?
    SERVERLESS SECURITY

    View Slide

  29. PRINCIPLE OF LEAST PRIVILEGE (AUTHORITY)
    ▸Secure every function independently!
    ▸No things like:

    Action:

    - sns:*

    Resource: *
    SERVERLESS SECURITY

    View Slide

  30. PRINCIPLE OF LEAST PRIVILEGE (AUTHORITY)
    SERVERLESS SECURITY
    From: Serverless Security: What’s Left To Protect - Guy Podjarny (snyk.io): https://www.youtube.com/watch?v=CiyUD_rI8D8

    View Slide

  31. SERVERLESS SECURITY
    FUNCTIONS & PERMISSIONS:
    THEY ARE EASY TO ADD
    BUT HARD TO REMOVE!

    View Slide

  32. LOGGING & MONITORING
    ▸You’ll need logs, b/c your system is more distributed than ever
    ▸ Logins (successful/failed)
    ▸ Account modifications
    ▸ Database interactions
    ▸ Financial transactions
    ▸Write GOOD (meaningful) logs and DO something with the
    information (it’s not just „data“)
    ▸Capture USEFUL error messages, not just

    500: an unexpected extraordinary error occured
    SERVERLESS SECURITY

    View Slide

  33. IDENTITY & ACCESS CONTROL (AUTH-N & AUTH-Z)
    ▸Access should be a Privilege, not a Right!
    ▸Learn OAuth 2, OIDC, JWT and Bearer Tokens
    ▸Secure EVERY endpoint

    (yes, that’s expensive, there’s nothing like a „session“)
    ▸Don’t build your own AuthN/AuthZ Solution!!!
    ▸Use API-Keys, but don’t rely on them
    ▸Use Access Control Lists (ACLs)
    SERVERLESS SECURITY

    View Slide

  34. IDENTITY & ACCESS CONTROL (AUTH-N & AUTH-Z)
    ▸Every developer should have separate keys
    ▸Have separate keys for separate projects/products/
    components
    ▸Rotate keys on a regular basis
    ▸Follow the Principle of Least Privilege
    ▸Separate development and production environments
    ▸Store sensitive information in a vault
    SERVERLESS SECURITY

    View Slide

  35. SERVERLESS SECURITY
    DATA
    PROTECTION

    View Slide

  36. FIRST RULE OF THUMB
    WHEN GOING INTO (PUBLIC) CLOUD
    Werner Vogels, CTO Amazon, re:Invent 2017

    https://www.youtube.com/watch?v=nFKVzEAm-ts

    View Slide

  37. SERVERLESS SECURITY
    YOU HAVE A RESPONSIBILITY
    TO KEEP YOUR USER’S DATA
    SAFE AND SECURE!

    (THINK OF GDPR)

    View Slide

  38. SERVERLESS SECURITY
    FAAS FORCES
    STATELESSNESS

    INCLUDING BAD STATE!

    View Slide

  39. SERVERLESS SECURITY
    FAAS MEANS MORE
    DATA OUTSIDE THE
    SERVERS!STATE MUST BE PERSISTED ELSEWHERE!

    View Slide

  40. DATA PROTECTION & ENCRYPTION IN TRANSIT
    ▸Communication between Systems & Networks
    ▸Traffic between User/Browser and API-Gateway
    ▸Alerts
    ▸Events
    SERVERLESS SECURITY

    View Slide

  41. DATA PROTECTION & ENCRYPTION AT REST
    ▸RDBMS
    ▸DynamoDB / NoSQL
    ▸Usernames & Passwords
    ▸Keys & Secrets
    ▸Logs
    SERVERLESS SECURITY

    View Slide

  42. SERVERLESS SECURITY
    CLOUD PROVIDERS MAKE IT
    EASY TO USE ENCRYPTION
    USE PROVIDED KEYS OR
    CREATE/UPLOAD YOUR OWN

    View Slide

  43. SERVERLESS SECURITY
    NET

    WORK

    View Slide

  44. DISTRIBUTED DENIAL OF SERVICE ATTACKS
    ▸Serverless services scale automatically and indefinitely.

    Does your credit card do so?
    ▸Rate limit your…
    ▸ API
    ▸ Datasource calls
    ▸ …
    ▸AWS does some basic auto-protection already for you!
    SERVERLESS SECURITY

    View Slide

  45. VIRTUAL PRIVATE CLOUD (VPC)
    ▸Serverless Lambda functions run in a default VPC with
    Internet-Access, but no other VPC Access
    ▸To connect to resources in own VPCs, Lambda must get access
    to this VPC!
    ▸VPC requires Elastic Network Interfaces (ENIs)
    ▸ENIs add some seconds(!!) to your cold starts!
    ▸Does this VPC has an Internet Gateway to access other APIs?
    SERVERLESS SECURITY

    View Slide

  46. AWS WELL-ARCHITECTED SECURITY BEST PRACTICES
    ▸Implement a strong identity foundation
    ▸Enable traceability
    ▸Apply security at all layers
    ▸Automate security best practices
    ▸Protect data in transit and rest
    ▸Prepare for security events
    SERVERLESS SECURITY

    View Slide

  47. SERVERLESS WEB APPLICATION SECURITY
    SERVERLESS SECURITY

    View Slide

  48. SERVERLESS WEB APPLICATION SECURITY
    SERVERLESS SECURITY

    View Slide

  49. SERVERLESS WEB APPLICATION MONITORING
    SERVERLESS SECURITY

    View Slide

  50. SERVERLESS WEB APPLICATION MONITORING
    SERVERLESS SECURITY

    View Slide

  51. AWS RESOURCES
    ▸ AWS Whitepapers

    https://aws.amazon.com/whitepapers/
    ▸ AWS Well-Architected

    https://aws.amazon.com/architecture/well-architected/
    ▸ AWS Well-Architected Framework (June 2018)

    https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf
    ▸ AWS Security Pillar (July 2018)

    https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
    ▸ AWS Security Best Practices (August 2016)

    https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
    ▸ Get Startet with Well-Architected Security Best Practices (On-Demand Course, July 2018)

    https://pages.awscloud.com/Get-Started-with-Well-Architected-Security-Best-Practices_0714-SID_OD.html
    SERVERLESS SECURITY

    View Slide

  52. BETTER SAFE

    THAN SORRY!

    View Slide

  53. NO OPS COST !=

    NO COST OF OWNERSHIP

    View Slide

  54. SECURITY IS
    EVERYONE’S JOB

    View Slide

  55. THANK YOU.
    ANY QUESTIONS?
    Slides: http://bit.ly/sls-security
    Niko Köbler | www.n-k.de | [email protected] | @dasniko
    SERVERLESS SECURITY

    View Slide