
Serverless Security

Niko Köbler
September 06, 2018


Transcript

  1. SERVERLESS SECURITY: SECURE WITHOUT SERVERS!? NIKO KÖBLER (@DASNIKO)

  2. ABOUT ME
     ▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
     ▸ Doing stuff with & without computers, writing software, ~20 yrs
     ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
     ▸ Speaker at international tech conferences
     ▸ Author of „Serverless Computing in AWS Cloud“ (serverlessbuch.de)
     ▸ Twitter: @dasniko
  3. NO SERVER NO CRY!? EPIC SONGS OF WORLD HISTORY:

  4. CLOUD FOCUS ON CREATING BUSINESS VALUE NOT ON MANAGING INFRASTRUCTURE

  5. SERVERLESS FOCUS ON CREATING BUSINESS VALUE NOT ON MANAGING INFRASTRUCTURE

  6. THE GOOD NEWS FIRST: SERVERLESS DOESN’T CREATE NEW SECURITY FLAWS!

  7. OK, WE ARE DONE! ¯\_(ツ)_/¯ (RIGHT?)

  8. SERVERLESS SECURITY PATCHING OPERATING SYSTEM

  9. PATCHING https://twitter.com/samnewman/status/952610105169793025

  10. YOUR FUNCTION RUNNING IN A JVM PACKED INTO DOCKER DEPLOYED TO KUBERNETES ON TOP OF DC/OS MANAGED BY MESOS INSTALLED ON VIRTUAL MACHINES CONTROLLED BY A HYPERVISOR RUNNING ON BARE METAL. …and I’m sure I forgot a few layers! (Photo by Michael Johansson, http://www.michaeljohansson.com)
  11. PATCHING https://twitter.com/samnewman/status/952610105169793025 https://twitter.com/ajaynairthinks/status/949107242703319040

  12. https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

  13. https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

  14. https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

  15. https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

  16. SERVERLESS SECURITY

  17. FAAS ON CONTAINERS…
     ▸ OpenFaaS
     ▸ Fn Project
     ▸ OpenWhisk
     ▸ Knative
     ▸ Fission
     ▸ Kubeless
     ▸ …and probably many, many more!
  18. OPERATIONAL OVERHEAD, E.G. FN PROJECT (from: https://github.com/fnproject/fn/blob/master/docs/operating/production.md)

  19. CONTAINERS OFFER GREAT POWER, BUT THEY ALSO DEMAND OPERATIONAL RESPONSIBILITY! (Daniel Bryant)
  20. SERVERLESS IS A STEP IN THE RIGHT DIRECTION OF PATCHING AND MANAGING UNDERLYING INFRASTRUCTURE
  21. SERVERLESS SECURITY APPLICATION CODE

  22. APPLICATION SECURITY
     ▸ Write GOOD Code
     ▸ …and DELETE old and unused code and functions!
     ▸ Do Quality Assurance, Reviews, Static Analysis, etc.
     ▸ Avoid side effects (aka: write pure functions)
     ▸ Don’t make a function as broad as possible, make it do exactly 1 thing!
     ▸ But: more functions, more problems!
  23. APPLICATION SECURITY
     ▸ OWASP Top 10 is more important than ever!
       ▸ SQL Injection
       ▸ Cross Site Scripting
       ▸ Remote Command Execution
       ▸ Cross Site Request Forgery
       ▸ Bad auth logic
       ▸ etc.
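The first item on that list, shown as an added example (not code from the deck): the same lookup written once with string formatting and once with a bound parameter, wrapped in a Lambda-style handler. The in-memory SQLite table, the handler's event shape and the `name` query parameter are constructed for the example; the point is that the parameterised version cannot have its statement structure changed by the input, whatever the function's runtime or database.

```python
import json
import sqlite3


# Constructed in-memory table standing in for the function's real data store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, name):
    # The caller's input is pasted into the statement text, so the input can
    # change the structure of the query, not just the value being compared.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Bound parameter: the driver passes the value separately from the statement,
    # so whatever the input contains, it is only ever compared against `name`.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def handler(event, context=None):
    # Lambda-style handler (hypothetical shape) wired to the safe lookup.
    params = event.get("queryStringParameters") or {}
    rows = lookup_safe(make_db(), params.get("name", ""))
    return {"statusCode": 200 if rows else 404, "body": json.dumps(rows)}


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))   # returns every row
    print("safe:      ", lookup_safe(db, probe))         # returns nothing
```

Static analysis (slide 22) catches the first form reliably because it is a fixed pattern: a query string built with `%`, `+` or an f-string from request data.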
  24. APPLICATION SECURITY
     ▸ Writing less code doesn’t produce fewer errors!
     ▸ For the majority of functions, „code“ is dependencies!
       ▸ 3rd-party code can hold vulnerabilities just like 1st-party code
       ▸ Most of the people who write libraries/packages aren’t very good at security!
  25. EXAMPLE: LINES OF CODE AND DEPENDENCIES
     19 lines of code, 2 direct dependencies, 19 dependencies (incl. indirect), 191,155 lines of code (Source: https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3)
  26. BEWARE OF THIRD-PARTY PACKAGES
     ▸ a.k.a. „Dependency Vulnerabilities“
     ▸ Unclear transitive dependencies
     ▸ More code = more vulnerabilities
     ▸ Over time, dependencies grow stale & vulnerable
     ▸ It’s easy to scan GitHub for serverless projects with compromised/affected dependencies and run attacks against them
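Slides 25 and 26 make the point that the code you ship is mostly code you did not write, pulled in through dependencies you never declared. The following added example (not from the deck, and not the real lockfile of the example project on slide 25) walks a constructed, simplified `package-lock.json`-style structure with placeholder package names, counts direct versus indirect dependencies, and matches the resolved versions against a constructed advisory list, reporting the chain that pulled each affected package in. That chain is what you need when deciding which direct dependency to bump.

```python
import json

# Constructed, simplified lockfile in the shape of an npm package-lock.json (v1),
# with placeholder package names. It is NOT the example project's real lockfile;
# it only reproduces the pattern: few direct deps, more indirect ones.
LOCKFILE = json.loads("""
{
  "name": "fetch-file-and-store",
  "dependencies": {
    "libfetch":      {"version": "2.1.1",   "requires": {"libencoding": "^0.1.0"}},
    "libencoding":   {"version": "0.1.12",  "requires": {"libiconv-shim": "~0.4.13"}},
    "libiconv-shim": {"version": "0.4.19",  "requires": {"libbuffer": ">= 2.1.2 < 3"}},
    "libbuffer":     {"version": "2.1.2"},
    "cloud-sdk":     {"version": "2.200.0", "requires": {"libxml": "0.4.17"}},
    "libxml":        {"version": "0.4.17"}
  }
}
""")

# The two packages the function's package.json actually declares (constructed).
DIRECT = {"libfetch", "cloud-sdk"}

# Constructed advisory feed: package -> set of affected versions. Placeholder data,
# standing in for what a dependency scanner pulls from a real vulnerability database.
ADVISORIES = {"libiconv-shim": {"0.4.19"}, "libxml": {"0.4.17"}}


def walk(lock, direct):
    """Breadth-first walk of the 'requires' graph, starting at the direct dependencies.
    Returns {package: (version, depth, path)} where depth 1 means a direct dependency."""
    deps = lock["dependencies"]
    seen = {}
    queue = [(name, 1, (name,)) for name in sorted(direct)]
    while queue:
        name, depth, path = queue.pop(0)
        if name in seen or name not in deps:
            continue
        seen[name] = (deps[name]["version"], depth, path)
        for child in sorted(deps[name].get("requires", {})):
            queue.append((child, depth + 1, path + (child,)))
    return seen


def affected(lock, direct, advisories):
    """Every reachable package whose resolved version is listed in the advisories,
    together with the dependency chain that pulled it in."""
    out = []
    for name, (version, depth, path) in walk(lock, direct).items():
        if version in advisories.get(name, ()):
            out.append({"package": name, "version": version,
                        "depth": depth, "path": " > ".join(path)})
    return sorted(out, key=lambda r: r["package"])


if __name__ == "__main__":
    tree = walk(LOCKFILE, DIRECT)
    print(f"{len(DIRECT)} direct, {len(tree) - len(DIRECT)} indirect dependencies")
    for row in affected(LOCKFILE, DIRECT, ADVISORIES):
        print(f"{row['package']}@{row['version']} (depth {row['depth']}) via {row['path']}")
```

Run against a real lockfile, the same walk is what `npm audit`, Snyk and similar tools do at much larger scale; the takeaway from the slide is that the lockfile, not `package.json`, is the inventory you have to scan, and that it has to be rescanned on a schedule, because the advisories change while your lockfile does not.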
  27. THREAT MODELING
     ▸ Do proper Threat Modeling: data input, parsing, validation, patterns, flows, transformations, etc.
     ▸ „Legacy“ (traditional) security solutions won’t fit for serverless applications, as they are deployed to the infrastructure (which you no longer control)
  28. PRINCIPLE OF LEAST PRIVILEGE (AUTHORITY)
     ▸ Every module must be able to access only the information and resources that are necessary for its legitimate purpose. (https://en.wikipedia.org/wiki/Principle_of_least_privilege)
     ▸ IAM Roles/Policies:
       ▸ Make sure you only assign permissions that your functions really MUST have!
       ▸ Who is allowed to invoke / access a function?
  29. PRINCIPLE OF LEAST PRIVILEGE (AUTHORITY)
     ▸ Secure every function independently!
     ▸ No things like:
         Action:
           - sns:*
         Resource: *
  30. PRINCIPLE OF LEAST PRIVILEGE (AUTHORITY) (From: Serverless Security: What’s Left To Protect, Guy Podjarny (snyk.io): https://www.youtube.com/watch?v=CiyUD_rI8D8)
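For slides 28 to 30, an added example that is not part of the deck: the `sns:*` / `Resource: *` statement from slide 29 written as an IAM policy document (the slide's YAML is the Serverless Framework form of the same statement), the scoped version a function that only publishes to one topic actually needs, and a small linter that flags wildcard Allow statements before they are deployed. The account id and topic ARN are placeholders; the `star_resource_ok` allowlist is for actions that genuinely have no resource-level granularity (X-Ray's `PutTraceSegments` is one such action), so the check does not cry wolf on them.

```python
import json

# An overly broad statement of the kind slide 29 warns against (constructed).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sns:*"], "Resource": "*"}
    ],
}

# The same intent, cut down to the one action and the one topic the function needs.
# The account id and topic name are placeholders.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sns:Publish"],
         "Resource": "arn:aws:sns:eu-central-1:123456789012:order-events"}
    ],
}


def _as_list(value):
    # IAM accepts a bare string wherever a list of strings is allowed.
    return value if isinstance(value, list) else [value]


def lint_policy(policy, star_resource_ok=frozenset()):
    """Return findings for Allow statements that use wildcards.
    `star_resource_ok` names actions that have no resource-level granularity
    and therefore legitimately need Resource "*"."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # a wildcard in a Deny statement only takes permissions away
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" and not set(actions) <= star_resource_ok:
                findings.append(f"statement {i}: Resource '*' for actions {actions}")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything except the listed items")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

Wire a check like this into the pipeline that deploys the function (one role per function, as slide 29 asks) and a broad statement fails the build instead of becoming one of the permissions that, per slide 31, are easy to add but hard to remove.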
  31. FUNCTIONS & PERMISSIONS: THEY ARE EASY TO ADD BUT HARD TO REMOVE!
  32. LOGGING & MONITORING
     ▸ You’ll need logs, b/c your system is more distributed than ever
       ▸ Logins (successful/failed)
       ▸ Account modifications
       ▸ Database interactions
       ▸ Financial transactions
     ▸ Write GOOD (meaningful) logs and DO something with the information (it’s not just „data“)
     ▸ Capture USEFUL error messages, not just „500: an unexpected extraordinary error occurred“
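An added example for this slide (not code from the deck): a structured log line per security-relevant event, an error response that tells the client what failed and gives it a request id to quote while the internal detail goes to the log under the same id, and the "do something with it" part, a detector that finds users with a burst of failed logins in a sliding window over constructed sample log lines. Event names, field names and the sample data are all assumptions for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone


def security_event(kind, request_id, **fields):
    """One structured (JSON) log line for a security-relevant event, so that a log
    query can filter on fields instead of grepping free text."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": kind, "request_id": request_id}
    record.update(fields)
    return json.dumps(record, sort_keys=True)


def error_response(request_id, public_message, internal_detail):
    """The client gets a message that says what failed plus an id to quote to support;
    the internal detail is logged under the same id instead of being sent to the client."""
    print(security_event("error", request_id, status=500, detail=internal_detail))
    return {"statusCode": 500,
            "body": json.dumps({"error": public_message, "request_id": request_id})}


# Constructed sample log lines in the format security_event() produces, as a log
# aggregation query would see them after the fact.
SAMPLE_LOG = [
    '{"event": "login", "request_id": "r1", "success": true, "ts": "2018-09-06T10:00:00+00:00", "user": "bob"}',
    '{"event": "login", "request_id": "r2", "success": false, "ts": "2018-09-06T10:00:05+00:00", "user": "alice"}',
    '{"event": "login", "request_id": "r3", "success": false, "ts": "2018-09-06T10:00:20+00:00", "user": "alice"}',
    '{"event": "login", "request_id": "r4", "success": false, "ts": "2018-09-06T10:00:40+00:00", "user": "alice"}',
    '{"event": "account_modified", "field": "email", "request_id": "r5", "ts": "2018-09-06T10:00:50+00:00", "user": "bob"}',
    '{"event": "login", "request_id": "r6", "success": false, "ts": "2018-09-06T10:01:00+00:00", "user": "carol"}',
    '{"event": "login", "request_id": "r7", "success": false, "ts": "2018-09-06T10:05:00+00:00", "user": "alice"}',
]


def failed_login_bursts(lines, threshold=3, window_seconds=60):
    """Users with at least `threshold` failed logins inside any `window_seconds` window.
    Returns {user: most failures seen in one window}."""
    by_user = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") == "login" and rec.get("success") is False:
            by_user[rec["user"]].append(datetime.fromisoformat(rec["ts"]))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            # advance j to the first timestamp outside the window starting at times[i]
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG))       # {'alice': 3}
    print(error_response("req-42", "Could not store the uploaded file", "S3 PutObject: AccessDenied"))
```

The same query expressed in the log service's own language (a metric filter with an alarm, in the AWS case) is what turns these lines from data into a signal someone acts on.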
  33. IDENTITY & ACCESS CONTROL (AUTH-N & AUTH-Z)
     ▸ Access should be a privilege, not a right!
     ▸ Learn OAuth 2, OIDC, JWT and Bearer Tokens
     ▸ Secure EVERY endpoint (yes, that’s expensive, there’s nothing like a „session“)
     ▸ Don’t build your own AuthN/AuthZ solution!!!
     ▸ Use API keys, but don’t rely on them
     ▸ Use Access Control Lists (ACLs)
  34. IDENTITY & ACCESS CONTROL (AUTH-N & AUTH-Z)
     ▸ Every developer should have separate keys
     ▸ Have separate keys for separate projects/products/components
     ▸ Rotate keys on a regular basis
     ▸ Follow the Principle of Least Privilege
     ▸ Separate development and production environments
     ▸ Store sensitive information in a vault
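Slides 33 and 34 together: every endpoint validates the bearer token on every invocation, and keys are rotated. The added example below (not code from the deck) shows what that validation has to check, using an HS256 JWT verified with the standard library so it runs without dependencies: the `Authorization` header shape, the key id (`kid`) looked up in a keyring so an old key can be retired, the algorithm pinned so a token cannot choose `none`, a constant-time signature compare, expiry and audience. The keyring values, the `orders-api` audience, the claims and the handler's event shape are constructed for the example; a real deployment keeps the keys in a vault and, per slide 33, uses the provider's authorizer or an established library rather than hand-rolled code.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed keyring: one HMAC key per key id ("kid"). Rotation = add the new kid,
# issue with it, drop the old kid once its tokens have expired. Placeholder values;
# real keys come from a vault, never from source code.
KEYRING = {"2018-08": b"old-key-placeholder", "2018-09": b"new-key-placeholder"}
CURRENT_KID = "2018-09"
AUDIENCE = "orders-api"   # assumed audience claim this API expects


def issue_token(claims, kid=CURRENT_KID, keyring=KEYRING):
    """Sign an HS256 JWT. Included only to construct sample input for verify_bearer()."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(keyring[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_bearer(auth_header, now=None, keyring=KEYRING, audience=AUDIENCE):
    """Validate an 'Authorization: Bearer <jwt>' header and return its claims, or None.
    Rejects: missing/malformed header, unknown kid, any alg other than HS256 (so also
    'none'), bad signature, missing or passed exp, wrong audience."""
    now = time.time() if now is None else now
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:   # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    kid = header.get("kid")
    # Pin the algorithm to what we issue; never let the token pick it.
    if header.get("alg") != "HS256" or not isinstance(kid, str) or kid not in keyring:
        return None
    expected = hmac.new(keyring[kid], f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        return None
    if claims.get("aud") != audience:
        return None
    return claims


def handler(event, context=None, now=None):
    """Lambda-style handler (hypothetical shape). Every invocation re-validates the token;
    there is no session to fall back on."""
    headers = event.get("headers") or {}
    claims = verify_bearer(headers.get("Authorization"), now=now)
    if claims is None:
        return {"statusCode": 401, "body": json.dumps({"error": "unauthorized"})}
    return {"statusCode": 200, "body": json.dumps({"user": claims.get("sub")})}
```

The rotation step is the keyring: issue with the new `kid` while still accepting the old one, then remove the old entry after the longest token lifetime has passed; tokens signed with a retired key fail the `kid` lookup rather than the signature check, which makes the rejection reason visible in logs.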
  35. SERVERLESS SECURITY DATA PROTECTION

  36. FIRST RULE OF THUMB WHEN GOING INTO (PUBLIC) CLOUD (Werner Vogels, CTO Amazon, re:Invent 2017, https://www.youtube.com/watch?v=nFKVzEAm-ts)
  37. YOU HAVE A RESPONSIBILITY TO KEEP YOUR USERS’ DATA SAFE AND SECURE! (THINK OF GDPR)
  38. FAAS FORCES STATELESSNESS, INCLUDING BAD STATE!

  39. FAAS MEANS MORE DATA OUTSIDE THE SERVERS! STATE MUST BE PERSISTED ELSEWHERE!
  40. DATA PROTECTION & ENCRYPTION IN TRANSIT
     ▸ Communication between systems & networks
     ▸ Traffic between user/browser and API Gateway
     ▸ Alerts
     ▸ Events
  41. DATA PROTECTION & ENCRYPTION AT REST
     ▸ RDBMS
     ▸ DynamoDB / NoSQL
     ▸ Usernames & passwords
     ▸ Keys & secrets
     ▸ Logs
  42. CLOUD PROVIDERS MAKE IT EASY TO USE ENCRYPTION: USE PROVIDED KEYS OR CREATE/UPLOAD YOUR OWN
  43. SERVERLESS SECURITY NETWORK

  44. DISTRIBUTED DENIAL OF SERVICE ATTACKS
     ▸ Serverless services scale automatically and indefinitely. Does your credit card do so?
     ▸ Rate limit your…
       ▸ API
       ▸ Datasource calls
       ▸ …
     ▸ AWS does some basic auto-protection already for you!
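An added example for the rate-limiting point (not code from the deck): a per-client token bucket, which allows a short burst up to `capacity` and then a steady `rate` per second, checked in a Lambda-style handler before any downstream call is made. The clock is injectable so the behaviour can be tested deterministically; the client key (`sourceIp` from the API Gateway event) and the numbers are assumptions for the example.

```python
import time


class TokenBucket:
    """Per-client token bucket: `rate` tokens per second refill, up to `capacity` burst."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.buckets = {}   # client id -> (tokens, last refill time)

    def allow(self, client_id, cost=1.0):
        now = self.clock()
        tokens, last = self.buckets.get(client_id, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)   # refill since last call
        if tokens >= cost:
            self.buckets[client_id] = (tokens - cost, now)
            return True
        self.buckets[client_id] = (tokens, now)
        return False


class FakeClock:
    """Controllable clock for tests; production code uses time.monotonic."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, dt):
        self.t += dt


# Module-level limiter: on Lambda it lives as long as this execution environment does.
LIMITER = TokenBucket(rate=10.0, capacity=20)


def handler(event, context=None, limiter=None):
    """Lambda-style handler (hypothetical shape): over-limit callers get 429 before the
    function touches the datasource, so the expensive call is what is being protected."""
    limiter = limiter or LIMITER
    client = (event.get("requestContext") or {}).get("identity", {}).get("sourceIp", "unknown")
    if not limiter.allow(client):
        return {"statusCode": 429, "body": "rate limit exceeded"}
    return {"statusCode": 200, "body": "ok"}
```

Caveat that matters for serverless specifically: this state is in memory, and each function instance has its own copy, so the limit above is per instance, not per API. Put the bucket in a shared store or, simpler, use the API gateway's own throttling and usage plans (the "basic auto-protection" on the slide), and use the in-function limiter to protect a specific downstream call that the gateway cannot see.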
  45. VIRTUAL PRIVATE CLOUD (VPC)
     ▸ Serverless Lambda functions run in a default VPC with Internet access, but no other VPC access
     ▸ To connect to resources in your own VPCs, Lambda must get access to this VPC!
     ▸ VPC requires Elastic Network Interfaces (ENIs)
     ▸ ENIs add some seconds(!!) to your cold starts!
     ▸ Does this VPC have an Internet Gateway to access other APIs?
  46. AWS WELL-ARCHITECTED SECURITY BEST PRACTICES
     ▸ Implement a strong identity foundation
     ▸ Enable traceability
     ▸ Apply security at all layers
     ▸ Automate security best practices
     ▸ Protect data in transit and at rest
     ▸ Prepare for security events
  47. SERVERLESS WEB APPLICATION SECURITY

  48. SERVERLESS WEB APPLICATION SECURITY

  49. SERVERLESS WEB APPLICATION MONITORING

  50. SERVERLESS WEB APPLICATION MONITORING

  51. AWS RESOURCES
     ▸ AWS Whitepapers: https://aws.amazon.com/whitepapers/
     ▸ AWS Well-Architected: https://aws.amazon.com/architecture/well-architected/
     ▸ AWS Well-Architected Framework (June 2018): https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf
     ▸ AWS Security Pillar (July 2018): https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
     ▸ AWS Security Best Practices (August 2016): https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
     ▸ Get Started with Well-Architected Security Best Practices (On-Demand Course, July 2018): https://pages.awscloud.com/Get-Started-with-Well-Architected-Security-Best-Practices_0714-SID_OD.html
  52. BETTER SAFE THAN SORRY!

  53. NO OPS COST != NO COST OF OWNERSHIP

  54. SECURITY IS EVERYONE’S JOB

  55. THANK YOU. ANY QUESTIONS? Slides: http://bit.ly/sls-security Niko Köbler | www.n-k.de | niko@n-k.de | @dasniko