Slide 1

SERVERLESS SECURITY: SECURE WITHOUT SERVERS!? Niko Köbler (@dasniko)

Slide 2

ABOUT ME
▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
▸ Doing stuff with & without computers, writing software for ~20 years
▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
▸ Speaker at international tech conferences
▸ Author of „Serverless Computing in AWS Cloud“, serverlessbuch.de
▸ Twitter: @dasniko

Slide 3

NO SERVER NO CRY!? EPIC SONGS OF WORLD HISTORY:

Slide 4

CLOUD: FOCUS ON CREATING BUSINESS VALUE, NOT ON MANAGING INFRASTRUCTURE

Slide 5

SERVERLESS: FOCUS ON CREATING BUSINESS VALUE, NOT ON MANAGING INFRASTRUCTURE

Slide 6

THE GOOD NEWS FIRST: SERVERLESS DOESN’T CREATE NEW SECURITY FLAWS!

Slide 7

OK, WE ARE DONE! ¯\_(ツ)_/¯ (RIGHT?)

Slide 8

PATCHING THE OPERATING SYSTEM

Slide 9

PATCHING https://twitter.com/samnewman/status/952610105169793025

Slide 10

YOUR FUNCTION RUNNING IN A JVM, PACKED INTO DOCKER, DEPLOYED TO KUBERNETES ON TOP OF DC/OS, MANAGED BY MESOS, INSTALLED ON VIRTUAL MACHINES, CONTROLLED BY A HYPERVISOR, RUNNING ON BARE METAL.
…and I’m sure I forgot a few layers!
Photo by Michael Johansson (http://www.michaeljohansson.com)

Slide 11

PATCHING https://twitter.com/samnewman/status/952610105169793025 https://twitter.com/ajaynairthinks/status/949107242703319040

Slide 12

https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

Slide 17

FAAS ON CONTAINERS…
▸ OpenFaaS
▸ Fn Project
▸ OpenWhisk
▸ Knative
▸ Fission
▸ Kubeless
▸ …and probably many, many more!

Slide 18

OPERATIONAL OVERHEAD, E.G. FN PROJECT
From: https://github.com/fnproject/fn/blob/master/docs/operating/production.md

Slide 19

CONTAINERS OFFER GREAT POWER, BUT THEY ALSO DEMAND OPERATIONAL RESPONSIBILITY! (Daniel Bryant)

Slide 20

SERVERLESS IS A STEP IN THE RIGHT DIRECTION OF PATCHING AND MANAGING UNDERLYING INFRASTRUCTURE

Slide 21

APPLICATION CODE

Slide 22

APPLICATION SECURITY
▸ Write GOOD code
▸ …and DELETE old and unused code and functions!
▸ Do quality assurance, reviews, static analysis, etc.
▸ Avoid side effects (aka: write pure functions)
▸ Don’t make a function as broad as possible, make it do exactly 1 thing!
▸ But: more functions, more problems!

Slide 23

Slide 23 text

APPLICATION SECURITY ▸OWASP Top10 is more important than ever! ▸ SQL Injection ▸ Cross Site Scripting ▸ Remote Command Execution ▸ Cross Site Request Forgery ▸ Bad auth logic ▸ etc. SERVERLESS SECURITY

Slide 24

Slide 24 text

APPLICATION SECURITY ▸Writing less code doesn’t produce less errors! ▸ For majority of functions, „code“ is dependencies! ▸ 3rd party code can hold vulnerabilities just like 1st party code ▸ Most of the people who write libraries/packages aren’t very good at security! SERVERLESS SECURITY

Slide 25

Slide 25 text

EXAMPLE: LINES OF CODE AND DEPENDENCIES SERVERLESS SECURITY 19 Lines of Code 2 direct dependencies 19 dependencies
 (incl. indirect) 191.155 Lines of Code Source: https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3

Slide 26

BEWARE OF THIRD-PARTY PACKAGES
▸ a.k.a. „Dependency Vulnerabilities“
▸ Unclear transitive dependencies
▸ More code = more vulnerabilities
▸ Over time, dependencies grow stale & vulnerable
▸ It’s easy to scan GitHub for serverless projects with compromised/affected dependencies and run attacks against them
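
The gap between "2 direct dependencies" and "19 dependencies incl. indirect" on the previous slides is only visible if you resolve the lock file. The following added example (not from the talk or the referenced project) walks a constructed npm `package-lock.json` (lockfileVersion 1) the way npm does and reports direct vs. transitive packages and packages shipped in several versions, which each need patching separately:

```python
import json
from collections import defaultdict

# Constructed package.json / lockfileVersion-1 package-lock.json fragments;
# names and versions are illustrative, not the referenced project's real tree.
PACKAGE_JSON = {"dependencies": {"aws-sdk": "2.1.0", "node-fetch": "1.7.0"}}
PACKAGE_LOCK = json.loads("""{"lockfileVersion": 1, "dependencies": {
  "aws-sdk":    {"version": "2.1.0", "requires": {"xml2js": "0.4.0", "uuid": "3.0.0"}},
  "xml2js":     {"version": "0.4.0", "requires": {"sax": "1.2.0"}},
  "sax":        {"version": "1.2.0"},
  "uuid":       {"version": "3.0.0"},
  "node-fetch": {"version": "1.7.0", "requires": {"encoding": "0.1.0", "is-stream": "1.1.0"}},
  "encoding":   {"version": "0.1.0", "requires": {"iconv-lite": "0.4.0"}},
  "iconv-lite": {"version": "0.4.0", "requires": {"uuid": "2.0.0"},
                 "dependencies": {"uuid": {"version": "2.0.0"}}},
  "is-stream":  {"version": "1.1.0"}}}""")

def resolve_tree(lock, direct):
    """(name, version) -> requirers for everything reachable from `direct`.
    npm nesting rule: an entry's own "dependencies" block shadows hoisted ones."""
    seen = defaultdict(set)
    def walk(name, scopes, requirer):
        for scope in reversed(scopes):          # innermost scope wins
            if name in scope:
                entry = scope[name]
                break
        else:
            raise KeyError(f"{name} (required by {requirer}) is not in the lock file")
        key = (name, entry["version"])
        visited = key in seen
        seen[key].add(requirer)
        if visited:
            return
        child_scopes = scopes + [entry["dependencies"]] if "dependencies" in entry else scopes
        for child in entry.get("requires", {}):
            walk(child, child_scopes, f"{name}@{entry['version']}")
    for name in sorted(direct):
        walk(name, [lock["dependencies"]], "(direct)")
    return dict(seen)

def dependency_report(package_json=PACKAGE_JSON, lock=PACKAGE_LOCK):
    """What you actually ship: direct vs. transitive packages, plus packages
    pulled in at several versions (each one has to be patched separately)."""
    direct = set(package_json.get("dependencies", {}))
    tree = resolve_tree(lock, direct)
    names = {n for n, _ in tree}
    multi = sorted(n for n in names if sum(1 for m, _ in tree if m == n) > 1)
    return {"direct": len(direct), "total": len(tree), "multi_version": multi,
            "transitive": sorted(f"{n}@{v}" for n, v in tree if n not in direct)}
```

Run this against a real lock file in CI and fail the build when the transitive set grows unexpectedly; the requirer map in `resolve_tree` tells you which direct dependency dragged a package in.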

Slide 27

THREAT MODELING
▸ Do proper threat modeling: data input, parsing, validation, patterns, flows, transformations, etc.
▸ „Legacy“ (traditional) security solutions won’t fit serverless applications, as they are deployed to the infrastructure (which you no longer control)

Slide 28

PRINCIPLE OF LEAST PRIVILEGE (AUTHORITY)
▸ Every module must be able to access only the information and resources that are necessary for its legitimate purpose. (https://en.wikipedia.org/wiki/Principle_of_least_privilege)
▸ IAM Roles/Policies:
▸ Make sure you only assign permissions that your functions really MUST have!
▸ Who is allowed to invoke / access a function?

Slide 29

PRINCIPLE OF LEAST PRIVILEGE (AUTHORITY)
▸ Secure every function independently!
▸ No things like:
    Action:
      - sns:*
    Resource: *
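
A deployment gate that rejects exactly the kind of statement shown above, as an added example (not code from the talk): it inspects the dict an `iamRoleStatements` block or inline role policy is parsed into. The policies, region, account id and resource names are constructed placeholders.

```python
# Constructed IAM policy documents (the dict form that serverless.yml's
# iamRoleStatements or an inline role policy is parsed into). TOO_BROAD is
# the shape the slide warns about; SCOPED is what a publish-only function
# needs. Region, account id and names are placeholders, not real resources.
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sns:*"], "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sns:Publish"],
     "Resource": "arn:aws:sns:eu-central-1:123456789012:order-events"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:eu-central-1:123456789012:log-group:/aws/lambda/order-fn:*"}]}

def _as_list(value):
    """IAM allows a single string/object or a list for Statement/Action/Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def overly_broad_statements(policy):
    """Return one finding per Allow statement that grants wildcard actions
    ('*', 'sns:*', 's3:Get*') or applies to every resource ('*'). A trailing
    ':*' inside an ARN (e.g. the log streams of one log group) is not flagged."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        problems = []
        # NotAction / NotResource grant "everything except": equally unbounded
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                problems.append(f"{key} grants everything except the listed values")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                problems.append(f"wildcard action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                problems.append("applies to every resource (*)")
        if problems:
            findings.append({"statement": index, "problems": problems})
    return findings

def assert_least_privilege(policy):
    """Deployment gate: raise with all findings so the build fails before
    the function and its role are created."""
    findings = overly_broad_statements(policy)
    if findings:
        raise ValueError(f"policy is not least-privilege: {findings}")
    return policy
```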

Slide 30

PRINCIPLE OF LEAST PRIVILEGE (AUTHORITY)
From: Serverless Security: What’s Left To Protect - Guy Podjarny (snyk.io): https://www.youtube.com/watch?v=CiyUD_rI8D8

Slide 31

FUNCTIONS & PERMISSIONS: THEY ARE EASY TO ADD BUT HARD TO REMOVE!

Slide 32

LOGGING & MONITORING
▸ You’ll need logs, because your system is more distributed than ever
▸ Logins (successful/failed)
▸ Account modifications
▸ Database interactions
▸ Financial transactions
▸ Write GOOD (meaningful) logs and DO something with the information (it’s not just „data“)
▸ Capture USEFUL error messages, not just „500: an unexpected extraordinary error occurred“

Slide 33

IDENTITY & ACCESS CONTROL (AUTH-N & AUTH-Z)
▸ Access should be a privilege, not a right!
▸ Learn OAuth 2, OIDC, JWT and Bearer Tokens
▸ Secure EVERY endpoint (yes, that’s expensive, there’s nothing like a „session“)
▸ Don’t build your own AuthN/AuthZ solution!!!
▸ Use API keys, but don’t rely on them
▸ Use Access Control Lists (ACLs)

Slide 34

IDENTITY & ACCESS CONTROL (AUTH-N & AUTH-Z)
▸ Every developer should have separate keys
▸ Have separate keys for separate projects/products/components
▸ Rotate keys on a regular basis
▸ Follow the Principle of Least Privilege
▸ Separate development and production environments
▸ Store sensitive information in a vault

Slide 35

DATA PROTECTION

Slide 36

FIRST RULE OF THUMB WHEN GOING INTO (PUBLIC) CLOUD
Werner Vogels, CTO Amazon, re:Invent 2017: https://www.youtube.com/watch?v=nFKVzEAm-ts

Slide 37

YOU HAVE A RESPONSIBILITY TO KEEP YOUR USERS’ DATA SAFE AND SECURE! (THINK OF GDPR)

Slide 38

FAAS FORCES STATELESSNESS, INCLUDING BAD STATE!

Slide 39

FAAS MEANS MORE DATA OUTSIDE THE SERVERS! STATE MUST BE PERSISTED ELSEWHERE!

Slide 40

DATA PROTECTION & ENCRYPTION IN TRANSIT
▸ Communication between systems & networks
▸ Traffic between user/browser and API Gateway
▸ Alerts
▸ Events

Slide 41

DATA PROTECTION & ENCRYPTION AT REST
▸ RDBMS
▸ DynamoDB / NoSQL
▸ Usernames & passwords
▸ Keys & secrets
▸ Logs

Slide 42

CLOUD PROVIDERS MAKE IT EASY TO USE ENCRYPTION: USE PROVIDED KEYS OR CREATE/UPLOAD YOUR OWN

Slide 43

NETWORK

Slide 44

DISTRIBUTED DENIAL OF SERVICE ATTACKS
▸ Serverless services scale automatically and indefinitely. Does your credit card do so?
▸ Rate limit your…
▸ API
▸ Datasource calls
▸ …
▸ AWS does some basic auto-protection already for you!
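
Rate limiting both layers the slide names (the API per caller, and the data source as a whole), as an added example that is not from the talk. Because FaaS is stateless, the bucket state must live in a shared store such as DynamoDB; the `store` dict here stands in for that, and the limits, table name and event shape are constructed assumptions.

```python
import time

# Added example: token-bucket rate limiting in front of a function's work.
# The `store` dict stands in for a shared store (DynamoDB, ElastiCache);
# a plain in-memory dict only lives as long as one warm container.
class TokenBucket:
    """`capacity` calls may burst, then `rate` calls per second are admitted.
    `clock` is injectable so the refill logic can be tested deterministically."""

    def __init__(self, capacity, rate, store=None, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.store = {} if store is None else store

    def allow(self, key, cost=1):
        now = self.clock()
        tokens, last = self.store.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill
        allowed = tokens >= cost
        self.store[key] = (tokens - cost if allowed else tokens, now)
        return allowed

# Constructed limits: per caller for the API, one shared bucket for the
# backend data source so a burst of callers cannot exhaust it (or the bill).
PER_CLIENT = TokenBucket(capacity=20, rate=5.0)
DATASOURCE = TokenBucket(capacity=200, rate=50.0)

def caller_id(event):
    """API Gateway proxy event: prefer the API key, fall back to the source IP."""
    identity = event.get("requestContext", {}).get("identity", {})
    return identity.get("apiKey") or identity.get("sourceIp") or "anonymous"

def handler(event, context=None, per_client=None, datasource=None):
    """Reject over-limit callers with 429 before any data-source call; the
    shared data-source bucket turns overload into a 503 instead of a bill."""
    per_client = per_client or PER_CLIENT
    datasource = datasource or DATASOURCE
    if not per_client.allow(caller_id(event)):
        return {"statusCode": 429, "headers": {"Retry-After": "1"}, "body": "rate limit exceeded"}
    if not datasource.allow("orders-table"):   # constructed data-source name
        return {"statusCode": 503, "headers": {"Retry-After": "1"}, "body": "backend busy"}
    return {"statusCode": 200, "body": "ok"}  # placeholder for the real work
```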

Slide 45

VIRTUAL PRIVATE CLOUD (VPC)
▸ Serverless Lambda functions run in a default VPC with Internet access, but no other VPC access
▸ To connect to resources in your own VPCs, Lambda must get access to that VPC!
▸ VPC access requires Elastic Network Interfaces (ENIs)
▸ ENIs add some seconds(!!) to your cold starts!
▸ Does this VPC have an Internet Gateway to access other APIs?

Slide 46

AWS WELL-ARCHITECTED SECURITY BEST PRACTICES
▸ Implement a strong identity foundation
▸ Enable traceability
▸ Apply security at all layers
▸ Automate security best practices
▸ Protect data in transit and at rest
▸ Prepare for security events

Slide 47

SERVERLESS WEB APPLICATION SECURITY

Slide 49

SERVERLESS WEB APPLICATION MONITORING

Slide 51

AWS RESOURCES
▸ AWS Whitepapers: https://aws.amazon.com/whitepapers/
▸ AWS Well-Architected: https://aws.amazon.com/architecture/well-architected/
▸ AWS Well-Architected Framework (June 2018): https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf
▸ AWS Security Pillar (July 2018): https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
▸ AWS Security Best Practices (August 2016): https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
▸ Get Started with Well-Architected Security Best Practices (On-Demand Course, July 2018): https://pages.awscloud.com/Get-Started-with-Well-Architected-Security-Best-Practices_0714-SID_OD.html

Slide 52

BETTER SAFE THAN SORRY!

Slide 53

Slide 53 text

NO OPS COST !=
 NO COST OF OWNERSHIP

Slide 54

SECURITY IS EVERYONE’S JOB

Slide 55

THANK YOU. ANY QUESTIONS?
Slides: http://bit.ly/sls-security
Niko Köbler | www.n-k.de | [email protected] | @dasniko