
Serverless Security

Niko Köbler
September 06, 2018


Transcript

  1. ABOUT ME
     ▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
     ▸ Doing stuff with & without computers, writing Software, ~ 20 yrs
     ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
     ▸ Speaker at international Tech Conferences
     ▸ Author of „Serverless Computing in AWS Cloud“ (serverlessbuch.de)
     ▸ Twitter: @dasniko
  2. YOUR FUNCTION RUNNING IN A JVM PACKED INTO DOCKER DEPLOYED TO KUBERNETES ON TOP OF DC/OS MANAGED BY MESOS INSTALLED ON VIRTUAL MACHINES CONTROLLED BY A HYPERVISOR RUNNING ON BARE METAL.
     …and I’m sure, I forgot a few layers!
     Photo by Michael Johansson (http://www.michaeljohansson.com)
  3. FAAS ON CONTAINERS…
     ▸ OpenFaaS
     ▸ Fn Project
     ▸ OpenWhisk
     ▸ Knative
     ▸ Fission
     ▸ Kubeless
     ▸ …and probably many, many more!
  4. SERVERLESS IS A STEP IN THE RIGHT DIRECTION OF PATCHING AND MANAGING UNDERLYING INFRASTRUCTURE
  5. APPLICATION SECURITY
     ▸ Write GOOD Code
       ▸ and DELETE old and unused code and functions!
     ▸ Do Quality Assurance, Reviews, Static Analysis, etc.
     ▸ Avoid side-effects (aka: write pure functions)
       ▸ Don’t make a function as broad as possible, make it do exactly 1 thing!
       ▸ But: more functions - more problems!
  6. APPLICATION SECURITY
     ▸ OWASP Top10 is more important than ever!
       ▸ SQL Injection
       ▸ Cross Site Scripting
       ▸ Remote Command Execution
       ▸ Cross Site Request Forgery
       ▸ Bad auth logic
       ▸ etc.
  7. APPLICATION SECURITY
     ▸ Writing less code doesn’t produce fewer errors!
       ▸ For the majority of functions, „code“ is dependencies!
       ▸ 3rd party code can hold vulnerabilities just like 1st party code
       ▸ Most of the people who write libraries/packages aren’t very good at security!
  8. EXAMPLE: LINES OF CODE AND DEPENDENCIES
     ▸ 19 Lines of Code
     ▸ 2 direct dependencies
     ▸ 19 dependencies (incl. indirect)
     ▸ 191.155 Lines of Code
     Source: https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3
  9. BEWARE OF THIRD-PARTY PACKAGES
     ▸ a.k.a. „Dependency Vulnerabilities“
     ▸ Unclear transitive dependencies
     ▸ More code = more vulnerabilities
     ▸ Over time, dependencies grow stale & vulnerable
     ▸ It’s easy to scan GitHub for serverless projects with compromised/affected dependencies and run attacks against them
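The ratio on slide 8 (2 direct dependencies, 19 in total) is exactly the kind of number a lock file makes visible. As an added example, not part of the deck or of the serverless/examples project, the following script walks a package-lock.json tree, counts direct versus transitive packages and flags entries that appear in an advisory feed. The lock file, package.json, versions and the advisory id are constructed sample data.

```python
"""Added example, not from the deck: walk an npm package-lock.json tree, count direct
versus transitive dependencies, and flag entries listed in an advisory feed.
The lock file, package.json and advisory list below are constructed sample data."""
import json

# Constructed package.json: the two direct dependencies the function declares.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"aws-sdk": "^2.300.0", "node-fetch": "^1.7.3"}
})

# Constructed lock file (lockfileVersion 1 layout): nested "dependencies" maps
# hold what each package pulled in. Versions here are made up for the demo.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "aws-sdk": {
            "version": "2.300.0",
            "dependencies": {
                "xml2js": {"version": "0.4.19",
                           "dependencies": {"sax": {"version": "1.2.1"}}},
                "uuid": {"version": "3.1.0"},
            },
        },
        "node-fetch": {
            "version": "1.7.3",
            "dependencies": {"encoding": {"version": "0.1.12"}},
        },
    },
})

# Constructed advisory feed (placeholder id, not a real advisory): name -> (version, id).
SAMPLE_ADVISORIES = {"node-fetch": ("1.7.3", "ADVISORY-PLACEHOLDER-1")}


def walk_lock(deps, depth=1):
    """Yield (name, version, depth) for every package in the nested tree."""
    for name, entry in deps.items():
        yield name, entry.get("version"), depth
        yield from walk_lock(entry.get("dependencies", {}), depth + 1)


def analyze(lock_text, package_json_text, advisories):
    """Summarise the dependency tree and list the packages matching an advisory."""
    found = list(walk_lock(json.loads(lock_text).get("dependencies", {})))
    # Direct deps come from package.json, not from tree depth: npm hoists most
    # packages to the top level, so depth alone cannot tell direct from transitive.
    direct = set(json.loads(package_json_text).get("dependencies", {}))
    flagged = [(name, version, advisories[name][1])
               for name, version, _ in found
               if name in advisories and advisories[name][0] == version]
    return {
        "direct": len(direct),
        "total": len(found),
        "transitive": len(found) - len(direct),
        "max_depth": max((d for _, _, d in found), default=0),
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOCK, SAMPLE_PACKAGE_JSON, SAMPLE_ADVISORIES))
```

Run against a real lock file, the `total` and `max_depth` figures are the honest size of the code you ship; pairing the walk with a current advisory feed in CI is what keeps the "grow stale & vulnerable" bullet from becoming a surprise.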
 10. THREAT MODELING
     ▸ Do proper Threat Modeling: Data Input, Parsing, Validation, Patterns, Flows, Transformations, etc.
     ▸ „Legacy“ (Traditional) Security Solutions won’t fit for serverless applications, as they are deployed to the infrastructure (which you no longer control)
 11. PRINCIPLE OF LEAST PRIVILEGE (AUTHORITY)
     ▸ Every module must be able to access only the information and resources that are necessary for its legitimate purpose. (https://en.wikipedia.org/wiki/Principle_of_least_privilege)
     ▸ IAM Roles/Policies:
       ▸ Make sure you only assign permissions that your functions really MUST have!
       ▸ Who is allowed to invoke / access a function?
 12. PRINCIPLE OF LEAST PRIVILEGE (AUTHORITY)
     ▸ Secure every function independently!
     ▸ No things like:
           Action:
             - sns:*
           Resource: *
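The `sns:*` on `*` statement above is easy to catch mechanically. As an added example, not from the deck or from any AWS tooling, here is a small checker that flags Allow statements with wildcard actions or resources, run against that weak policy and against the scoped policy the function actually needs. Both policies are constructed; the account id and topic name are placeholders.

```python
"""Added example, not from the deck: flag IAM policy statements that grant wildcard
actions or resources, shown against a weak and a scoped policy.
Both policies are constructed samples; the account id and topic name are placeholders."""

# The kind of statement the slide warns against: every SNS action on every resource.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sns:*"], "Resource": "*"}
    ],
}

# The same function's real need: publish to one topic, nothing else.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sns:Publish"],
         "Resource": "arn:aws:sns:eu-central-1:123456789012:order-events"}
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement index, field, value) for every over-broad grant found."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions
            findings.append((idx, "NotAction", stmt["NotAction"]))
        for action in _as_list(stmt.get("Action")):
            if "*" in action:  # "*", "sns:*", "s3:Get*", ...
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "Resource", resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

Findings are review prompts rather than verdicts: a few actions accept no resource other than `*`, so the scoped form is "one action, one ARN" wherever the service allows it, and an explicit justification where it does not.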
 13. PRINCIPLE OF LEAST PRIVILEGE (AUTHORITY)
     From: Serverless Security: What’s Left To Protect - Guy Podjarny (snyk.io): https://www.youtube.com/watch?v=CiyUD_rI8D8
 14. LOGGING & MONITORING
     ▸ You’ll need logs, b/c your system is more distributed than ever
       ▸ Logins (successful/failed)
       ▸ Account modifications
       ▸ Database interactions
       ▸ Financial transactions
     ▸ Write GOOD (meaningful) logs and DO something with the information (it’s not just „data“)
     ▸ Capture USEFUL error messages, not just „500: an unexpected extraordinary error occurred“
 15. IDENTITY & ACCESS CONTROL (AUTH-N & AUTH-Z)
     ▸ Access should be a Privilege, not a Right!
     ▸ Learn OAuth 2, OIDC, JWT and Bearer Tokens
     ▸ Secure EVERY endpoint (yes, that’s expensive, there’s nothing like a „session“)
     ▸ Don’t build your own AuthN/AuthZ Solution!!!
     ▸ Use API-Keys, but don’t rely on them
     ▸ Use Access Control Lists (ACLs)
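"Secure EVERY endpoint" means every invocation re-validates the bearer token, since there is no session to lean on. As an added example, not from the deck, the function below lists the checks a verifier has to make before a function trusts the caller (Bearer prefix, pinned algorithm, constant-time signature check, `exp`, `aud`). It uses only the standard library so it runs offline; HS256 with a shared secret and the key and claims are constructed for the demo. In production you would use a maintained JWT library, as the slide says; this shows what that library must do for you.

```python
"""Added example, not from the deck: the checks a bearer-token verifier has to make
before a function trusts the caller (prefix, algorithm, signature, exp, aud), using
only the standard library so it runs offline. HS256 with a shared secret is used
here for self-containment; the key and claims are constructed sample values."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, key):
    """Issue a compact JWT; only here so the verifier has something to check."""
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url_encode(json.dumps(claims, **compact).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_bearer(authorization, key, expected_aud, now=None):
    """Return the claims if the Authorization header carries a valid token, else None."""
    now = time.time() if now is None else now
    if not authorization or not authorization.startswith("Bearer "):
        return None
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose it ("none", algorithm confusion).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison of the signature.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    # Every endpoint re-checks these: there is no session to lean on.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    if claims.get("aud") != expected_aud:
        return None
    return claims


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed; a real key comes from a vault
    token = sign_hs256({"sub": "user-1", "aud": "orders-api", "exp": time.time() + 300}, demo_key)
    print(verify_bearer("Bearer " + token, demo_key, "orders-api"))
```

The two checks that are easiest to forget are the ones the token itself tries to control: the `alg` header (reject anything but the algorithm you expect) and `aud` (a token issued for another API must not open this one).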
 16. IDENTITY & ACCESS CONTROL (AUTH-N & AUTH-Z)
     ▸ Every developer should have separate keys
     ▸ Have separate keys for separate projects/products/components
     ▸ Rotate keys on a regular basis
     ▸ Follow the Principle of Least Privilege
     ▸ Separate development and production environments
     ▸ Store sensitive information in a vault
 17. FIRST RULE OF THUMB WHEN GOING INTO (PUBLIC) CLOUD
     Werner Vogels, CTO Amazon, re:Invent 2017
     https://www.youtube.com/watch?v=nFKVzEAm-ts
 18. DATA PROTECTION & ENCRYPTION IN TRANSIT
     ▸ Communication between Systems & Networks
     ▸ Traffic between User/Browser and API-Gateway
     ▸ Alerts
     ▸ Events
 19. DATA PROTECTION & ENCRYPTION AT REST
     ▸ RDBMS
     ▸ DynamoDB / NoSQL
     ▸ Usernames & Passwords
     ▸ Keys & Secrets
     ▸ Logs
 20. CLOUD PROVIDERS MAKE IT EASY TO USE ENCRYPTION: USE PROVIDED KEYS OR CREATE/UPLOAD YOUR OWN
 21. DISTRIBUTED DENIAL OF SERVICE ATTACKS
     ▸ Serverless services scale automatically and indefinitely. Does your credit card do so?
     ▸ Rate limit your…
       ▸ API
       ▸ Datasource calls
       ▸ …
     ▸ AWS does some basic auto-protection already for you!
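The "rate limit your API / datasource calls" bullet, as an added example that is not from the deck: a token-bucket limiter keyed per caller, wrapped in a constructed API-Gateway-style handler that answers 429 once a caller's bucket is empty. The limits, event shape and handler are constructed for the demo; a real deployment would keep the bucket state in a shared store (or use the gateway's own throttling), because each function container only sees its own memory.

```python
"""Added example, not from the deck: a token-bucket limiter keyed per caller, the
shape of "rate limit your API / datasource calls". The handler and event below are
constructed; in a real deployment the bucket state would live in a shared store,
since each function container only sees its own memory."""
import time


class TokenBucketLimiter:
    """Each key gets `capacity` tokens, refilled at `refill_per_sec` tokens per second."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._state = {}  # key -> (tokens, timestamp of last refill)

    def allow(self, key, cost=1, now=None):
        """Spend `cost` tokens for `key` if available; return whether the call may proceed."""
        now = time.monotonic() if now is None else now
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        allowed = tokens >= cost
        if allowed:
            tokens -= cost
        self._state[key] = (tokens, now)
        return allowed


# One limiter per container; constructed limits: burst of 3, then 1 request per second.
API_LIMITER = TokenBucketLimiter(capacity=3, refill_per_sec=1.0)


def handler(event, limiter=API_LIMITER, now=None):
    """Constructed API-Gateway-style handler: throttle per authenticated caller,
    falling back to the source IP for unauthenticated calls."""
    ctx = event.get("requestContext", {})
    key = (ctx.get("authorizer", {}).get("principalId")
           or ctx.get("identity", {}).get("sourceIp", "unknown"))
    if not limiter.allow(key, now=now):
        return {"statusCode": 429, "headers": {"Retry-After": "1"},
                "body": "rate limit exceeded"}
    return {"statusCode": 200, "body": "ok"}


if __name__ == "__main__":
    sample_event = {"requestContext": {"identity": {"sourceIp": "203.0.113.5"}}}  # constructed
    print([handler(sample_event)["statusCode"] for _ in range(5)])
```

The same `allow()` call in front of a datasource client caps what one function can do to a database that does not scale as freely as the function does; the `cost` parameter lets an expensive query draw more tokens than a cheap one.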
 22. VIRTUAL PRIVATE CLOUD (VPC)
     ▸ Serverless Lambda functions run in a default VPC with Internet-Access, but no other VPC Access
     ▸ To connect to resources in own VPCs, Lambda must get access to this VPC!
     ▸ VPC requires Elastic Network Interfaces (ENIs)
     ▸ ENIs add some seconds(!!) to your cold starts!
     ▸ Does this VPC have an Internet Gateway to access other APIs?
 23. AWS WELL-ARCHITECTED SECURITY BEST PRACTICES
     ▸ Implement a strong identity foundation
     ▸ Enable traceability
     ▸ Apply security at all layers
     ▸ Automate security best practices
     ▸ Protect data in transit and rest
     ▸ Prepare for security events
 24. AWS RESOURCES
     ▸ AWS Whitepapers
       https://aws.amazon.com/whitepapers/
     ▸ AWS Well-Architected
       https://aws.amazon.com/architecture/well-architected/
     ▸ AWS Well-Architected Framework (June 2018)
       https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf
     ▸ AWS Security Pillar (July 2018)
       https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
     ▸ AWS Security Best Practices (August 2016)
       https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
     ▸ Get Started with Well-Architected Security Best Practices (On-Demand Course, July 2018)
       https://pages.awscloud.com/Get-Started-with-Well-Architected-Security-Best-Practices_0714-SID_OD.html