Serverless and the Way Forward

November 15, 2016

Serverless and the Way ForwardJames Wickett // @wickett

November 15, 2016@WICKETT

JAMES WICKETT

๏ Head of Research at Signal Sciences

๏ Author at Lynda/LinkedIn Training for DevOps Fundamentals course releasing in the next week!

๏ Blogger at theagileadmin.com and labs.signalsciences.com

http://theagileadmin.com

http://labs.signalsciences.com


DEVOPS ROADMAP FOR SECURITY

http://info.signalsciences.com/book



๏ Web App Firewall for modern workloads

๏ Cloud-native and devops friendly

๏ Answer the questions: Am I being attacked right now? Are attackers becoming successful?

๏ We are hiring (Golang, appsec, devops)

@WICKETT




CONCLUSION

๏ Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.

๏ New serverless patterns are just emerging

๏ Security with serverless is easier

๏ Security with serverless is harder


CONCLUSION (2)

๏ Four key areas apply to serverless security

๏ Software Supply Chain Security

๏ Delivery Pipeline Security

๏ Data Flow Security

๏ Attack Detection


WHAT IS SERVERLESS?


MISCONCEPTIONS


IT’S MARKETING (CLOUD REBRANDED)


SERVERLESS == NO SERVERS


SERVERLESS == CLOUD


SERVERLESS == BACKEND AS A

SERVICE


SERVERLESS == PLATFORM AS A

SERVICE



SO, WHAT IS SERVERLESS?


http://martinfowler.com/articles/serverless.html



@MIKEBROBERTS


Serverless was first used to describe applications that significantly or fully

depend on 3rd party applications / services (‘in

the cloud’) to manage server-side logic and

state. http://martinfowler.com/articles/serverless.html



Serverless can also mean applications where some amount of server-side logic is still written by the application developer but unlike traditional architectures is

run in stateless compute containers that are event-

triggered, ephemeral (may only last for one invocation), and fully

managed by a 3rd party. http://martinfowler.com/articles/serverless.html



HISTORY OF SERVERLESS๏ 2012 - used to describe BaaS and Continuous Integration

services run by third parties

๏ Late 2014 - AWS launched Lambda

๏ July 2015 - AWS launched API Gateway

๏ October 2015 - AWS re:Invent - The Serverless company using AWS Lambda

๏ 2015 to present - Frameworks forming

๏ 2016 - Serverless Conference

http://www.slideshare.net/AmazonWebServices/arc308-the-serverless-company-using-aws-lambda

http://www.slideshare.net/AmazonWebServices/arc308-the-serverless-company-using-aws-lambda


Client

Server

Database

Proxy/LB

ServerServer


Client

Auth Service API Gateway

Database Service

Function A

Function B

Web Delivery



WHAT CAN WE SAY IS SERVERLESS?


SERVERLESS IS FUNCTIONS AS A SERVICE (FaaS)


BUT, BUT…CONTAINERS!


CONTAINERS … ON DEMAND


SERVERLESS IS (NO MANAGEMENT OF)

SERVERS


SERVERLESS IS SERVICEFULL


SERVERLESS IS AN OPINIONATED FRAMEWORK

FOR COMPUTE


Serverless encourages functions as deploy units, coupled with third party

services that allow running end-to-end applications without worrying about

system operation.


A SHORT HISTORY OF CLOUD


VIRTUALIZATION


“THE CLOUD”


DEVOPS


SaaS PaaS IaaS


PRIVATE CLOUD


THEN, ALONG CAME CONTAINERS


CONTAINERS ARE TEH HAWTNESS


\


LOTS OF EFFORT IN CONTAINER

ORCHESTRATION


THE CLOUD WAS TO VIRTUALIZATION AS SERVERLESS WILL

BE TO CONTAINERS


IF YOU WANT TO LEAD YOUR COMPANY BRAVELY INTO THE NEW WORLD, YOU WOULD DO WELL TO FOCUS LOT ON HOW

SERVERLESS WILL EVOLVE. - @CLOUDOPINION

https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d

https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d


Serverless encourages functions as deploy units, coupled with third party

services that allow running end-to-end applications without worrying about

system operation.


SO, WHAT ARE THE UPSIDES?


SCALING BUILT IN


PAY FOR WHAT YOU USE IN 100MS INCREMENTS


WITH SERVERLESS SYSTEM ADMINISTRATION

IS (MOSTLY) LOWER


SERVERLESS IS IMPLICIT

MICROSERVICES


SHORT CIRCUITS OPS AND MOVES

INFRASTRUCTURE RUNTIME CLOSER TO

DEVS


YOU CAN SKIP CHEFFING DOCKERING

ALL THE THINGS!


LEAN STARTUP FRIENDLY


INCREASED VELOCITY


GREAT, WHAT’S THE CATCH?


OPS BURDEN TO RATIONALIZE

SERVERLESS MODEL (SPECIFICALLY DEPLOY)


MONITORING


LOGGING


STATELESS FOR REAL NO MEMORY PERSISTENCE

ACROSS FUNCTION RUNS


VENDOR LOCK-IN


SECURITY


RELIABILITY



SERVERLESS USE CASES


IMAGE RESIZING


QUEUE PROCESSING



RUN A WEB APPLICATION


API GATEWAY



CI/CD


LICENSING


SECURITY IS THE SAME AND DIFFERENT


EVERYTHING IS HTTP(S)


WHAT USED TO BE SYSTEM CALLS IS

NOW DISTRIBUTED COMPUTING OVER

THE NETWORK


SERVERLESS SHIFTS ATTACK SURFACE TO

THIRD PARTIES


LETS TRY A SAMPLE APPLICATION IN AWS


๏ Golang!

๏ AWS Lambda supports bring your own binary

๏ Sparta wraps your binary with node.js shim



OTHER OPTIONS

๏ Serverless Framework

๏ APEX

๏ Kappa


WORDY๏ Analyzes textual

occurrences given a block of text, returns JSON count of words

๏ Calls API under the hood to get text

๏ It is comprised of Lambda, s3, API Gateway





go run main.go provision -s S3_BUCKET











WHAT I LEARNED ABOUT SERVERLESS

SECURITY



FOUR AREAS OF SERVERLESS SECURITY

๏ Secure Software Supply Chain

๏ Delivery Pipeline





SURFACE AREA REDUCTION!


SURFACE AREA EXPANSION!


SSL / TLS FROM THE PROVIDER


DNS!


LAMBDA + S3 + KINESIS + DYNAMODB + CLOUDFORMATION + API GATEWAY + AUTH0


USE A THIRD-PARTY SERVICE FOR CONFIG

CHANGES


ACCESS CONTROL


DELIVERY PIPELINE SECURITY



UNIT TESTING



INTEGRATION TESTING


CONFIGURATION IS PART OF DELIVERY


PROVIDER SECURITY

๏ Disable root access keys

๏ Manage users with profiles

๏ Secure your keys in your deploy system

๏ Secure keys in dev system

๏ Use provider MFA


SIMPLE DEPLOY PIPELINE SECURITY

๏ Only dev keys can push to ‘dev’

๏ Only build/deploy system can push to pre-prod

๏ Integration tests must pass in this env

๏ Security validation must take place

๏ Allow push to prod, only by deploy system


SECURITY INTEGRATION TESTING

๏ BDD-Security - github.com/continuumsecurity/bdd-security

๏ Gauntlt - gauntlt.org


http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015


DATA FLOW SECURITY

๏ Development

๏ Data Flow Diagrams

๏ Threat modeling

๏ Runtime


Application layer DoS


TIMEOUTS AND EXECUTION

RESTRICTIONS


HTTP / HTTPS


ATTACK DETECTION


DEVELOPMENT

๏ Normal OWASP tooling

๏ Language filtering and more


APPSEC PROBLEMS


DEFENSE

๏ Logging, emitting events

๏ Vandium (SQLi) wrapper

๏ Content Security Policy (CSP)

๏ More work needs to be done here…


CONCLUSION

๏ Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.

๏ New serverless patterns are just emerging

๏ Security with serverless is easier

๏ Security with serverless is harder


CONCLUSION (2)

๏ Four key areas apply to serverless security

๏ Software Supply Chain Security

๏ Delivery Pipeline Security





LET’S TALK!

๏ [email protected]

๏ @wickett

๏ http://info.signalsciences.com/book

mailto:[email protected]


November 15, 2016

November 15, 2016