November 15, 2016
Serverless and the Way Forward
James Wickett // @wickett
November 15, 2016@WICKETT
JAMES WICKETT
๏ Head of Research at Signal Sciences
๏ Author at Lynda/LinkedIn Training for DevOps Fundamentals course releasing in the next week!
๏ Blogger at theagileadmin.com and labs.signalsciences.com
DEVOPS ROADMAP FOR SECURITY
http://info.signalsciences.com/book
๏ Web App Firewall for modern workloads
๏ Cloud-native and devops friendly
๏ Answer the questions: Am I being attacked right now? Are attackers becoming successful?
๏ We are hiring (Golang, appsec, devops)
CONCLUSION
๏ Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
๏ New serverless patterns are just emerging
๏ Security with serverless is easier
๏ Security with serverless is harder
CONCLUSION (2)
๏ Four key areas apply to serverless security
๏ Software Supply Chain Security
๏ Delivery Pipeline Security
๏ Data Flow Security
๏ Attack Detection
WHAT IS SERVERLESS?
MISCONCEPTIONS
IT’S MARKETING (CLOUD REBRANDED)
SERVERLESS == NO SERVERS
SERVERLESS == CLOUD
SERVERLESS == BACKEND AS A SERVICE
SERVERLESS == PLATFORM AS A SERVICE
SO, WHAT IS SERVERLESS?
http://martinfowler.com/articles/serverless.html
@MIKEBROBERTS
Serverless was first used to describe applications that significantly or fully depend on 3rd party applications / services (‘in the cloud’) to manage server-side logic and state.
http://martinfowler.com/articles/serverless.html
Serverless can also mean applications where some amount of server-side logic is still written by the application developer but unlike traditional architectures is run in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party.
http://martinfowler.com/articles/serverless.html
HISTORY OF SERVERLESS
๏ 2012 - used to describe BaaS and Continuous Integration services run by third parties
๏ Late 2014 - AWS launched Lambda
๏ July 2015 - AWS launched API Gateway
๏ October 2015 - AWS re:Invent - The Serverless company using AWS Lambda
๏ 2015 to present - Frameworks forming
๏ 2016 - Serverless Conference
http://www.slideshare.net/AmazonWebServices/arc308-the-serverless-company-using-aws-lambda
[Diagram: traditional architecture: Client, Proxy/LB, Servers, Database]
[Diagram: serverless architecture: Client, Auth Service, API Gateway, Function A, Function B, Database Service, Web Delivery]
WHAT CAN WE SAY IS SERVERLESS?
SERVERLESS IS FUNCTIONS AS A SERVICE (FaaS)
BUT, BUT…CONTAINERS!
CONTAINERS … ON DEMAND
SERVERLESS IS (NO MANAGEMENT OF) SERVERS
SERVERLESS IS SERVICEFULL
SERVERLESS IS AN OPINIONATED FRAMEWORK FOR COMPUTE
Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
A SHORT HISTORY OF CLOUD
VIRTUALIZATION
“THE CLOUD”
DEVOPS
SaaS PaaS IaaS
PRIVATE CLOUD
THEN, ALONG CAME CONTAINERS
CONTAINERS ARE TEH HAWTNESS
LOTS OF EFFORT IN CONTAINER ORCHESTRATION
THE CLOUD WAS TO VIRTUALIZATION AS SERVERLESS WILL BE TO CONTAINERS
IF YOU WANT TO LEAD YOUR COMPANY BRAVELY INTO THE NEW WORLD, YOU WOULD DO WELL TO FOCUS A LOT ON HOW SERVERLESS WILL EVOLVE. - @CLOUDOPINION
https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
SO, WHAT ARE THE UPSIDES?
SCALING BUILT IN
PAY FOR WHAT YOU USE IN 100MS INCREMENTS
WITH SERVERLESS, SYSTEM ADMINISTRATION IS (MOSTLY) LOWER
SERVERLESS IS IMPLICIT MICROSERVICES
SHORT CIRCUITS OPS AND MOVES INFRASTRUCTURE RUNTIME CLOSER TO DEVS
YOU CAN SKIP CHEFFING AND DOCKERING ALL THE THINGS!
LEAN STARTUP FRIENDLY
INCREASED VELOCITY
GREAT, WHAT’S THE CATCH?
OPS BURDEN TO RATIONALIZE SERVERLESS MODEL (SPECIFICALLY DEPLOY)
MONITORING
LOGGING
STATELESS FOR REAL: NO MEMORY PERSISTENCE ACROSS FUNCTION RUNS
VENDOR LOCK-IN
SECURITY
RELIABILITY
SERVERLESS USE CASES
IMAGE RESIZING
QUEUE PROCESSING
http://martinfowler.com/articles/serverless.html
RUN A WEB APPLICATION
API GATEWAY
http://martinfowler.com/articles/serverless.html
CI/CD
LICENSING
SECURITY IS THE SAME AND DIFFERENT
EVERYTHING IS HTTP(S)
WHAT USED TO BE SYSTEM CALLS IS NOW DISTRIBUTED COMPUTING OVER THE NETWORK
SERVERLESS SHIFTS ATTACK SURFACE TO THIRD PARTIES
LET’S TRY A SAMPLE APPLICATION IN AWS
๏ Golang!
๏ AWS Lambda supports bring your own binary
๏ Sparta wraps your binary with a node.js shim
OTHER OPTIONS
๏ Serverless Framework
๏ APEX
๏ Kappa
WORDY
๏ Analyzes textual occurrences given a block of text, returns JSON count of words
๏ Calls an API under the hood to get the text
๏ It consists of Lambda, S3 and API Gateway
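An added Go illustration of Wordy's core (not the talk's own code): read one block of text, count word occurrences and return the JSON document. The size cap, the error value and the names CountWords and Handle are assumptions; the cap is the practical answer to an oversized request eating the function's memory and timeout budget.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"io"
	"strings"
	"unicode"
)

// MaxInputBytes bounds how much text one invocation will read (a constructed
// limit for this example, not a Lambda or Wordy setting).
const MaxInputBytes = 1 << 20

var ErrInputTooLarge = errors.New("input exceeds size limit")

// CountWords splits the text read from r on non-letter/digit boundaries,
// lower-cases each token and returns per-word counts. It reads at most
// MaxInputBytes and fails closed when the input is larger.
func CountWords(r io.Reader) (map[string]int, error) {
	data, err := io.ReadAll(io.LimitReader(r, MaxInputBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) > MaxInputBytes {
		return nil, ErrInputTooLarge
	}
	isSep := func(c rune) bool { return !unicode.IsLetter(c) && !unicode.IsDigit(c) }
	counts := make(map[string]int)
	for _, w := range strings.FieldsFunc(string(data), isSep) {
		counts[strings.ToLower(w)]++
	}
	return counts, nil
}

// Handle is the Lambda-shaped entry point the shim would call: the request
// body is the text to analyze, the response is the JSON count document.
func Handle(body []byte) ([]byte, error) {
	counts, err := CountWords(bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	return json.Marshal(counts) // keys come out sorted, e.g. {"a":2,"b":1}
}
```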
go run main.go provision -s S3_BUCKET
WHAT I LEARNED ABOUT SERVERLESS SECURITY
FOUR AREAS OF SERVERLESS SECURITY
๏ Secure Software Supply Chain
๏ Delivery Pipeline
๏ Data Flow Security
๏ Attack Detection
SURFACE AREA REDUCTION!
SURFACE AREA EXPANSION!
SSL / TLS FROM THE PROVIDER
DNS!
LAMBDA + S3 + KINESIS + DYNAMODB + CLOUDFORMATION + API GATEWAY + AUTH0
USE A THIRD-PARTY SERVICE FOR CONFIG CHANGES
ACCESS CONTROL
DELIVERY PIPELINE SECURITY
UNIT TESTING
INTEGRATION TESTING
CONFIGURATION IS PART OF DELIVERY
PROVIDER SECURITY
๏ Disable root access keys
๏ Manage users with profiles
๏ Secure your keys in your deploy system
๏ Secure keys in dev system
๏ Use provider MFA
SIMPLE DEPLOY PIPELINE SECURITY
๏ Only dev keys can push to ‘dev’
๏ Only build/deploy system can push to pre-prod
๏ Integration tests must pass in this env
๏ Security validation must take place
๏ Allow push to prod, only by deploy system
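An added Go illustration of the stage split above (not AWS's policy evaluator and not code from the talk): two IAM-shaped policies, one for developer keys and one for the build/deploy system, checked by a small evaluator with IAM's explicit-deny-wins rule and '*' wildcard matching. The account id, region and function names are constructed; lambda:UpdateFunctionCode and lambda:UpdateFunctionConfiguration are real IAM action names.

```go
package main

// Statement mirrors the Effect/Action/Resource shape of an IAM policy
// statement; the evaluator below is a teaching model, not AWS's engine.
type Statement struct {
	Effect   string
	Action   []string
	Resource []string
}

// match treats '*' as "any run of characters" (IAM's '?' is omitted here).
func match(pattern, value string) bool {
	if pattern == "" {
		return value == ""
	}
	if pattern[0] == '*' {
		for i := 0; i <= len(value); i++ {
			if match(pattern[1:], value[i:]) {
				return true
			}
		}
		return false
	}
	return value != "" && pattern[0] == value[0] && match(pattern[1:], value[1:])
}

func anyMatch(patterns []string, v string) bool {
	for _, p := range patterns {
		if match(p, v) {
			return true
		}
	}
	return false
}

// Allowed applies the evaluation order for one policy: a matching explicit
// Deny wins, otherwise any matching Allow grants, otherwise default deny.
func Allowed(policy []Statement, action, resource string) bool {
	allowed := false
	for _, s := range policy {
		if !anyMatch(s.Action, action) || !anyMatch(s.Resource, resource) {
			continue
		}
		if s.Effect == "Deny" {
			return false
		}
		allowed = true
	}
	return allowed
}

// fnPrefix uses a constructed region and account id.
const fnPrefix = "arn:aws:lambda:us-east-1:123456789012:function:"

// DevPolicy: developer keys may only update code in the dev stage.
var DevPolicy = []Statement{{Effect: "Allow", Action: []string{"lambda:UpdateFunctionCode"}, Resource: []string{fnPrefix + "wordy-dev-*"}}}

// DeployPolicy: the build/deploy system pushes to pre-prod and prod, with an
// explicit Deny on dev so the pipeline identity cannot be borrowed for ad-hoc dev pushes.
var DeployPolicy = []Statement{
	{Effect: "Allow", Action: []string{"lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration"}, Resource: []string{fnPrefix + "wordy-preprod-*", fnPrefix + "wordy-prod-*"}},
	{Effect: "Deny", Action: []string{"lambda:*"}, Resource: []string{fnPrefix + "wordy-dev-*"}},
}
```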
SECURITY INTEGRATION TESTING
๏ BDD-Security - github.com/continuumsecurity/bdd-security
๏ Gauntlt - gauntlt.org
http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
DATA FLOW SECURITY
๏ Development
๏ Data Flow Diagrams
๏ Threat modeling
๏ Runtime
Application layer DoS
TIMEOUTS AND EXECUTION RESTRICTIONS
HTTP / HTTPS
ATTACK DETECTION
DEVELOPMENT
๏ Normal OWASP tooling
๏ Language filtering and more
APPSEC PROBLEMS
DEFENSE
๏ Logging, emitting events
๏ Vandium (SQLi) wrapper
๏ Content Security Policy (CSP)
๏ More work needs to be done here…
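An added Go example for the "logging, emitting events" item (not code from the talk or from Signal Sciences): a wrapper that turns every invocation into one structured JSON event line, distinguishing validation rejections from plain errors so a detection rule can alert on a spike of rejected requests. Handler, SecurityEvent, WithSecurityEvents and ErrRejected are hypothetical names; on Lambda, stdout lines end up in CloudWatch Logs.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"io"
	"time"
)

// Handler is the function shape being wrapped (an assumption for this example).
type Handler func(ctx context.Context, input []byte) ([]byte, error)

// SecurityEvent is one record per invocation, written as a JSON line.
type SecurityEvent struct {
	Function   string `json:"function"`
	Outcome    string `json:"outcome"` // "ok", "rejected" or "error"
	InputBytes int    `json:"input_bytes"`
	DurationMS int64  `json:"duration_ms"`
	Error      string `json:"error,omitempty"`
}

// ErrRejected is what input validation returns (or wraps) when it refuses a request.
var ErrRejected = errors.New("input rejected by validation")

// WithSecurityEvents wraps h so that every call emits a SecurityEvent to w.
// Errors wrapping ErrRejected are labelled "rejected", any other failure "error".
func WithSecurityEvents(name string, w io.Writer, h Handler) Handler {
	enc := json.NewEncoder(w)
	return func(ctx context.Context, input []byte) ([]byte, error) {
		start := time.Now()
		out, err := h(ctx, input)
		ev := SecurityEvent{Function: name, Outcome: "ok", InputBytes: len(input),
			DurationMS: time.Since(start).Milliseconds()}
		switch {
		case errors.Is(err, ErrRejected):
			ev.Outcome, ev.Error = "rejected", err.Error()
		case err != nil:
			ev.Outcome, ev.Error = "error", err.Error()
		}
		_ = enc.Encode(ev) // a logging failure must never change the response
		return out, err
	}
}
```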
LET’S TALK!
๏ @wickett
๏ http://info.signalsciences.com/book