Embed Size (px)
Citation preview
the Many-Faced Threatsto the serverless world
hi, I’m Yan Cui
AWS user since 2009
apr, 2016
nov, 2016
recording: https://www.youtube.com/watch?v=s4L5wjFlFzA
slides: http://bit.ly/2tHYFAM
blog posts: http://theburningmonk.com/yubls-road-to-serverless-architecture
Lambda is PCI DSS compliant!
https://aws.amazon.com/compliance/services-in-scope
Shared Responsibility Model
Shared Responsibility Model
protection from OS attacksAmazon automatically apply latest patches to host VMs
still have to patch your codevulnerable code, 3rd party dependencies, etc.
https://snyk.io/blog/owasp-top-10-breaches
Known Vulnerable Components cause 24% of the top 50 data breaches in 2016
https://snyk.io/blog/77-percent-of-sites-use-vulnerable-js-libraries
sanitise inputs & outputs(standardise and encapsulate into shared lib)
http://bit.ly/2gSHtay
Broken Access Control
Insecure Direct Object Reference
Information Leakage
GraphQL Injection
app dependency is a large attack surface
further compounded by transient dependencies
security updates are often bundled with unrelated feature and API changes
your security is as strong as its weakest link
OS
Application
Dependencies
physical infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Networkingruns on
needs
Source Code
has
maintains
OS
Application
Dependencies
physical infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Networking
needs
runs on this is where an attacker will target in a movie
Source Code
has
maintains
OS
Dependencies
physical infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Application
A9
Networkingruns on
needs
Source Code
has
maintains
A1, A3, …
people are often the WEAKEST link in the security chain
OS
Dependencies
physical infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Application
phishing…
Networkingruns on
needs
Source Code
has
maintains
OS
Dependencies
physical infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Application
brute force, known account leaks, …
Networkingruns on
needs
Source Code
has
maintains
OS
Dependencies
physical infrastructure
NPM Authors
Container
runs in
runs in
runs in
has
hosted by published by
pushes to
Developers
develops uses
Users
guardsprotects
Application
brute force, known account leaks, …
Networkingruns on
needs
Source Code
has
maintains
http://bit.ly/2sFDwYX
debug, request, react, co, express, moment, gulp, mongoose, mysql, bower, browserify, electron, jasmine, cheerio, modernizr, redux, …
http://bit.ly/2sFDwYX
total downloads/month of the unique packages which I got myself publish access to was 1 972 421 945, that's 20% of the total number of d/m directly.
20% of all monthly NPM downloads…
brute force
known account leaks from other sources
leaked NPM credentials (github, etc.)
http://bit.ly/2sFDwYX
662 users had password “123456” 172 — “123”
124 — “password”
WTF!?!?
oh god, that was too easy…
compromised package is a transient dependency
sigh…
still “works”…
NPM default - get latest “compatible” version, ie. 1.X.X
clean install (eg. on CI server) will download the latest, compromised package without any code change…
NPM default - get latest “compatible” version, ie. 1.X.X
use npm shrinkwrap or upgrade to NPM 5
imagine…
not specific to Node.js or NPM
Shared Responsibility Model
who can invoke the function?
what can the function access?
Least Privilege Principle
don’t leave insecure Lambda functions in VPC
per function policy
requires developer discipline(which means no one would do it)
IAM policies not versioned with Lambda functions
better in Serverless 1.X
AWS Lambda docs
Write your Lambda function code in a stateless style, and
ensure there is no affinity between your code and the
underlying compute infrastructure.
http://amzn.to/2jzLmkb
S3
AWS IoT
DynamoDB
RDS
EventStore
Elasticsearch Couchbase
Redshift
Neo4j
Google BigQuery
secure sensitive data both at rest and in-transit
leverage server-side encryption
use API key or IAM roles to protect internal APIs
Minimise function’s access
Least Privilege Principle
Disposability is a virtue
AWS Lambda docs
Delete old Lambda functions that you are no longer using.
http://amzn.to/2jzLmkb
easier said than done…
identifying component ownership in a big IT
organization is challenging
identifying ownership of individual functions is
much harder
more likely to scale through DoS attacks
DoS + per exec billing = Denial of Wallet problem
have to choose between a DoS and a DoW problem…
AWS Shield Advanced also gives you access to the AWS DDoS Response Team (DRT) and protection against DDoS
related spikes in your ELB, CloudFront or Route 53 charges.
async syncS3
SNS SES
CloudFormation CloudWatch Logs
CloudWatch Events Scheduled Events
CodeCommit AWS Config
http://amzn.to/2vs2lIg
Cognito Alexa Lex
API Gateway
streamsDynamoDB Stream
Kinesis Stream
Lambda handles retries (twice, then DLQ)
DoS attack 2+ Retries+
?
DoS attack Regex DoS attack
long Lambda timeout 2+ Retries+
?
Day 1
Day 2
no long-lived compromised servers
containers are reused, avoid sensitive data in /tmp
no accidentally exposed directories
monitor activities in unused regions using CloudWatch Events
set up billing alarms in unused regions
watertight compartments that can contain water in the case of hull breach or other leaks
Michael Nygard
Least Privilege Principle
per function policies
account level isolation
Recap
App dependencies is a much BIGGER attack surface than you probably realise
sanitise inputs and outputs
Least Privilege Principle
here’s your per function policy
NEXT!
S3
AWS IoT
DynamoDB
RDS
EventStore
Elasticsearch Couchbase
Redshift
Neo4j
Google BigQuery
encrypt data at rest
S3
AWS IoT
DynamoDB
RDS
EventStore
Elasticsearch Couchbase
Redshift
Neo4j
Google BigQuery
and in-transit
delete unused functions.
DoS DoW*
* Denial of Wallet
no server*
no OS attacks
no long lived compromised servers
* I know I know, there’s still a server somewhere, but it’s managed and secured by AWS engineers who can do a much better job of it than most of us can; and the servers are ephemeral and short-lived
don’t be an unwilling bit miner
don’t be an unwilling bit miner
safeguard your credentials…
prod dev
compartmentalise breaches
people are often the WEAKEST link in the security chain
@theburningmonktheburningmonk.comgithub.com/theburningmonk
