Has Your Security? Your Apps Have Gone Serverless. Rochester …€¦ · Your Apps Have Gone...
32
Tal Melamed Head of Security Research Protego Labs Your Apps Have Gone Serverless. Has Your Security? Rochester Security Summit 2018
Transcript of Has Your Security? Your Apps Have Gone Serverless. Rochester …€¦ · Your Apps Have Gone...
Tal MelamedHead of Security ResearchProtego Labs
Your Apps Have Gone Serverless.Has Your Security?
Rochester Security Summit 2018
2
w w w . p r o t e g o . i o
Follow me @
3
AgendaHousekeeping
What is Serverless?Is serverless security any different?
New Security ChallengesDemo
Top 10 Security RisksWrap-Up
4
www.hackerhalted.com 5
The Evolution of the Cloud
6
Serverless Basics
7
Why Does Serverless Security Any Different?
8
Gap Analysis
9
No ServersNo Perimeter
More ComplexityHigh Velocity
No Servers!Fine Grained
TransparencyEphemeral
10
Cons Pros
Top 10 - Candidates
11
Challenge
12
13
var s3 = new AWS.S3({apiVersion: '2006-03-01'});var params = {Bucket: 'myBucket', Key: imageFileName};var file = require('fs').createWriteStream('/tmp/file.jpg');s3.getObject(params).createReadStream().pipe(file);
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"] }]}
Security???
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::myBucket/*"] }]}
Of course I care about security
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:GetObject"], "Resource":["arn:aws:s3:::myBucket/*"] }]}
Least privilege*
Security Posture
14
15
Challenge
16
17
Security Observability
18
19
Challenge
20
21
Before After
Application Security
22
23
Demo: SlackAttack
24
25
The Setup
#1: Validate the Vulnerablity
26
#2: Extract the source code
#3: Read Environment Vars
#4: Impersonate the Function
#5: Steal Some Stuff
Attack Steps
27
Event InjectionVulnerable Dependencies
Open ResourcesOver-Privileged Functions
Sensitive Data ExposureDoW / DoS
Execution Flow ManipulationInsecure Shared Space
Insufficient Logging & MonitoringInsecure Secret Management
What can we do about it?
28
29
www.protego.io/blog
OWASP Serverless Top 10https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project
30
Get Involved
Get Going!
31
32
Thanks!
Tal Melamed
@_nu11p0inter
www.protego.io
@ProtegoLabs
Any questions?
