Transcript of "Your Apps Have Gone Serverless. Has Your Security?" (Rochester Security Summit 2018)
Tal Melamed, Head of Security Research, Protego Labs
Your Apps Have Gone Serverless. Has Your Security?
Rochester Security Summit 2018
www.protego.io
Follow me @
Agenda
- Housekeeping
- What is Serverless?
- Is serverless security any different?
- New Security Challenges
- Demo
- Top 10 Security Risks
- Wrap-Up
The Evolution of the Cloud
Serverless Basics
Why Is Serverless Security Any Different?
Gap Analysis
Cons / Pros (items from the slide):
- No Servers
- No Perimeter
- More Complexity
- High Velocity
- No Servers!
- Fine Grained
- Transparency
- Ephemeral
Top 10 - Candidates
Challenge
var AWS = require('aws-sdk');                     // import the snippet depends on
var s3 = new AWS.S3({apiVersion: '2006-03-01'});
// imageFileName is assumed to arrive in the function's input event
var params = {Bucket: 'myBucket', Key: imageFileName};
var file = require('fs').createWriteStream('/tmp/file.jpg');
s3.getObject(params).createReadStream().pipe(file);
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::*"]
  }]
}
Security???
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::myBucket/*"]
  }]
}
Of course I care about security
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::myBucket/*"]
  }]
}
Least privilege*
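Added example, not code from the talk or from Protego: a small audit that runs over the three policies above and reports what each still grants beyond what the getObject call needs. The required-action set ({"s3:GetObject"}) is an assumption taken from the code snippet.

```python
"""Audit an IAM policy for the least-privilege gaps shown on the slides:
wildcard actions, wildcard resources, and actions the function never needs.
Added example; the three policies are the ones from the talk."""
import json
from fnmatch import fnmatch

# Policy documents copied from the slides, as JSON strings.
POLICY_ALL_BUCKETS = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
                      ' "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}]}')
POLICY_ONE_BUCKET = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
                     ' "Action": ["s3:*"], "Resource": ["arn:aws:s3:::myBucket/*"]}]}')
POLICY_LEAST = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
                ' "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::myBucket/*"]}]}')

def _as_list(value):
    """IAM lets Action and Resource be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy_json, required_actions):
    """Return findings for every Allow statement in the policy.

    required_actions is the set of actions the function actually calls
    (the slide's getObject needs only "s3:GetObject"). Anything granted
    beyond that, and any wildcard resource, is reported; a required action
    that no statement grants is reported as well.
    """
    policy = json.loads(policy_json)
    findings, granted = [], []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for action in _as_list(stmt.get("Action")):
            granted.append(action)
            if "*" in action:
                findings.append(f"stmt[{idx}]: wildcard action {action!r}")
            elif action not in required_actions:
                findings.append(f"stmt[{idx}]: unneeded action {action!r}")
        for res in _as_list(stmt.get("Resource")):
            # "arn:aws:s3:::*" and "*" mean every bucket in the account
            if res.rsplit(":", 1)[-1] == "*":
                findings.append(f"stmt[{idx}]: wildcard resource {res!r}")
    for needed in sorted(required_actions):
        # fnmatch makes "s3:*" count as granting "s3:GetObject"
        if not any(fnmatch(needed, g) for g in granted):
            findings.append(f"required action {needed!r} is not granted")
    return findings
```

Only the third policy comes back clean; the first two are flagged for the `s3:*` action, and the first also for the account-wide resource.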
Security Posture
Challenge
Security Observability
Challenge
Before / After
Application Security
Demo: SlackAttack
The Setup
Attack Steps
#1: Validate the Vulnerability
#2: Extract the source code
#3: Read Environment Vars
#4: Impersonate the Function
#5: Steal Some Stuff
Top 10 candidates:
- Event Injection
- Vulnerable Dependencies
- Open Resources
- Over-Privileged Functions
- Sensitive Data Exposure
- DoW (Denial of Wallet) / DoS
- Execution Flow Manipulation
- Insecure Shared Space
- Insufficient Logging & Monitoring
- Insecure Secret Management
What can we do about it?
www.protego.io/blog
OWASP Serverless Top 10
https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project
Get Involved
Get Going!
Thanks!
Tal Melamed
@_nu11p0inter
www.protego.io
@ProtegoLabs
Any questions?