Transcript of the slide deck "Securing Serverless - By Breaking In" (Guy Podjarny, Snyk)
Page 1
snyk.io
Securing Serverless - By Breaking In
Guy Podjarny, Snyk @guypod
Page 2
About Me
• Guy Podjarny, @guypod on Twitter
• CEO & Co-founder at Snyk
• History:
• Cyber Security part of Israel Defense Forces
• First Web App Firewall (AppShield), Dynamic/Static Tester (AppScan)
• Security: Worked in Sanctum -> Watchfire -> IBM
• Performance: Founded Blaze -> CTO @Akamai
• O’Reilly author, speaker
Page 3
Serverless Security: The Theory (talk from ServerlessConf)
https://www.youtube.com/watch?v=CiyUD_rI8D8
https://www.infoq.com/articles/serverless-security
Page 4
Today - straight to practice!
Page 5
Agenda
• Show a demo serverless app
• Hack it
• Explain the security flaws and how to fix them
• Summary
• Q&A
Page 6
Going Terminal…
Page 7
Vulnerable Libraries
Page 8
Example: Fetch file & store in s3 (Serverless Framework Example)
19 Lines of Code
2 Direct dependencies
19 dependencies (incl. indirect)
191,155 Lines of Code
Page 9 (image only, no slide text)
Page 10
Serverless does secure OS dependencies
Just not app dependencies
Page 11
1. Beware Vulnerable Libraries (test during dev, monitor over time)
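The "fetch file & store in S3" slide makes the point that a 19-line function ships with 19 packages and roughly 191,000 lines of other people's code, and that the platform patches the OS but not those packages. The following is an added example, not code from the talk or from Snyk: it walks a lock file to count what was declared against what is actually installed, then crosses the installed set against an advisory feed. The lock file, the package names and versions, and the advisories are all constructed for the example; a real check would read the project's package-lock.json and a real advisory database, and would be re-run on a schedule because new advisories land against versions that were clean at deploy time.

```python
import json

# Constructed package-lock.json (lockfileVersion 2 layout): "packages" is keyed
# by path under node_modules and "" is the root project. Package names and
# versions are hypothetical.
LOCKFILE_JSON = """
{
  "name": "fetch-and-store",
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"tiny-fetch": "^1.4.0", "s3-put": "^3.0.0"}},
    "node_modules/tiny-fetch": {"version": "1.4.2", "dependencies": {"cookie-jar": "^2.1.0"}},
    "node_modules/cookie-jar": {"version": "2.1.3", "dependencies": {"path-glob": "^0.9.0"}},
    "node_modules/path-glob": {"version": "0.9.1"},
    "node_modules/s3-put": {"version": "3.0.4", "dependencies": {"path-glob": "^1.0.0"}},
    "node_modules/s3-put/node_modules/path-glob": {"version": "1.0.2"}
  }
}
"""

# Constructed advisory feed: every version of the package below fixed_in is affected.
ADVISORIES = [
    {"package": "cookie-jar", "fixed_in": "2.1.4", "title": "ReDoS in cookie parsing (hypothetical)"},
    {"package": "path-glob", "fixed_in": "1.0.0", "title": "path traversal in glob expansion (hypothetical)"},
]


def load_lockfile(text=LOCKFILE_JSON):
    return json.loads(text)


def parse_version(version):
    """'1.4.2' -> (1, 4, 2); sufficient for the plain numeric versions used here."""
    return tuple(int(part) for part in version.split("."))


def installed_packages(lockfile):
    """Yield (name, version, path) for every installed package. Nested copies
    (node_modules/a/node_modules/b) are separate installs and are listed too."""
    for path, entry in lockfile["packages"].items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[1]
        yield name, entry["version"], path


def dependency_summary(lockfile):
    """Count what the developer declared versus what actually ships in the bundle."""
    direct = lockfile["packages"][""].get("dependencies", {})
    return {"direct": len(direct), "installed": sum(1 for _ in installed_packages(lockfile))}


def vulnerable_packages(lockfile, advisories=ADVISORIES):
    """Cross the installed set against the advisory feed. The same package can
    be installed twice at different versions; only the affected copy is reported."""
    findings = []
    for name, version, path in installed_packages(lockfile):
        for adv in advisories:
            if adv["package"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({"package": name, "version": version, "path": path, "title": adv["title"]})
    return findings


if __name__ == "__main__":
    lock = load_lockfile()
    print(dependency_summary(lock))
    for f in vulnerable_packages(lock):
        print(f"{f['package']}@{f['version']} at {f['path']}: {f['title']}")
```

Two declared packages become five installs here, and the vulnerable copy of path-glob is the one pulled in transitively, two levels down, while the nested 1.0.2 copy under s3-put is clean. That is the shape of the problem the slide describes: the exposure lives in code nobody on the team chose directly.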
Page 12
Side Note: Snyk isn’t only for Serverless
Page 13
Denial of Service
Page 14
2. ReDoS can still be costly (won’t take you down, but can hike up bill)
Page 15
Beware Resource Exhaustion Attacks
Not all your services elastically scale
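Point 2 and the resource-exhaustion slide both describe a denial of service that does not look like one on a serverless platform: a request that makes a function spin until its timeout does not take the service down, because the platform just runs more copies, but every copy is billed for its full duration and every copy holds a connection to whatever non-elastic service sits behind it. The block below is an added example, not from the talk: it shows the regex shape behind a ReDoS, measures how the work grows with input length, and adds the cheap guard that stops an attacker from choosing how long an invocation runs. The regexes and the field-length cap are constructed for the example.

```python
import re
import time

# Nested quantifier: on a near-miss input such as "aaaa!" the engine tries every
# way of splitting the run of a's between the inner and outer groups before
# giving up, so the work grows exponentially with the length of the run.
VULNERABLE_RE = re.compile(r"^(a+)+$")
# Same language, no nesting: a single pass, linear in the input length.
SAFE_RE = re.compile(r"^a+$")

# Hypothetical cap for a field that is never legitimately long; derive it from real data.
MAX_FIELD_LEN = 256


def timed_match(pattern, text):
    """Return (matched, seconds) for a single evaluation."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def backtracking_growth(pattern, lengths=(10, 14, 18)):
    """Time the pattern against 'a'*n + '!' for each n. For the vulnerable regex
    the time roughly doubles with every extra character; for the safe one it is flat."""
    return [(n, timed_match(pattern, "a" * n + "!")[1]) for n in lengths]


def guarded_match(pattern, text, max_len=MAX_FIELD_LEN):
    """Fail fast on oversize input so no request can make the invocation run
    until the function timeout. Returns (accepted, matched)."""
    if len(text) > max_len:
        return False, None
    return True, pattern.match(text) is not None


if __name__ == "__main__":
    for n, secs in backtracking_growth(VULNERABLE_RE):
        print(f"vulnerable n={n:>6}: {secs:.4f}s")
    for n, secs in backtracking_growth(SAFE_RE, lengths=(10, 1000, 100000)):
        print(f"safe       n={n:>6}: {secs:.6f}s")
    print(guarded_match(VULNERABLE_RE, "a" * 5000 + "!"))
```

The length cap is the serverless-specific part: on a server a ReDoS costs you availability, on a function it costs you memory-seconds times however many concurrent copies the attacker can trigger, so bounding the work per invocation is what bounds the bill. Apply the same thinking to anything downstream that does not scale with you (a relational database, a third-party API with a rate limit): cap concurrency on the function and keep per-invocation work small, because the platform will happily scale the attack for you.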
Page 16
Secrets
Page 17
3. Avoid secrets in deployed code (env variables aren’t enough - use a KMS!)
Page 18
Serverless platforms offer a Key Management System
Just use it!
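Point 3 says environment variables are not enough, and the reason is that anyone who can read the function's configuration (a deploy role, a leaked CLI credential, a CI log that dumps it) reads the secret in the clear. The pattern the slides recommend is to store only a KMS ciphertext there and decrypt in the function. The block below is an added example of that pattern, not code from the talk or from any AWS SDK: the decrypt call has the shape of boto3's `kms.decrypt(CiphertextBlob=..., EncryptionContext=...)`, but the client is a constructed offline stand-in, and the function name, variable names and ciphertext bytes are hypothetical. The part worth copying is the encryption context, which binds a ciphertext to one function so a blob lifted from another function's configuration is useless.

```python
import base64
import os

# Encryption context is authenticated by KMS: a ciphertext produced under one
# context cannot be decrypted under another. Function name is hypothetical.
ENCRYPTION_CONTEXT = {"function": "fetchAndStore"}


class InvalidCiphertextException(Exception):
    """Mirrors the exception name a real KMS client raises on a bad blob or context."""


class FakeKms:
    """Offline stand-in for boto3.client('kms'). decrypt() takes the same keyword
    arguments and returns the same {'Plaintext': bytes} shape; a lookup table
    replaces the real key material so the example runs without AWS."""

    def __init__(self, table):
        self._table = table  # ciphertext bytes -> (plaintext bytes, context dict)

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        if CiphertextBlob not in self._table:
            raise InvalidCiphertextException("unknown ciphertext")
        plaintext, ctx = self._table[CiphertextBlob]
        if ctx != (EncryptionContext or {}):
            raise InvalidCiphertextException("encryption context mismatch")
        return {"Plaintext": plaintext}


_cache = {}  # plaintext lives only in the container's memory


def get_secret(env_name, kms, environ=None):
    """Decrypt the base64 KMS ciphertext stored in an environment variable.

    Decryption happens once per container (cold start) and is reused by warm
    invocations; the deployed configuration never holds the secret itself."""
    environ = os.environ if environ is None else environ
    if env_name not in _cache:
        blob = base64.b64decode(environ[env_name])
        result = kms.decrypt(CiphertextBlob=blob, EncryptionContext=ENCRYPTION_CONTEXT)
        _cache[env_name] = result["Plaintext"].decode()
    return _cache[env_name]


def demo():
    """Constructed scenario: one ciphertext was encrypted for this function, the
    other was copied out of a different function's configuration."""
    ours = b"\x01ciphertext-for-fetchAndStore"
    theirs = b"\x01ciphertext-for-otherFunction"
    kms = FakeKms({
        ours: (b"s3cr3t-api-key", {"function": "fetchAndStore"}),
        theirs: (b"other-functions-key", {"function": "otherFunction"}),
    })
    env = {
        "API_KEY_CIPHERTEXT": base64.b64encode(ours).decode(),
        "STOLEN_CIPHERTEXT": base64.b64encode(theirs).decode(),
    }
    results = {"own": get_secret("API_KEY_CIPHERTEXT", kms, env)}
    try:
        get_secret("STOLEN_CIPHERTEXT", kms, env)
        results["stolen"] = "decrypted (should not happen)"
    except InvalidCiphertextException as exc:
        results["stolen"] = f"refused: {exc}"
    return results


if __name__ == "__main__":
    print(demo())
```

In a real deployment the ciphertext is produced once, out of band, with the same context (for example `aws kms encrypt --key-id <key> --plaintext <value> --encryption-context function=fetchAndStore`), the function's role gets `kms:Decrypt` on that one key and nothing else, and the key policy can further restrict the context. Reading the function configuration then yields a blob that only that function, running under that role, can turn back into the secret.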
Page 19
Granularity
Page 20
4. Deploy granular functions (shared function code = greater exposure)
Page 21
AWS Security Policy (diagram: a scale from Easier to Safer, with Policy 1, Policy 2 and Policy 3 laid along it)
Page 22
Permissions
Page 23
5. Use Granular Policies (only allow each function its minimum permissions)
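Points 4 and 5 belong together: once each function is deployed on its own, each can carry its own policy, and the "easier" shape on the AWS Security Policy slide (one role for the whole service) is exactly what turns a bug in one function into access to everything. The block below is an added example, not from the talk: it builds a per-function policy document from an inventory of what each function actually does, lints any policy for wildcards, and measures the blast radius of the shared policy against the granular one by asking, for a few actions an attacker inside the compromised function might try, which ones the shared role would have allowed. The function names, bucket, table and account number are hypothetical, and the policy evaluator is deliberately simplified (no Deny statements, conditions or permission boundaries).

```python
import json
from fnmatch import fnmatchcase

# Constructed inventory of what each function in the demo app needs.
FUNCTION_NEEDS = {
    "fetchAndStore": [
        {"actions": ["s3:PutObject"], "resources": ["arn:aws:s3:::example-uploads/incoming/*"]},
    ],
    "listUploads": [
        {"actions": ["s3:ListBucket"], "resources": ["arn:aws:s3:::example-uploads"]},
    ],
    "recordUpload": [
        {"actions": ["dynamodb:PutItem"],
         "resources": ["arn:aws:dynamodb:us-east-1:123456789012:table/uploads"]},
    ],
}

# The "easier" shape: one role for the whole service, wide enough for everyone.
SHARED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}],
}


def policy_for(function_name):
    """Per-function policy document built from FUNCTION_NEEDS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(n["actions"]), "Resource": sorted(n["resources"])}
            for n in FUNCTION_NEEDS[function_name]
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource):
    """Simplified IAM evaluation: True if any Allow statement matches both the
    action (case-insensitive, '*' wildcards) and the resource ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
        resource_ok = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def findings(policy):
    """Lint: report Allow statements that use wildcard actions or resources."""
    out = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for a in _as_list(stmt["Action"]):
            if a == "*" or a.endswith(":*"):
                out.append(f"statement {i}: wildcard action {a}")
        for r in _as_list(stmt["Resource"]):
            if r == "*":
                out.append(f"statement {i}: wildcard resource *")
    return out


def blast_radius(function_name, probes):
    """Given (action, resource) pairs an attacker inside this function might try,
    return those the shared policy allows but the function's own policy does not."""
    granular = policy_for(function_name)
    return [(a, r) for a, r in probes if allows(SHARED_POLICY, a, r) and not allows(granular, a, r)]


if __name__ == "__main__":
    print(json.dumps(policy_for("fetchAndStore"), indent=2))
    print(findings(SHARED_POLICY))
    print(blast_radius("fetchAndStore", [
        ("s3:DeleteObject", "arn:aws:s3:::example-uploads/incoming/x.bin"),
        ("dynamodb:Scan", "arn:aws:dynamodb:us-east-1:123456789012:table/uploads"),
    ]))
```

Run this as a gate in the deployment pipeline: refuse to deploy a function whose policy has findings, and keep the inventory next to the code so that adding a new API call to a function is a reviewed change to its permissions rather than a silent widening of a shared role.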
Page 24
A function is a perimeter that needs to be secured (diagram: each function drawn with its own perimeter)
Page 25
Immutability
Page 26
6. Don’t rely on immutability (Lambda - and others - reuse servers)
Page 27
Serverless user is typically Low Privilege
Reducing impact substantially, but not eliminating it
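Point 6 is easy to misread as "nothing persists". What actually persists is the execution environment: the loaded module with its globals, and the writable scratch directory (/tmp on Lambda), for as long as the platform keeps that container warm, across many requests from many callers. The low-privilege runtime user limits what a compromise can do to the host, but it can still write those two places, which is all a payload needs to outlive the request that planted it. The block below is an added example, not from the talk: it simulates a warm container with a module that stays loaded and a scratch directory that stands in for /tmp, shows a handler that trusts leftovers from earlier invocations being turned against a later caller, and a hardened version that keeps state per invocation. Tenant names, templates and the phishing text are constructed.

```python
import os
import shutil
import tempfile

# Simulated warm container: this module stays loaded between invocations, so
# its globals persist, and the scratch directory (standing in for /tmp) persists with it.
SCRATCH_DIR = tempfile.mkdtemp(prefix="lambda-tmp-")
_template_cache = {}  # lives as long as the container does
TRUSTED_TEMPLATES = {"acme": "Hello, {name}"}  # would come from versioned configuration


def leaky_handler(event):
    """Constructed handler that trusts whatever earlier invocations left behind:
    an optional 'template' is cached in memory and written to scratch space,
    keyed by nothing more than the caller-supplied tenant."""
    tenant = event["tenant"]
    path = os.path.join(SCRATCH_DIR, f"{tenant}.tmpl")
    os.makedirs(SCRATCH_DIR, exist_ok=True)
    if "template" in event:
        _template_cache[tenant] = event["template"]
        with open(path, "w") as fh:
            fh.write(event["template"])
    template = _template_cache.get(tenant)
    if template is None and os.path.exists(path):  # leftover from a previous request
        with open(path) as fh:
            template = fh.read()
    if template is None:
        template = TRUSTED_TEMPLATES.get(tenant, "Hello, {name}")
    return template.format(name=event["name"])


def hardened_handler(event):
    """Same feature, per-invocation state only: templates come from trusted
    configuration, never from the request, and anything this invocation needs
    on disk goes in a fresh directory that is removed before returning."""
    os.makedirs(SCRATCH_DIR, exist_ok=True)
    workdir = tempfile.mkdtemp(dir=SCRATCH_DIR)
    try:
        template = TRUSTED_TEMPLATES.get(event["tenant"], "Hello, {name}")
        rendered = template.format(name=event["name"])
        with open(os.path.join(workdir, "greeting.txt"), "w") as fh:  # e.g. staging an upload
            fh.write(rendered)
        return rendered
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


def warm_container_demo():
    """Requests on one container: an attacker plants a template for tenant 'acme',
    a legitimate 'acme' request follows, then the in-memory cache is cleared to
    show that the scratch file alone keeps the payload alive."""
    os.makedirs(SCRATCH_DIR, exist_ok=True)
    _template_cache.clear()
    attacker = {"tenant": "acme", "name": "Mallory",
                "template": "Session expired, {name}. Sign in again at http://evil.example/"}
    victim = {"tenant": "acme", "name": "Bob"}
    results = {
        "leaky_attacker": leaky_handler(attacker),
        "leaky_victim_from_cache": leaky_handler(victim),
    }
    _template_cache.clear()
    results["leaky_victim_from_scratch"] = leaky_handler(victim)
    results["hardened_victim"] = hardened_handler(victim)
    shutil.rmtree(SCRATCH_DIR, ignore_errors=True)
    return results


if __name__ == "__main__":
    for k, v in warm_container_demo().items():
        print(f"{k}: {v}")
```

The rule that falls out of this: treat module globals and /tmp as a cache that may have been written by a hostile previous request, never as a source of truth. Derive anything security-relevant from trusted configuration or a verified store on every invocation, and if you must keep files between requests, key them by something the caller cannot choose and check their integrity before use.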
Page 28
7. Worry about all functions (Every available function increases your attack surface)
Page 29
Security in Serverless (the slide places each area on a Better / Neutral / Worse scale for serverless):
• Vulnerabilities in your code
• Vulnerable App Dependencies
• Permissions
• Securing Data at rest
• Vulnerable OS Dependencies
• Denial of Service
• Long-lived Compromised Servers
• Third Party Services
• Attack Surface
• Security Monitoring
Page 30
Serverless is defined now. Let’s build Security in.
Thank You!
Guy Podjarny, Snyk @guypod
More to come: Microservices Panel, Mon, 5:25pm
Serverless AMA, Wed, 2:55pm