SlideShare ist ein Scribd-Unternehmen logo
1 von 39
Downloaden Sie, um offline zu lesen
Singapore | 28 Feb - 01 Mar 2019
An Attacker's View of Serverless
and GraphQL Apps
Sharath Kumar Ramadas
Singapore | 28 Feb - 01 Mar 2019
About Me
• Lead Solutions Engineer
• we45 - An AppSec Company
• Trainer - DevSecOps, Containers & Serverless
• Developer - DVFAAS, Orchestron &
ThreatPlayBook
• Developer → DevOps → DevSecOps
@sharathkramadas
@sharathkramadas
Singapore | 28 Feb - 01 Mar 2019
Agenda
• Intro to Serverless
• Serverless Attacks
• Intro to GraphQL
• GraphQL Attacks
• Demos
Singapore | 28 Feb - 01 Mar 2019
SERVERLESS
Singapore | 28 Feb - 01 Mar 2019
Serverless
• Functions deployed as ephemeral
containers/vms
• Functions As A Service (FAAS)
• Event trigger architecture
• Supports major runtimes
• Python, NodeJS, C#, GO, Ruby
• Custom runtime also
Singapore | 28 Feb - 01 Mar 2019
Serverless Journey
Singapore | 28 Feb - 01 Mar 2019
Functions
Singapore | 28 Feb - 01 Mar 2019
Why Serverless?
• Pay per usage
• No server management
• Microservices Friendly
• Auto-Scalable
• Focus on code/features, don’t worry
about servers
Singapore | 28 Feb - 01 Mar 2019
FAAS Providers
Singapore | 28 Feb - 01 Mar 2019
Architecture
Singapore | 28 Feb - 01 Mar 2019
Serverless Use-Cases
• ChatBots
• Event driven apps
• Notification Channels (SMS, Email)
• Scheduled Jobs
• Product websites
• Lot more …..
Singapore | 28 Feb - 01 Mar 2019
Let’s Deploy!
Singapore | 28 Feb - 01 Mar 2019
Functions with Events
Singapore | 28 Feb - 01 Mar 2019
An Attacker’s View
• Functions are still code
• No frameworks involved
• Functions as events increases attack surface
• Developers are new to servers
• Still needs configuration
Singapore | 28 Feb - 01 Mar 2019
Attackers are Snipers!
• Aimed
• Committed
• Patient
• Invisible
• Takes clear Shot
Singapore | 28 Feb - 01 Mar 2019
Claim your expenses
Singapore | 28 Feb - 01 Mar 2019
Extensive Privileged Functions
• Functions with extensive privileges lead to infrastructure compromise
• Cloud providers store secrets in plain text
• Misconfigured roles can lead to wide spectrum of attacks
• Events are most vulnerable due to lack of Authentication and
Authorization
• Pay per usage model turns out to be expensive.
Singapore | 28 Feb - 01 Mar 2019
Accenture S3 Breach
Singapore | 28 Feb - 01 Mar 2019
Fedex Breach
Singapore | 28 Feb - 01 Mar 2019
Serverless Top 10
• Event data injection
• Broken Authentication
• Insecure deployment configuration
• Over privileged function permissions & roles
• Inadequate function monitoring and logging
• Insecure 3rd party dependencies
• Insecure application secrets storage
• DOS and Financial resource exhaustion
• Function Execution Flow Manipulation
• Improper Exception Handling and Verbose Error Messages
Singapore | 28 Feb - 01 Mar 2019
Serverless (Security) Best Practices
• Functions with minimal access credentials
• Remove insecure dependencies before production
• Run SAST scans before code commit
• Restrict memory usage for a function
• Encrypt the secrets avoid environment variables
• Use FAAS providers authorization for access control (ex: AWS Cognito)
• Write security test cases and run in CI/CD
@sharathkramadas
Singapore | 28 Feb - 01 Mar 2019
GraphQL
Singapore | 28 Feb - 01 Mar 2019
GraphQL
• A query language for API
• Tech from Facebook
• Query what you want forget about the ‘REST’
• Single endpoint for API calls
• Lightweight
Singapore | 28 Feb - 01 Mar 2019
REST GraphQL
VS
Singapore | 28 Feb - 01 Mar 2019
Terminology
• Type
• Schema
• Query
• Mutation
• Subscription
• Introspection
• Schema Stitching
Singapore | 28 Feb - 01 Mar 2019
Let’s Demo
Singapore | 28 Feb - 01 Mar 2019
An Attacker’s View
• No response size limiting
• Introspection is nice!
• Single endpoint access control
Singapore | 28 Feb - 01 Mar 2019
Demo
Want to get more powers!
Singapore | 28 Feb - 01 Mar 2019
Mass Assignment
• Frameworks allow to save the raw dump of HTTP request data
• Attackers can guess the sensitive fields
• Sensitive fields can allow to escalate privileges
• GraphQL has introspection enabled by default
• Introspection leaks the sensitive fields information
• GraphQL supports JSON Scalar
Singapore | 28 Feb - 01 Mar 2019
GitHub Attack
Singapore | 28 Feb - 01 Mar 2019
Let’s burn few dollars
Singapore | 28 Feb - 01 Mar 2019
Serverless Cost
Singapore | 28 Feb - 01 Mar 2019
Resource Exhaustion
• aka Denial-Of-Service attack
• Overwhelmed requests to crash the server
• Causes memory leak and resource exhaust
• Serverless + GraphQL = (pay per usage + scale)
• 2 million requests * 3 dollar per query = (I will live it to your
imagination!)
Singapore | 28 Feb - 01 Mar 2019
Recent Attack
Singapore | 28 Feb - 01 Mar 2019
GraphQL (Security) Best Practices
• Disable introspection
• Disable playground in production
• Limit the query size
• Depth limiting for nested queries
• Avoid scalars use input types
Singapore | 28 Feb - 01 Mar 2019
Hack It Yourself!
https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service
Singapore | 28 Feb - 01 Mar 2019
Things to consider
• OWASP Top 10
• Serverless Top 10
• SAST and SCA tools
• Threat-Modeling
Singapore | 28 Feb - 01 Mar 2019
Key Takeaways
• Serverless security is still an application security problem
• Roles and Permissions should be well thought of
• Secure coding practices need to be followed
• Resource limitations is highly recommended
Singapore | 28 Feb - 01 Mar 2019
Thank You
@sharathkramadas
@sharathkramadas

Weitere ähnliche Inhalte

Was ist angesagt?

I Love APIs 2015: Apigee and Node.js Building Mock Backends Fast
I Love APIs 2015: Apigee and Node.js Building Mock Backends FastI Love APIs 2015: Apigee and Node.js Building Mock Backends Fast
I Love APIs 2015: Apigee and Node.js Building Mock Backends FastApigee | Google Cloud
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon
 
Building Resilient Microservices
Building Resilient Microservices Building Resilient Microservices
Building Resilient Microservices IndicThreads
 
Serverless integration - Logic Apps the most comprehensive integration service
Serverless integration - Logic Apps the most comprehensive integration serviceServerless integration - Logic Apps the most comprehensive integration service
Serverless integration - Logic Apps the most comprehensive integration serviceBizTalk360
 
Will ServerLess kill containers and Operations
Will ServerLess kill containers and OperationsWill ServerLess kill containers and Operations
Will ServerLess kill containers and OperationsStephane Woillez
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon
 
IoTCraft - Chennai - meetup - ZettaJS - IoT Intro
IoTCraft  - Chennai - meetup - ZettaJS - IoT IntroIoTCraft  - Chennai - meetup - ZettaJS - IoT Intro
IoTCraft - Chennai - meetup - ZettaJS - IoT IntroAnil Sagar
 
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouseapidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouseapidays
 
Doing more with Static Sites + Transcription and Sentiment Analysis Pipeline ...
Doing more with Static Sites + Transcription and Sentiment Analysis Pipeline ...Doing more with Static Sites + Transcription and Sentiment Analysis Pipeline ...
Doing more with Static Sites + Transcription and Sentiment Analysis Pipeline ...Daniel Zivkovic
 
Zetta: An API First Platform
Zetta: An API First PlatformZetta: An API First Platform
Zetta: An API First PlatformAPI Meetup
 
Move Fast;Stay Safe:Developing & Deploying the Netflix API
Move Fast;Stay Safe:Developing & Deploying the Netflix APIMove Fast;Stay Safe:Developing & Deploying the Netflix API
Move Fast;Stay Safe:Developing & Deploying the Netflix APISangeeta Narayanan
 
Edge API BaaS Deep-Dive: Streamline app development
Edge API BaaS Deep-Dive: Streamline app developmentEdge API BaaS Deep-Dive: Streamline app development
Edge API BaaS Deep-Dive: Streamline app developmentApigee | Google Cloud
 
Developer Services: Making Developers Successful
Developer Services: Making Developers SuccessfulDeveloper Services: Making Developers Successful
Developer Services: Making Developers SuccessfulApigee | Google Cloud
 
Adapt or Die DevJam: San Francisco, Sept 27 2016
Adapt or Die DevJam: San Francisco, Sept 27 2016Adapt or Die DevJam: San Francisco, Sept 27 2016
Adapt or Die DevJam: San Francisco, Sept 27 2016Apigee | Google Cloud
 
Deep Dive: Strategic Importance of BaaS
Deep Dive: Strategic Importance of BaaSDeep Dive: Strategic Importance of BaaS
Deep Dive: Strategic Importance of BaaSApigee | Google Cloud
 

Was ist angesagt? (20)

I Love APIs 2015: Apigee and Node.js Building Mock Backends Fast
I Love APIs 2015: Apigee and Node.js Building Mock Backends FastI Love APIs 2015: Apigee and Node.js Building Mock Backends Fast
I Love APIs 2015: Apigee and Node.js Building Mock Backends Fast
 
Data Driven Security
Data Driven SecurityData Driven Security
Data Driven Security
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
 
Building Resilient Microservices
Building Resilient Microservices Building Resilient Microservices
Building Resilient Microservices
 
Serverless integration - Logic Apps the most comprehensive integration service
Serverless integration - Logic Apps the most comprehensive integration serviceServerless integration - Logic Apps the most comprehensive integration service
Serverless integration - Logic Apps the most comprehensive integration service
 
API Design Workflows
API Design WorkflowsAPI Design Workflows
API Design Workflows
 
Will ServerLess kill containers and Operations
Will ServerLess kill containers and OperationsWill ServerLess kill containers and Operations
Will ServerLess kill containers and Operations
 
Webcast: Apigee Edge Product Demo
Webcast: Apigee Edge Product DemoWebcast: Apigee Edge Product Demo
Webcast: Apigee Edge Product Demo
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
 
IoTCraft - Chennai - meetup - ZettaJS - IoT Intro
IoTCraft  - Chennai - meetup - ZettaJS - IoT IntroIoTCraft  - Chennai - meetup - ZettaJS - IoT Intro
IoTCraft - Chennai - meetup - ZettaJS - IoT Intro
 
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouseapidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
 
Doing more with Static Sites + Transcription and Sentiment Analysis Pipeline ...
Doing more with Static Sites + Transcription and Sentiment Analysis Pipeline ...Doing more with Static Sites + Transcription and Sentiment Analysis Pipeline ...
Doing more with Static Sites + Transcription and Sentiment Analysis Pipeline ...
 
Zetta: An API First Platform
Zetta: An API First PlatformZetta: An API First Platform
Zetta: An API First Platform
 
APIs: The New Security Layer
APIs: The New Security LayerAPIs: The New Security Layer
APIs: The New Security Layer
 
Move Fast;Stay Safe:Developing & Deploying the Netflix API
Move Fast;Stay Safe:Developing & Deploying the Netflix APIMove Fast;Stay Safe:Developing & Deploying the Netflix API
Move Fast;Stay Safe:Developing & Deploying the Netflix API
 
Edge API BaaS Deep-Dive: Streamline app development
Edge API BaaS Deep-Dive: Streamline app developmentEdge API BaaS Deep-Dive: Streamline app development
Edge API BaaS Deep-Dive: Streamline app development
 
Developer Services: Making Developers Successful
Developer Services: Making Developers SuccessfulDeveloper Services: Making Developers Successful
Developer Services: Making Developers Successful
 
Adapt or Die DevJam: San Francisco, Sept 27 2016
Adapt or Die DevJam: San Francisco, Sept 27 2016Adapt or Die DevJam: San Francisco, Sept 27 2016
Adapt or Die DevJam: San Francisco, Sept 27 2016
 
Deep Dive: Strategic Importance of BaaS
Deep Dive: Strategic Importance of BaaSDeep Dive: Strategic Importance of BaaS
Deep Dive: Strategic Importance of BaaS
 

Ähnlich wie DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps Sharath Kumar Ramadas

DevSecCon singapore 2019 Kunal Relan
DevSecCon singapore 2019 Kunal RelanDevSecCon singapore 2019 Kunal Relan
DevSecCon singapore 2019 Kunal RelanKunal Relan
 
Pros & Cons of Microservices Architecture
Pros & Cons of Microservices ArchitecturePros & Cons of Microservices Architecture
Pros & Cons of Microservices ArchitectureAshwini Kuntamukkala
 
Tokyo Azure Meetup #5 - Microservices and Azure Service Fabric
Tokyo Azure Meetup #5 - Microservices and Azure Service FabricTokyo Azure Meetup #5 - Microservices and Azure Service Fabric
Tokyo Azure Meetup #5 - Microservices and Azure Service FabricTokyo Azure Meetup
 
What serverless means for enterprise apps
What serverless means for enterprise appsWhat serverless means for enterprise apps
What serverless means for enterprise appsSumit Sarkar
 
(SACON) Anant Shrivastava - cloud pentesting
(SACON) Anant Shrivastava - cloud pentesting(SACON) Anant Shrivastava - cloud pentesting
(SACON) Anant Shrivastava - cloud pentestingPriyanka Aash
 
NUS-ISS Learning Day 2018- Designing software to make the most of cloud platf...
NUS-ISS Learning Day 2018- Designing software to make the most of cloud platf...NUS-ISS Learning Day 2018- Designing software to make the most of cloud platf...
NUS-ISS Learning Day 2018- Designing software to make the most of cloud platf...NUS-ISS
 
Azuresatpn19 - An Introduction To Azure Data Factory
Azuresatpn19 - An Introduction To Azure Data FactoryAzuresatpn19 - An Introduction To Azure Data Factory
Azuresatpn19 - An Introduction To Azure Data FactoryRiccardo Perico
 
Hybrid Integration with BizTalk Server - ACSUG
Hybrid Integration with BizTalk Server - ACSUGHybrid Integration with BizTalk Server - ACSUG
Hybrid Integration with BizTalk Server - ACSUGWagner Silveira
 
Serverless: Market Overview and Investment Opportunities
Serverless: Market Overview and Investment OpportunitiesServerless: Market Overview and Investment Opportunities
Serverless: Market Overview and Investment OpportunitiesUnderscore VC
 
Serverless in the Azure World
Serverless in the Azure WorldServerless in the Azure World
Serverless in the Azure WorldKasun Kodagoda
 
ServiceFabric-Arch
ServiceFabric-ArchServiceFabric-Arch
ServiceFabric-ArchSaravanan G
 
The Future of Serverless
The Future of ServerlessThe Future of Serverless
The Future of ServerlessWSO2
 
Anatomy of an Enterprise Integration Architecture
Anatomy of an Enterprise Integration ArchitectureAnatomy of an Enterprise Integration Architecture
Anatomy of an Enterprise Integration ArchitectureDaniel Toomey
 
ArchitectNow - Designing Cloud-Native apps in Microsoft Azure
ArchitectNow  -  Designing Cloud-Native apps in Microsoft AzureArchitectNow  -  Designing Cloud-Native apps in Microsoft Azure
ArchitectNow - Designing Cloud-Native apps in Microsoft AzureKevin Grossnicklaus
 
2 speed it powered by microsoft azure
2 speed it powered by microsoft azure2 speed it powered by microsoft azure
2 speed it powered by microsoft azureMichael Stephenson
 
Comparing Legacy and Modern e-commerce solutions
Comparing Legacy and Modern e-commerce solutionsComparing Legacy and Modern e-commerce solutions
Comparing Legacy and Modern e-commerce solutionsMike Ensor
 

Ähnlich wie DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps Sharath Kumar Ramadas (20)

DevSecCon singapore 2019 Kunal Relan
DevSecCon singapore 2019 Kunal RelanDevSecCon singapore 2019 Kunal Relan
DevSecCon singapore 2019 Kunal Relan
 
Pros & Cons of Microservices Architecture
Pros & Cons of Microservices ArchitecturePros & Cons of Microservices Architecture
Pros & Cons of Microservices Architecture
 
Tokyo Azure Meetup #5 - Microservices and Azure Service Fabric
Tokyo Azure Meetup #5 - Microservices and Azure Service FabricTokyo Azure Meetup #5 - Microservices and Azure Service Fabric
Tokyo Azure Meetup #5 - Microservices and Azure Service Fabric
 
What serverless means for enterprise apps
What serverless means for enterprise appsWhat serverless means for enterprise apps
What serverless means for enterprise apps
 
(SACON) Anant Shrivastava - cloud pentesting
(SACON) Anant Shrivastava - cloud pentesting(SACON) Anant Shrivastava - cloud pentesting
(SACON) Anant Shrivastava - cloud pentesting
 
NUS-ISS Learning Day 2018- Designing software to make the most of cloud platf...
NUS-ISS Learning Day 2018- Designing software to make the most of cloud platf...NUS-ISS Learning Day 2018- Designing software to make the most of cloud platf...
NUS-ISS Learning Day 2018- Designing software to make the most of cloud platf...
 
Azuresatpn19 - An Introduction To Azure Data Factory
Azuresatpn19 - An Introduction To Azure Data FactoryAzuresatpn19 - An Introduction To Azure Data Factory
Azuresatpn19 - An Introduction To Azure Data Factory
 
Hybrid Integration with BizTalk Server - ACSUG
Hybrid Integration with BizTalk Server - ACSUGHybrid Integration with BizTalk Server - ACSUG
Hybrid Integration with BizTalk Server - ACSUG
 
Serverless: Market Overview and Investment Opportunities
Serverless: Market Overview and Investment OpportunitiesServerless: Market Overview and Investment Opportunities
Serverless: Market Overview and Investment Opportunities
 
Serverless in the Azure World
Serverless in the Azure WorldServerless in the Azure World
Serverless in the Azure World
 
ServiceFabric-Arch
ServiceFabric-ArchServiceFabric-Arch
ServiceFabric-Arch
 
Serverless
ServerlessServerless
Serverless
 
The Future of Serverless
The Future of ServerlessThe Future of Serverless
The Future of Serverless
 
Anatomy of an Enterprise Integration Architecture
Anatomy of an Enterprise Integration ArchitectureAnatomy of an Enterprise Integration Architecture
Anatomy of an Enterprise Integration Architecture
 
ArchitectNow - Designing Cloud-Native apps in Microsoft Azure
ArchitectNow  -  Designing Cloud-Native apps in Microsoft AzureArchitectNow  -  Designing Cloud-Native apps in Microsoft Azure
ArchitectNow - Designing Cloud-Native apps in Microsoft Azure
 
2 speed it powered by microsoft azure
2 speed it powered by microsoft azure2 speed it powered by microsoft azure
2 speed it powered by microsoft azure
 
Super charged prototyping
Super charged prototypingSuper charged prototyping
Super charged prototyping
 
Azure functions serverless
Azure functions serverlessAzure functions serverless
Azure functions serverless
 
Comparing Legacy and Modern e-commerce solutions
Comparing Legacy and Modern e-commerce solutionsComparing Legacy and Modern e-commerce solutions
Comparing Legacy and Modern e-commerce solutions
 
Tech Talks Microservices
Tech Talks MicroservicesTech Talks Microservices
Tech Talks Microservices
 

Mehr von DevSecCon

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon
 
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon
 
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...DevSecCon
 
DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)
DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)
DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)DevSecCon
 
DevSecCon London 2018: Security in the serverless world
DevSecCon London 2018: Security in the serverless worldDevSecCon London 2018: Security in the serverless world
DevSecCon London 2018: Security in the serverless worldDevSecCon
 
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...DevSecCon
 
DevSecCon London 2018: Whatever happened to attack aware applications?
DevSecCon London 2018: Whatever happened to attack aware applications?DevSecCon London 2018: Whatever happened to attack aware applications?
DevSecCon London 2018: Whatever happened to attack aware applications?DevSecCon
 
DevSecCon London 2018: A Journey to Continuous Cloud Compliance
DevSecCon London 2018: A Journey to Continuous Cloud ComplianceDevSecCon London 2018: A Journey to Continuous Cloud Compliance
DevSecCon London 2018: A Journey to Continuous Cloud ComplianceDevSecCon
 
DevSecCon London 2018: Securing a web app: business security VS the OWASP top 10
DevSecCon London 2018: Securing a web app: business security VS the OWASP top 10DevSecCon London 2018: Securing a web app: business security VS the OWASP top 10
DevSecCon London 2018: Securing a web app: business security VS the OWASP top 10DevSecCon
 

Mehr von DevSecCon (20)

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heel
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOps
 
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
 
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
 
DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)
DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)
DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)
 
DevSecCon London 2018: Security in the serverless world
DevSecCon London 2018: Security in the serverless worldDevSecCon London 2018: Security in the serverless world
DevSecCon London 2018: Security in the serverless world
 
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...
 
DevSecCon London 2018: Whatever happened to attack aware applications?
DevSecCon London 2018: Whatever happened to attack aware applications?DevSecCon London 2018: Whatever happened to attack aware applications?
DevSecCon London 2018: Whatever happened to attack aware applications?
 
DevSecCon London 2018: A Journey to Continuous Cloud Compliance
DevSecCon London 2018: A Journey to Continuous Cloud ComplianceDevSecCon London 2018: A Journey to Continuous Cloud Compliance
DevSecCon London 2018: A Journey to Continuous Cloud Compliance
 
DevSecCon London 2018: Securing a web app: business security VS the OWASP top 10
DevSecCon London 2018: Securing a web app: business security VS the OWASP top 10DevSecCon London 2018: Securing a web app: business security VS the OWASP top 10
DevSecCon London 2018: Securing a web app: business security VS the OWASP top 10
 

Kürzlich hochgeladen

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 

Kürzlich hochgeladen (20)

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 

DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps Sharath Kumar Ramadas

  • 1. Singapore | 28 Feb - 01 Mar 2019 An Attacker's View of Serverless and GraphQL Apps Sharath Kumar Ramadas
  • 2. Singapore | 28 Feb - 01 Mar 2019 About Me • Lead Solutions Engineer • we45 - An AppSec Company • Trainer - DevSecOps, Containers & Serverless • Developer - DVFAAS, Orchestron & ThreatPlayBook • Developer → DevOps → DevSecOps @sharathkramadas @sharathkramadas
  • 3. Singapore | 28 Feb - 01 Mar 2019 Agenda • Intro to Serverless • Serverless Attacks • Intro to GraphQL • GraphQL Attacks • Demos
  • 4. Singapore | 28 Feb - 01 Mar 2019 SERVERLESS
  • 5. Singapore | 28 Feb - 01 Mar 2019 Serverless • Functions deployed as ephemeral containers/vms • Functions As A Service (FAAS) • Event trigger architecture • Supports major runtimes • Python, NodeJS, C#, GO, Ruby • Custom runtime also
  • 6. Singapore | 28 Feb - 01 Mar 2019 Serverless Journey
  • 7. Singapore | 28 Feb - 01 Mar 2019 Functions
  • 8. Singapore | 28 Feb - 01 Mar 2019 Why Serverless? • Pay per usage • No server management • Microservices Friendly • Auto-Scalable • Focus on code/features, don’t worry about servers
  • 9. Singapore | 28 Feb - 01 Mar 2019 FAAS Providers
  • 10. Singapore | 28 Feb - 01 Mar 2019 Architecture
  • 11. Singapore | 28 Feb - 01 Mar 2019 Serverless Use-Cases • ChatBots • Event driven apps • Notification Channels (SMS, Email) • Scheduled Jobs • Product websites • Lot more …..
  • 12. Singapore | 28 Feb - 01 Mar 2019 Let’s Deploy!
  • 13. Singapore | 28 Feb - 01 Mar 2019 Functions with Events
  • 14. Singapore | 28 Feb - 01 Mar 2019 An Attacker’s View • Functions are still code • No frameworks involved • Functions as events increases attack surface • Developers are new to servers • Still needs configuration
  • 15. Singapore | 28 Feb - 01 Mar 2019 Attackers are Snipers! • Aimed • Committed • Patient • Invisible • Takes clear Shot
  • 16. Singapore | 28 Feb - 01 Mar 2019 Claim your expenses
  • 17. Singapore | 28 Feb - 01 Mar 2019 Extensive Privileged Functions • Functions with extensive privileges lead to infrastructure compromise • Cloud providers store secrets in plain text • Misconfigured roles can lead to wide spectrum of attacks • Events are most vulnerable due to lack of Authentication and Authorization • Pay per usage model turns out to be expensive.
  • 18. Singapore | 28 Feb - 01 Mar 2019 Accenture S3 Breach
  • 19. Singapore | 28 Feb - 01 Mar 2019 Fedex Breach
  • 20. Singapore | 28 Feb - 01 Mar 2019 Serverless Top 10 • Event data injection • Broken Authentication • Insecure deployment configuration • Over privileged function permissions & roles • Inadequate function monitoring and logging • Insecure 3rd party dependencies • Insecure application secrets storage • DOS and Financial resource exhaustion • Function Execution Flow Manipulation • Improper Exception Handling and Verbose Error Messages
  • 21. Singapore | 28 Feb - 01 Mar 2019 Serverless (Security) Best Practices • Functions with minimal access credentials • Remove insecure dependencies before production • Run SAST scans before code commit • Restrict memory usage for a function • Encrypt the secrets avoid environment variables • Use FAAS providers authorization for access control (ex: AWS Cognito) • Write security test cases and run in CI/CD @sharathkramadas
  • 22. Singapore | 28 Feb - 01 Mar 2019 GraphQL
  • 23. Singapore | 28 Feb - 01 Mar 2019 GraphQL • A query language for API • Tech from Facebook • Query what you want forget about the ‘REST’ • Single endpoint for API calls • Lightweight
  • 24. Singapore | 28 Feb - 01 Mar 2019 REST GraphQL VS
  • 25. Singapore | 28 Feb - 01 Mar 2019 Terminology • Type • Schema • Query • Mutation • Subscription • Introspection • Schema Stitching
  • 26. Singapore | 28 Feb - 01 Mar 2019 Let’s Demo
  • 27. Singapore | 28 Feb - 01 Mar 2019 An Attacker’s View • No response size limiting • Introspection is nice! • Single endpoint access control
  • 28. Singapore | 28 Feb - 01 Mar 2019 Demo Want to get more powers!
  • 29. Singapore | 28 Feb - 01 Mar 2019 Mass Assignment • Frameworks allow to save the raw dump of HTTP request data • Attackers can guess the sensitive fields • Sensitive fields can allow to escalate privileges • GraphQL has introspection enabled by default • Introspection leaks the sensitive fields information • GraphQL supports JSON Scalar
  • 30. Singapore | 28 Feb - 01 Mar 2019 GitHub Attack
  • 31. Singapore | 28 Feb - 01 Mar 2019 Let’s burn few dollars
  • 32. Singapore | 28 Feb - 01 Mar 2019 Serverless Cost
  • 33. Singapore | 28 Feb - 01 Mar 2019 Resource Exhaustion • aka Denial-Of-Service attack • Overwhelmed requests to crash the server • Causes memory leak and resource exhaust • Serverless + GraphQL = (pay per usage + scale) • 2 million requests * 3 dollar per query = (I will live it to your imagination!)
  • 34. Singapore | 28 Feb - 01 Mar 2019 Recent Attack
  • 35. Singapore | 28 Feb - 01 Mar 2019 GraphQL (Security) Best Practices • Disable introspection • Disable playground in production • Limit the query size • Depth limiting for nested queries • Avoid scalars use input types
  • 36. Singapore | 28 Feb - 01 Mar 2019 Hack It Yourself! https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service
  • 37. Singapore | 28 Feb - 01 Mar 2019 Things to consider • OWASP Top 10 • Serverless Top 10 • SAST and SCA tools • Threat-Modeling
  • 38. Singapore | 28 Feb - 01 Mar 2019 Key Takeaways • Serverless security is still an application security problem • Roles and Permissions should be well thought of • Secure coding practices need to be followed • Resource limitations is highly recommended
  • 39. Singapore | 28 Feb - 01 Mar 2019 Thank You @sharathkramadas @sharathkramadas