Slides from my talk at ServerlessConf NYC 2017.
The talk will cover the various aspects of reducing the attack surface on serverless applications with an emphasis on maintaining least privileged access. I’ll cover the possible ways for attackers to leverage an overly permissive application and what might be the impacts of such attempts. In the talk, I’ll present a demo of an open source tool which can help you maintain least privileged roles and policies for your Lambda functions and reduce the overall attack surface on your serverless application.
2. Avi Shulman
Co Founder & CTO @ PureSec
Serverless Security Expert
Security Research - F5 Networks, Argus, Israel Defense Forces
Twitter - @Shulik
3. What Will You Hear About Today?
What influences Serverless attack surface?
What are the exploitability options?
What can be done to minimize the risks?
6. Executes our code
Manages scalability
Keeps data safe in transit
Patches the operating system
Provides isolation
“...IN CLOUD WE TRUST”
CLOUD PROVIDER
7. The Cloud “Operating System”
2
4
1
3
5
Functions
Storage
API Gateways
Streams
Databases
Queues
30. of serverless projects on Github are
improperly configured and
probability contain over privileged
roles
31. Minimize the Attack Surface with PureSec’s Serverless Plugin
Auto-magically creates least privileged
IAM roles for you – with the minimum required
permissions
Reduces the attack surface of
Serverless applications on AWS
Currently supported runtimes: Python & Node.js
Currently supported services: DynamoDB, Kinesis,
KMS, Lambda, S3, SES, SNS & Step Functions
Works with the Serverless Framework
34. Minimize the risk
Construct a proper threat model
Follow best practices and tips
Keep least privileged permissions
Integrate suitable detection and response solutions
PureSec – A security platform for serverless architectures.
Over the past year I have been researching serverless security
Share my perspectives regarding what…
What influences the attack surface – serverless changes the way we build applications – how these changes influence the security and the attack surface.
What are the exploitability options – how attackers think. How attackers can leverage the changes that serverless development brings.
What can be done to minimize the risk – what actions can we take to reduce probability of being successfully attacked.
Shared responsibility concept. – Mark has already mentioned it earlier today, but please notice the great animation
Cloud computing evolution.
The cloud provider is now responsible more layers.
Executes our code – after deploying our functions we trust the cloud provider to execute them.
Manages scalability – we trust that the scale of the application will be fully managed by the providers.
Keeps data safe in transit - when an event is passed to a function we trust that is happened securely.
Patches the operating system – the image of the container in which our code is executed.
Keeps the libraries up-to-date.
Enforces the required permissions.
Provides the required Isolation – between different functions and different customers.
Serverless is not only the compute functionality. Array of services and tools.
The compute part links all the services together.
One term to describe what serverless creates is a Cloud Operating System.
This is important because ... When analyzing and thinking about the attack surface in serverless, we should think about all the components we have, including the services we use.
Every configuration in a service that is connected to our functions – is important for analyzing the attack surface.
Let’s see an example of how a serverless architecture may look like.
1. A quite complicated architecture.
2. How many entry points does this application have?
3. Where should we put the security controls?
4. What are all the possible flows?
5. How can we define what might go wrong?
Understand – an event driven architecture with limited control.
Visualize – distributed logic, micro services.
Test –
How do we test the attack surface when we have difficulties debugging?
How do we perform penetration testing in such applications?
Influential factors on the attack surface:
Complex data flows –
Difficult to trace – API Gateway -> Lambda -> S3 -> Lambda
Traditional security –
What kind of security controls can we enforce?
How do we protect event driven applications?
What shall we do when the operating system and the network are abstracted?
For those of you who wondered.. It's not a real book :)
1. A potential course of events may be…
1. Vulnerability in the cPickle library in Python
2. Deserialization of Untrusted Data
More influential factors are...
Many functions, many IAM roles.
Instead of having several servers, we now have many Lambda functions (AWS), many DynamoDB tables and S3 Buckets…
Lack of visibility – black box.
Tracing requests, having a good understand of what’s going on.
In serverless it becomes easy to add input sources and create new entry points to the system. Increases the probability of having a misconfigured entry point.
CICD processes become much faster, code is easily added to production. It’s harder to remove pieces of code.
1. As you’ve seen in the previous slides…
Speak only about identifying the access
1. This is what an attacker can do if he an over privileged compromised Lambda function.
1. Let’s talk about over permissive roles …
1. Do you want to guess how many projects contain iamRolesStatement?
1. Happy to introduce PureSec’s serverless plugin
Threat modeling –
What is the application is supposed to do?
What the application shouldn’t allow to do?
Trust Level
External dependencies
Entry points
Best practices
Development – input validation, popular frameworks.
Use static & dynamic analysis tools.
Scan for vulnerabilities in 3rd libraries and check their integrity.
Use single purpose functions and limit the functions that have access to sensitive data.
Don’t embed secrets and access keys in code.
Least privileged –
Functions
Deployment System
Solutions. That suite.