SlideShare a Scribd company logo

Red team-view-gaps-in-the-serverless-application-attack-surface

Priyanka Aash
Priyanka Aash

Source : RSA Conference

Technology
1 of 32
#RSAC SESSION ID: Mike Cotton Red Team View: Gaps in the Serverless Attack Surface. CSV-W12 SVP Research & Development Digital Defense Inc.
#RSAC Overview 2 Shift in Technology -> Shift in Tactics – Serverless Another Major Phase of the Web – From a Security Perspective Maybe Most Significant Shift – We’ve Already Seen The Beginnings of This o Rampant Leaking of Data Cloud Storage Services o Didn’t Make the Technology ‘Customer Proof’ – This Talk Aims to Help Close the Gap o Red Team: (Assessment / PT) -> New Tactics You Can Use o Blue Team: (Dev / DevOps) Ways to Better Lock Down Your Systems
#RSAC Shift in Technology => Shift in Tactics 3 Not a theoretical talk – Going through Real World Examples – Technical Details & Demos – New Tactics We’re Using General Components – API Lambda / Cloud-Function Layer – Looking for Peer Infrastructure – Cloud Storage Layer
Problems
#RSAC API Security / Modern MVVM Frameworks 5 The LAMP Era Had Some Advantages – Hard to Believe but this is True! – Server-Side Rending Masked API and App Details – Administrative Functions Had to be Inferred from Frameworks Modern Javascript Client-Side UI -> API Apps – This is the Typical Stack Deployment for Serverless o Similar to MEAN / MERN, But with Dynamo and Node Runs in Lambda o Android and IOS Mobile Apps: AWS Amplify SDK to API in Cloud – API is the remote interface so it’s not a black box
#RSAC Modern Cloud / App - Complexity 6 Much Steeper Learning Curve Create-React-App HelloWorld – Plus Amplify SDK init APIS – 33,000+ Files in HelloWorld Dir – 85 Files Excluding node_modules – Many Things Being Done For You
#RSAC API Security / Modern MVVM Frameworks 7 Sometimes Partial Security Controls Can Be Problematic – Good Enough to Pass Muster With Dev / Test / DevOps – Lulls you into sense of security – Keep out random pranksters / sweeps – Determined attackers find exposed systems – Bottom Line – It’s important to understand the details
#RSAC PenTest Experience : Undocumented API’s 8 The Basis for Most Custom Discoveries – Target the Infrastructure / Framework – Target the API’s Directly Security Disclosures – Our Zero-Day Advisories (Over 20 in Last 2 Years) o VMWare, Sonicwall, Veritas, ManageEngine, EMC,NUUO, Avaya, etc. Mostly Appliance API abuse. o Bottom Line: Sophisticated Developers Still Have Challenges w/ This. – Similarities to What We See in the Cloud/Serverless: API Abuses o Theme is: Enumerate -> Tamper -> Obtain Admin Access o Complexity of SaaS Disclosures
#RSAC Types of Protection (AWS-Lambda / AWS-Mobile) 9
#RSAC In the Details 10 Public – You Can Access it with Curl – You’ll know format just from Javascript Debugger Protected – Adds in HMAC SHA256 Signing via client token – Client Side Key: AccessKeyID, SecretKey obtained via Cognito Private – Similar Signing Protections to Protected but – Couples that with Authentication, SessionKey
#RSAC Working w/ Protected APIs [DEMO] 11
#RSAC Note On: Key Patterns / AWS-Labs / Git-Secrets
#RSAC API SDK Client-Server Signing HMAC Code Details … Various Versions and Configurations of this – Wraps both Pre-Auth and Post-Auth on Non Public Functions. o AWS This Comes Through Amplify – Key Attributes Are Typically o Signs Headers / Timestamp / Body / Instance Referenced o HMAC SHA256 of the Payload – Can Extract Identity Pool / Keys from Client Debuggers
#RSAC Mobile App -> Protected / Private APIS 14 Mobile Apps: API Enum / Key Retrieval can be Challenging – Particularly if SSL Certificate Pinning Enabled – Prevents MITM even with an SSL Proxy + Root Cert Install Some Tools to Help Here: – Frida-Server - Android Debugger Instrumentation Framework – ADB: Android Debug Bridge (Standard Component) – Genymotion Cloud Android Emulator o Useful for Emulating Various OS Versions o Can Also Use a Local Device Instead of This
#RSAC Dumping Keys / API Calls from Apps … 15
#RSAC Extracting API Endpoints / Keys (Android) [DEMO] 16
#RSAC Recent Experiences With Enumeration & Signing Keys – Start Tampering with API Calls Most Common Patterns – Protected Calls which Should Be Private / Limited o No Validation Check Other Than Signing Layer o Data Leakage / Denial of Wallet Scenarios o Use of Privileged Keys in Apps – Post-Auth Services With Privilege Abuses o Takes Client ID from Request Body Rather then Session o Allowing for Queries and Posts on other Users o Allows Non-Privileged Users to Execute Admin Calls • CreateUserAccount • ModifyPrivileges
#RSAC API Abuse - Real-World [DEMO]
#RSAC SSL Certificate Transparency Infrastructure 19 Built Due to Rogue Certificate Creation – Industry Consortium – Registrars Public Certificate Log – i.e. https://transparencyreport.google.com/https/certificates?hl=en For Serverless Discovery replacing Older Mechanisms – i.e. Nmap Sweeps / Public CIDR Ownership Lookups – We already know the ports, and the hosts are fluid – SSL Use Has Exploded w/ Automated Certificates (i.e. LetsEncrypt) – Browser and Integrations Problems w/o Trusted Connections
#RSAC Cloaked Development Infrastructure 20 New Trend Seen in Assessment Work – Second Layer of Accessible Peer Infrastructure o Development / Testing / Staging Purposes o Often Times the Weak Point in Primary System Compromise • Substantially Weaker / Still w/ Privileged Access Tie-ins. • Similar to Kill Chain Mechanics Against Internal Targets  Compromise Weaker Nodes -> Gain Creds / Access -> Take Primary – Not something traditional architectures have suffered from o Traditional Workflow • Development / Testing Happened Locally • Security Tested / Shipped to Production
#RSAC Cloaked Infrastructure Discovery 21 Common Patterns: Look for Common Naming Patterns – Dev,Prod,Test,Stable,DevStable,etc. Dev Instances Often Are: – More Open Access / More Open to Trivial User Account Combos – Contain Primary Lineup Access Mechanisms o Embedded Privileged Accounts o Valid API Tokens
#RSAC Why This Happens … 22 – Key Drivers Appear to Be o Difficulty of Running the Serverless Service Infrastructure Locally • Services AWS Lambda / DynamoDB / Difficult to Simulate Locally for Development Purposes • Work Being Done in this Area (i.e. ‘Serverless Framework’)  But Production Needs are Running Ahead o Desire for a Uniform Working Deployment Model o Distributed Workforce Can Complicate Remote Access Controls o Not Enough Concern About the Security of Development Test Instances and the Data they Contain.
#RSAC Proper Scoping … 23 Constant Shifting Targets Distributed Nature of Applications Means OSInt Phase need to be beefed up. – Need to Scope Application Subcomponents Differently. – Consider Changing PT Methodology to Allow for Discovery / Enumeration and Dynamic Scope w/ Client. – Have to Avoid Redeployments which can Upend Instances and Permissions
#RSAC Cloud Storage Layer 24 A lot already written on this – Layering on personal experiences from assessment work o Buckets with permissions issues continue to be a huge problem. o Real world: seeing issues > 25% of the time they are in play. o Mostly likely subcomponent to be compromised o Can totally unwind an otherwise secure stack – Since 2016 Changes w/ Certificate Manager o Often encounter Bucket -> Cloudfront -> Webroot o PKI allows for targeting buckets that were previously obscure o Improvements made to permissions in this area, but people still struggling
#RSAC Cloud Storage Layer 25 Typically we’re looking for: – Application API Keys o Generated by developers or users for automated access o By design are long-lived and do not require two-factor o Typically from privileged accounts o Rarely restricted to a handful of calls, typically have full user rights. – Passwords in configuration files – Infrastructure Keys Which can o Don’t target the app but the cloud infrastructure itself o The sorts of configs your local utility scripts use
Solutions
#RSAC Apply, Locking Things Down … Next two-weeks you should: – Identify the serverless infrastructure used by your organization. o (Both production systems and development / test systems) o Use Billing Reports to Help Hunt Down any Rogue Lineups – Implement a repository-credentials protection system o This is important even if you have a private/restricted repo. o Major Cloud Vendors Have Projects to Help You with This • Azure: CredScan Built Task Utility (https://secdevtools.azurewebsites.net/helpcredscan.html) • Amazon: Git-Secrets Github Project (https://github.com/awslabs/git-secrets)
#RSAC Repository Key Protections When Implementing Protections: – Important to: o Scan Existing Repositories when First Implementing Protections o Ensure that Contrib History Does not Still Retain ‘Deleted’ Credentials o Invalidate any keys discovered, even in private repositories. o Check all new checkins / reject bad commits in real-time.
#RSAC AWS-Labs / Git Secrets (Discussion)
#RSAC Apply, Continued … Within one Month: – Verify there is no publically accessible non-production infrastructure o Run Certificate Transparency Queries on Your Systems / Domains • https://transparencyreport.google.com/https/certificates?hl=en • Look For Common Development Patterns (prod,dev,test,stable) – Sit with your development team o Gain an understand of your current API security controls • Map out all the endpoints for each app, and their access levels  Discuss use of public / private / protected APIs  Make a plan to restrict endpoints as necessary in new releases. • Talk through potential rogue-client & app scenarios
#RSAC Apply, Continued … Within 3 months – Move any development or test instances and lineups: o To alternate domains not easily associated with your primary o Regenerate associated SSL certificates and configurations. – Ensure all privileged API keys are accounted for and have appropriate access limits. o Use IAM users and roles and to grant access and set least privilege. • Many times this is loose during development push, not cleaned up later on o Ensure there is a hard line between development key / instance rights and production keys / instances. o Invalidate and re-issue all keys / roles if original controls were not sufficient.
Questions? / Thank You! Contact: Mike.Cotton@digitaldefense.com

Recommended

Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programPriyanka Aash
 
Advanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to usAdvanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to usPriyanka Aash
 
Security precognition chaos engineering in incident response
Security precognition chaos engineering in incident responseSecurity precognition chaos engineering in incident response
Security precognition chaos engineering in incident responsePriyanka Aash
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSPriyanka Aash
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiAllanGray11
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryPriyanka Aash
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsPriyanka Aash
 
Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverPriyanka Aash
 

Recommended

Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programPriyanka Aash
 
Advanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to usAdvanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to usPriyanka Aash
 
Security precognition chaos engineering in incident response
Security precognition chaos engineering in incident responseSecurity precognition chaos engineering in incident response
Security precognition chaos engineering in incident responsePriyanka Aash
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSPriyanka Aash
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiAllanGray11
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryPriyanka Aash
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsPriyanka Aash
 
Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverPriyanka Aash
 
Agile Security—Field of Dreams
Agile Security—Field of DreamsAgile Security—Field of Dreams
Agile Security—Field of DreamsPriyanka Aash
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainPriyanka Aash
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020OWASP
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowPriyanka Aash
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)Jonathan Cran
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Priyanka Aash
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPriyanka Aash
 
FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentPriyanka Aash
 
Building and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramBuilding and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramPriyanka Aash
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Priyanka Aash
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
Leveraging red for defense
Leveraging red for defenseLeveraging red for defense
Leveraging red for defensePriyanka Aash
 
Making Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalMaking Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalPriyanka Aash
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityFrank Kim
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorjtmelton
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesPriyanka Aash
 
Westjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightWestjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightPriyanka Aash
 
Ten Tenets of CISO Success
Ten Tenets of CISO SuccessTen Tenets of CISO Success
Ten Tenets of CISO SuccessFrank Kim
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or diePriyanka Aash
 

More Related Content

What's hot

Agile Security—Field of Dreams
Agile Security—Field of DreamsAgile Security—Field of Dreams
Agile Security—Field of DreamsPriyanka Aash
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainPriyanka Aash
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020OWASP
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowPriyanka Aash
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)Jonathan Cran
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Priyanka Aash
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPriyanka Aash
 
FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentPriyanka Aash
 
Building and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramBuilding and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramPriyanka Aash
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Priyanka Aash
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
Leveraging red for defense
Leveraging red for defenseLeveraging red for defense
Leveraging red for defensePriyanka Aash
 
Making Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalMaking Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalPriyanka Aash
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityFrank Kim
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorjtmelton
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesPriyanka Aash
 
Westjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightWestjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightPriyanka Aash
 
Ten Tenets of CISO Success
Ten Tenets of CISO SuccessTen Tenets of CISO Success
Ten Tenets of CISO SuccessFrank Kim
 

What's hot (20)

Agile Security—Field of Dreams
Agile Security—Field of DreamsAgile Security—Field of Dreams
Agile Security—Field of Dreams
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for Cloud
 
FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container Deployment
 
Building and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramBuilding and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security Program
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
 
Leveraging red for defense
Leveraging red for defenseLeveraging red for defense
Leveraging red for defense
 
Making Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalMaking Threat Intelligence Actionable Final
Making Threat Intelligence Actionable Final
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensor
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven Methodologies
 
Westjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightWestjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It Right
 
Ten Tenets of CISO Success
Ten Tenets of CISO SuccessTen Tenets of CISO Success
Ten Tenets of CISO Success
 

Similar to Red team-view-gaps-in-the-serverless-application-attack-surface

I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or diePriyanka Aash
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityKarthik Gaekwad
 
rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczPaula Januszkiewicz
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityPriyanka Aash
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryPriyanka Aash
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...Paula Januszkiewicz
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesPriyanka Aash
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPriyanka Aash
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing3S Labs
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
RSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityRSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityScott Carlson
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchSpencer Koch
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...Aaron Rinehart
 

Similar to Red team-view-gaps-in-the-serverless-application-attack-surface (20)

I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native Security
 
rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewicz
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security Headaches
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing
 
Meetup callback
Meetup callbackMeetup callback
Meetup callback
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
RSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityRSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud Security
 
The Pivot
The PivotThe Pivot
The Pivot
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 

Recently uploaded (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 

Red team-view-gaps-in-the-serverless-application-attack-surface

  • 1. #RSAC SESSION ID: Mike Cotton Red Team View: Gaps in the Serverless Attack Surface. CSV-W12 SVP Research & Development Digital Defense Inc.
  • 2. #RSAC Overview 2 Shift in Technology -> Shift in Tactics – Serverless Another Major Phase of the Web – From a Security Perspective Maybe Most Significant Shift – We’ve Already Seen The Beginnings of This o Rampant Leaking of Data Cloud Storage Services o Didn’t Make the Technology ‘Customer Proof’ – This Talk Aims to Help Close the Gap o Red Team: (Assessment / PT) -> New Tactics You Can Use o Blue Team: (Dev / DevOps) Ways to Better Lock Down Your Systems
  • 3. #RSAC Shift in Technology => Shift in Tactics 3 Not a theoretical talk – Going through Real World Examples – Technical Details & Demos – New Tactics We’re Using General Components – API Lambda / Cloud-Function Layer – Looking for Peer Infrastructure – Cloud Storage Layer
  • 5. #RSAC API Security / Modern MVVM Frameworks 5 The LAMP Era Had Some Advantages – Hard to Believe but this is True! – Server-Side Rending Masked API and App Details – Administrative Functions Had to be Inferred from Frameworks Modern Javascript Client-Side UI -> API Apps – This is the Typical Stack Deployment for Serverless o Similar to MEAN / MERN, But with Dynamo and Node Runs in Lambda o Android and IOS Mobile Apps: AWS Amplify SDK to API in Cloud – API is the remote interface so it’s not a black box
  • 6. #RSAC Modern Cloud / App - Complexity 6 Much Steeper Learning Curve Create-React-App HelloWorld – Plus Amplify SDK init APIS – 33,000+ Files in HelloWorld Dir – 85 Files Excluding node_modules – Many Things Being Done For You
  • 7. #RSAC API Security / Modern MVVM Frameworks 7 Sometimes Partial Security Controls Can Be Problematic – Good Enough to Pass Muster With Dev / Test / DevOps – Lulls you into sense of security – Keep out random pranksters / sweeps – Determined attackers find exposed systems – Bottom Line – It’s important to understand the details
  • 8. #RSAC PenTest Experience : Undocumented API’s 8 The Basis for Most Custom Discoveries – Target the Infrastructure / Framework – Target the API’s Directly Security Disclosures – Our Zero-Day Advisories (Over 20 in Last 2 Years) o VMWare, Sonicwall, Veritas, ManageEngine, EMC,NUUO, Avaya, etc. Mostly Appliance API abuse. o Bottom Line: Sophisticated Developers Still Have Challenges w/ This. – Similarities to What We See in the Cloud/Serverless: API Abuses o Theme is: Enumerate -> Tamper -> Obtain Admin Access o Complexity of SaaS Disclosures
  • 9. #RSAC Types of Protection (AWS-Lambda / AWS-Mobile) 9
  • 10. #RSAC In the Details 10 Public – You Can Access it with Curl – You’ll know format just from Javascript Debugger Protected – Adds in HMAC SHA256 Signing via client token – Client Side Key: AccessKeyID, SecretKey obtained via Cognito Private – Similar Signing Protections to Protected but – Couples that with Authentication, SessionKey
  • 11. #RSAC Working w/ Protected APIs [DEMO] 11
  • 12. #RSAC Note On: Key Patterns / AWS-Labs / Git-Secrets
  • 13. #RSAC API SDK Client-Server Signing HMAC Code Details … Various Versions and Configurations of this – Wraps both Pre-Auth and Post-Auth on Non Public Functions. o AWS This Comes Through Amplify – Key Attributes Are Typically o Signs Headers / Timestamp / Body / Instance Referenced o HMAC SHA256 of the Payload – Can Extract Identity Pool / Keys from Client Debuggers
  • 14. #RSAC Mobile App -> Protected / Private APIS 14 Mobile Apps: API Enum / Key Retrieval can be Challenging – Particularly if SSL Certificate Pinning Enabled – Prevents MITM even with an SSL Proxy + Root Cert Install Some Tools to Help Here: – Frida-Server - Android Debugger Instrumentation Framework – ADB: Android Debug Bridge (Standard Component) – Genymotion Cloud Android Emulator o Useful for Emulating Various OS Versions o Can Also Use a Local Device Instead of This
  • 15. #RSAC Dumping Keys / API Calls from Apps … 15
  • 16. #RSAC Extracting API Endpoints / Keys (Android) [DEMO] 16
  • 17. #RSAC Recent Experiences With Enumeration & Signing Keys – Start Tampering with API Calls Most Common Patterns – Protected Calls which Should Be Private / Limited o No Validation Check Other Than Signing Layer o Data Leakage / Denial of Wallet Scenarios o Use of Privileged Keys in Apps – Post-Auth Services With Privilege Abuses o Takes Client ID from Request Body Rather then Session o Allowing for Queries and Posts on other Users o Allows Non-Privileged Users to Execute Admin Calls • CreateUserAccount • ModifyPrivileges
  • 18. #RSAC API Abuse - Real-World [DEMO]
  • 19. #RSAC SSL Certificate Transparency Infrastructure 19 Built Due to Rogue Certificate Creation – Industry Consortium – Registrars Public Certificate Log – i.e. https://transparencyreport.google.com/https/certificates?hl=en For Serverless Discovery replacing Older Mechanisms – i.e. Nmap Sweeps / Public CIDR Ownership Lookups – We already know the ports, and the hosts are fluid – SSL Use Has Exploded w/ Automated Certificates (i.e. LetsEncrypt) – Browser and Integrations Problems w/o Trusted Connections
  • 20. #RSAC Cloaked Development Infrastructure 20 New Trend Seen in Assessment Work – Second Layer of Accessible Peer Infrastructure o Development / Testing / Staging Purposes o Often Times the Weak Point in Primary System Compromise • Substantially Weaker / Still w/ Privileged Access Tie-ins. • Similar to Kill Chain Mechanics Against Internal Targets  Compromise Weaker Nodes -> Gain Creds / Access -> Take Primary – Not something traditional architectures have suffered from o Traditional Workflow • Development / Testing Happened Locally • Security Tested / Shipped to Production
  • 21. #RSAC Cloaked Infrastructure Discovery 21 Common Patterns: Look for Common Naming Patterns – Dev,Prod,Test,Stable,DevStable,etc. Dev Instances Often Are: – More Open Access / More Open to Trivial User Account Combos – Contain Primary Lineup Access Mechanisms o Embedded Privileged Accounts o Valid API Tokens
  • 22. #RSAC Why This Happens … 22 – Key Drivers Appear to Be o Difficulty of Running the Serverless Service Infrastructure Locally • Services AWS Lambda / DynamoDB / Difficult to Simulate Locally for Development Purposes • Work Being Done in this Area (i.e. ‘Serverless Framework’)  But Production Needs are Running Ahead o Desire for a Uniform Working Deployment Model o Distributed Workforce Can Complicate Remote Access Controls o Not Enough Concern About the Security of Development Test Instances and the Data they Contain.
  • 23. #RSAC Proper Scoping … 23 Constant Shifting Targets Distributed Nature of Applications Means OSInt Phase need to be beefed up. – Need to Scope Application Subcomponents Differently. – Consider Changing PT Methodology to Allow for Discovery / Enumeration and Dynamic Scope w/ Client. – Have to Avoid Redeployments which can Upend Instances and Permissions
  • 24. #RSAC Cloud Storage Layer 24 A lot already written on this – Layering on personal experiences from assessment work o Buckets with permissions issues continue to be a huge problem. o Real world: seeing issues > 25% of the time they are in play. o Mostly likely subcomponent to be compromised o Can totally unwind an otherwise secure stack – Since 2016 Changes w/ Certificate Manager o Often encounter Bucket -> Cloudfront -> Webroot o PKI allows for targeting buckets that were previously obscure o Improvements made to permissions in this area, but people still struggling
  • 25. #RSAC Cloud Storage Layer 25 Typically we’re looking for: – Application API Keys o Generated by developers or users for automated access o By design are long-lived and do not require two-factor o Typically from privileged accounts o Rarely restricted to a handful of calls, typically have full user rights. – Passwords in configuration files – Infrastructure Keys Which can o Don’t target the app but the cloud infrastructure itself o The sorts of configs your local utility scripts use
  • 27. #RSAC Apply, Locking Things Down … Next two-weeks you should: – Identify the serverless infrastructure used by your organization. o (Both production systems and development / test systems) o Use Billing Reports to Help Hunt Down any Rogue Lineups – Implement a repository-credentials protection system o This is important even if you have a private/restricted repo. o Major Cloud Vendors Have Projects to Help You with This • Azure: CredScan Built Task Utility (https://secdevtools.azurewebsites.net/helpcredscan.html) • Amazon: Git-Secrets Github Project (https://github.com/awslabs/git-secrets)
  • 28. #RSAC Repository Key Protections When Implementing Protections: – Important to: o Scan Existing Repositories when First Implementing Protections o Ensure that Contrib History Does not Still Retain ‘Deleted’ Credentials o Invalidate any keys discovered, even in private repositories. o Check all new checkins / reject bad commits in real-time.
  • 29. #RSAC AWS-Labs / Git Secrets (Discussion)
  • 30. #RSAC Apply, Continued … Within one Month: – Verify there is no publically accessible non-production infrastructure o Run Certificate Transparency Queries on Your Systems / Domains • https://transparencyreport.google.com/https/certificates?hl=en • Look For Common Development Patterns (prod,dev,test,stable) – Sit with your development team o Gain an understand of your current API security controls • Map out all the endpoints for each app, and their access levels  Discuss use of public / private / protected APIs  Make a plan to restrict endpoints as necessary in new releases. • Talk through potential rogue-client & app scenarios
  • 31. #RSAC Apply, Continued … Within 3 months – Move any development or test instances and lineups: o To alternate domains not easily associated with your primary o Regenerate associated SSL certificates and configurations. – Ensure all privileged API keys are accounted for and have appropriate access limits. o Use IAM users and roles and to grant access and set least privilege. • Many times this is loose during development push, not cleaned up later on o Ensure there is a hard line between development key / instance rights and production keys / instances. o Invalidate and re-issue all keys / roles if original controls were not sufficient.
  • 32. Questions? / Thank You! Contact: Mike.Cotton@digitaldefense.com