
Securing Serverless - By Breaking In



Guy Podjarny breaks into a vulnerable serverless application and exploits multiple weaknesses, helping better understand some of the mistakes people make, their implications, and how to avoid them.

Video available on: https://www.infoq.com/presentations/serverless-security-2017



Securing Serverless - By Breaking In

Slide 1: Securing Serverless - By Breaking In. Guy Podjarny, Snyk, @guypod (snyk.io)

Slide 2: About Me
• Guy Podjarny, @guypod on Twitter
• CEO & Co-founder at Snyk
• History:
  • Cyber Security part of Israel Defense Forces
  • First Web App Firewall (AppShield), Dynamic/Static Tester (AppScan)
  • Security: Worked in Sanctum -> Watchfire -> IBM
  • Performance: Founded Blaze -> CTO @Akamai
• O'Reilly author, speaker
Slide 3: Serverless Security: The Theory (talk from ServerlessConf)
https://www.youtube.com/watch?v=CiyUD_rI8D8
https://www.infoq.com/articles/serverless-security

Slide 4: Today - straight to practice!

Slide 5: Agenda
• Show a demo serverless app
• Hack it
• Explain the security flaws and how to fix them
• Summary
• Q&A

Slide 6: Introducing our app…

Slide 7: Vulnerable Libraries

Slide 8: Example: Fetch file & store in S3 (Serverless Framework example)
• 19 lines of code
• 2 direct dependencies
• 19 dependencies (incl. indirect)
• 191,155 lines of code
Slide 9: (image-only slide; no text extracted)

Slide 10: Serverless does secure OS dependencies, just not app dependencies.

Slide 11: 1. Beware vulnerable libraries (test during dev, monitor over time)
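The point of slides 8 to 11 is that the 19 lines you wrote pull in a dependency tree you did not write, and that the platform patches the OS underneath the function but not that tree. The following is an added example, not code from the talk or from Snyk: it resolves the tree from a package-lock.json (lockfile v1 layout) the way npm does, counts direct versus transitive packages, and matches resolved versions against an advisory list. It is written in JavaScript for Node.js, as a serverless function itself typically would be. The package names, versions, advisory identifiers and ranges are all constructed for the example and describe no real package.

```javascript
// Added example, not code from the talk: resolve the dependency tree of a small
// serverless function from its package-lock.json (lockfile v1 layout) and match
// the resolved versions against an advisory list. Package names, versions and
// advisories below are constructed for the example.

// Constructed package.json: two direct dependencies, like the slide's example.
const packageJson = {
  dependencies: { 'http-fetch': '^2.1.0', 's3-put': '^1.0.0' },
};

// Constructed package-lock.json. npm hoists packages to the top level and only
// nests a copy under a parent when versions conflict.
const packageLock = {
  lockfileVersion: 1,
  dependencies: {
    'http-fetch':   { version: '2.1.3', requires: { 'stream-util': '^0.9.0', 'deep-merge-x': '^1.0.0' } },
    'stream-util':  { version: '0.9.2' },
    'deep-merge-x': { version: '1.0.4' },
    's3-put': {
      version: '1.0.7',
      requires: { 'xml-mini': '^3.0.0', 'deep-merge-x': '^0.5.0' },
      // nested copy: s3-put pins an older deep-merge-x than the hoisted one
      dependencies: { 'deep-merge-x': { version: '0.5.1' } },
    },
    'xml-mini':     { version: '3.2.0', requires: { 'stream-util': '^0.9.0' } },
    'leftover-pkg': { version: '1.0.0' }, // stale lockfile entry, not reachable
  },
};

// Constructed advisories (identifiers and ranges are made up for this example).
const advisories = [
  { id: 'EXAMPLE-ADV-1', name: 'deep-merge-x', below: '0.6.0', title: 'prototype pollution (constructed)' },
  { id: 'EXAMPLE-ADV-2', name: 'xml-mini',     below: '3.1.0', title: 'entity expansion (constructed)' },
];

// Numeric dotted-version compare: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk from the direct dependencies through each package's `requires`, resolving
// names the way npm does (nested copy under the parent first, then the hoisted
// top level; deeper ancestor lookup is omitted for brevity).
function resolveTree(pkg, lock) {
  const seen = new Map(); // "name@version" -> { name, version, direct, path }
  function visit(name, parent, path, direct) {
    const node = (parent.dependencies && parent.dependencies[name]) || lock.dependencies[name];
    if (!node) throw new Error(`lockfile has no entry for ${name}`);
    const key = `${name}@${node.version}`;
    if (seen.has(key)) return;
    seen.set(key, { name, version: node.version, direct, path });
    for (const child of Object.keys(node.requires || {})) visit(child, node, [...path, child], false);
  }
  for (const name of Object.keys(pkg.dependencies)) visit(name, lock, [name], true);
  return [...seen.values()];
}

// Count what actually ships and flag every resolved version an advisory covers.
function audit(pkg, lock, advs) {
  const tree = resolveTree(pkg, lock);
  const findings = [];
  for (const entry of tree) {
    for (const adv of advs) {
      if (adv.name === entry.name && compareVersions(entry.version, adv.below) < 0) {
        findings.push({ id: adv.id, package: `${entry.name}@${entry.version}`, via: entry.path.join(' > ') });
      }
    }
  }
  return { direct: tree.filter((e) => e.direct).length, total: tree.length, findings };
}

const report = audit(packageJson, packageLock, advisories);
console.log(`${report.direct} direct, ${report.total} resolved packages (incl. indirect)`);
for (const f of report.findings) console.log(`${f.id}: ${f.package} via ${f.via}`);
```

The finding is on the nested, older copy of deep-merge-x that only s3-put pulls in; the hoisted copy the top-level function sees is clean, which is exactly the case a scan of package.json alone misses. Running this once at build time catches what is known then; the slide's "monitor over time" is the re-run against a fresh advisory list after every deployment, because the tree does not change but the advisories do.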
Slide 12: Side note: Snyk isn't only for Serverless

Slide 13: Denial of Service

Slide 14: 2. ReDoS can still be costly (won't take you down, but can hike up the bill)

Slide 15: Beware resource exhaustion attacks: not all your services elastically scale
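Slides 13 to 15 make a point specific to serverless billing: a regular denial of service cannot take a function down, because every invocation gets its own container, but each invocation that an attacker pins in catastrophic regex backtracking runs until its timeout and is billed for every millisecond, and whatever it holds open on a database behind it does not scale with it. The following is an added example, not code from the talk: a validation regex with catastrophic backtracking next to its linear-time replacement, with the input-length guard that bounds the work any one invocation can do. The pattern, the length limit and the payload are constructed for the example.

```javascript
// Added example, not code from the talk: a validation regex with catastrophic
// backtracking, its linear-time replacement, and the length guard that bounds
// the work any single invocation can do. Patterns and inputs are constructed.

// Assumption for the example: a legitimate tag list never exceeds this length.
const MAX_TAG_LIST_LENGTH = 256;

// Vulnerable: the optional separator inside a repeated group lets the engine try
// every way of splitting a run of word characters before it can fail on the
// trailing '!' (on the order of 2^n attempts for n characters).
const VULNERABLE_TAG_LIST = /^(\w+\s?)*$/;

// Hardened: a separator must be followed by a word character, so each position
// can only be matched one way and failure is detected in linear time.
const SAFE_TAG_LIST = /^\w+(\s\w+)*$/;

// Validate a space-separated tag list; rejects oversized input before the regex
// engine ever sees it.
function isValidTagList(input, re = SAFE_TAG_LIST) {
  if (typeof input !== 'string') return false;
  if (input.length > MAX_TAG_LIST_LENGTH) return false;
  return re.test(input);
}

// Classic ReDoS payload: a run the pattern likes, ended by a character it cannot match.
function redosPayload(n) {
  return 'a'.repeat(n) + '!';
}

// Wall-clock time of a single test(), in milliseconds.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  return { matched, ms: Number(process.hrtime.bigint() - start) / 1e6 };
}

// Demo: each extra character roughly doubles the vulnerable pattern's time while
// the safe pattern stays flat. On a function billed per millisecond that time is
// the bill, and the invocation keeps running until its configured timeout.
for (const n of [16, 18, 20]) {
  const payload = redosPayload(n);
  const bad = timeMatch(VULNERABLE_TAG_LIST, payload);
  const good = timeMatch(SAFE_TAG_LIST, payload);
  console.log(`n=${n}: vulnerable ${bad.ms.toFixed(1)} ms, safe ${good.ms.toFixed(3)} ms`);
}
```

The length guard is the part that survives a regex you did not write (one buried in a dependency): it caps the input the engine sees, so the worst case is bounded even when the pattern itself is not. Pair it with a short function timeout, so an invocation that does get stuck is cut off early rather than billed to the platform maximum.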
Slide 16: Secrets

Slide 17: 3. Avoid secrets in deployed code (env variables aren't enough; use a KMS!)

Slide 18: Serverless platforms offer a Key Management System. Just use it!
Slide 19: Granularity

Slide 20: 4. Deploy granular functions (shared function code = greater exposure)

Slide 21: AWS Security Policy (diagram): a scale from "Easier" to "Safer" with Policy 1, Policy 2 and Policy 3 marked along it

Slide 22: Permissions

Slide 23: 5. Use granular policies (only allow each function its minimum permissions)

Slide 24: A function is a perimeter that needs to be secured (diagram: each function drawn as its own perimeter)
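Slides 19 to 24 make two related points: a monolithic function with one shared role is the easy end of the scale (one policy to write) and the unsafe end (whichever code path an attacker breaks, they get every permission the role has), while per-function policies make each function its own perimeter. The following is an added example, not code from the talk or from any tool it mentions: it audits what a function is granted against what it needs, for a shared coarse policy and for per-function policies. The function names, ARNs, account id, the "needs" table and the small action catalogue used to expand wildcards are all constructed for the example; the policy syntax is AWS IAM's.

```javascript
// Added example, not code from the talk: audit what each function is actually
// granted against what it needs, for a single shared role versus per-function
// roles. Function names, ARNs, account id and the action catalogue are
// constructed for the example.

// What each function needs to do its job (assumption for the example).
const functions = {
  fetchFile: { needs: ['s3:PutObject'] },
  listFiles: { needs: ['s3:ListBucket'] },
  notify:    { needs: ['sns:Publish'] },
};

// The easy end of the scale: one role, one policy, shared by all functions.
const sharedPolicy = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['s3:*', 'sns:*', 'dynamodb:*'], Resource: '*' }],
};

// The safe end: each function gets exactly its own actions on its own resources.
const perFunctionPolicies = {
  fetchFile: { Version: '2012-10-17', Statement: [
    { Effect: 'Allow', Action: ['s3:PutObject'], Resource: ['arn:aws:s3:::example-uploads/*'] }] },
  listFiles: { Version: '2012-10-17', Statement: [
    { Effect: 'Allow', Action: ['s3:ListBucket'], Resource: ['arn:aws:s3:::example-uploads'] }] },
  notify: { Version: '2012-10-17', Statement: [
    { Effect: 'Allow', Action: ['sns:Publish'], Resource: ['arn:aws:sns:us-east-1:123456789012:example-topic'] }] },
};

// Small catalogue of actions to expand wildcards against (constructed subset).
const KNOWN_ACTIONS = [
  's3:GetObject', 's3:PutObject', 's3:DeleteObject', 's3:ListBucket',
  'sns:Publish', 'dynamodb:Scan', 'dynamodb:DeleteTable',
];

const asList = (v) => (Array.isArray(v) ? v : [v]);
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// IAM-style action matching: '*' is a wildcard, comparison is case-insensitive.
function actionMatches(pattern, action) {
  const re = new RegExp('^' + pattern.split('*').map(escapeRe).join('.*') + '$', 'i');
  return re.test(action);
}

// Report everything a function is granted beyond its needs, plus anything missing.
function auditFunction(name, policy) {
  const { needs } = functions[name];
  const findings = [];
  const allowed = [];
  for (const st of policy.Statement) {
    if (st.Effect !== 'Allow') continue;
    const actions = asList(st.Action);
    if (asList(st.Resource).includes('*')) findings.push(`resource "*" for ${actions.join(', ')}`);
    allowed.push(...actions);
  }
  for (const p of allowed) if (p.includes('*')) findings.push(`wildcard action ${p}`);
  const granted = KNOWN_ACTIONS.filter((a) => allowed.some((p) => actionMatches(p, a)));
  for (const g of granted) if (!needs.includes(g)) findings.push(`unneeded action ${g}`);
  for (const n of needs) if (!allowed.some((p) => actionMatches(p, n))) findings.push(`missing required action ${n}`);
  return { granted: granted.length, findings };
}

for (const name of Object.keys(functions)) {
  const shared = auditFunction(name, sharedPolicy);
  const scoped = auditFunction(name, perFunctionPolicies[name]);
  console.log(`${name}: shared role grants ${shared.granted} actions (${shared.findings.length} findings); ` +
              `own role grants ${scoped.granted} (${scoped.findings.length} findings)`);
}
```

Read the numbers as blast radius: under the shared role, compromising the file-fetch function, which only needs to write one object, also yields bucket listing, deletes, SNS publishing and DynamoDB table deletion, none of which that function's code ever calls. Under its own role it yields one action on one bucket prefix. The "needs" table is the part you have to maintain; it is also the documentation of what each function is for.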
Slide 25: Immutability

Slide 26: 6. Don't rely on immutability (Lambda, and others, reuse servers)

Slide 27: The serverless user is typically low privilege, reducing impact substantially but not eliminating it
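Slides 25 to 27 warn that a function's container is not thrown away after each call: the platform keeps it warm and reuses it, so module-level variables, files under /tmp and anything an attacker managed to change in the process survive into the next invocation, which may belong to a different user. The low-privilege OS user the function runs as limits what can be done to the host, not what the function's own memory carries forward. The following is an added example, not code from the talk: a leaky handler that parks request data in module scope, a hardened one that keeps request data invocation-local and freezes the module-level configuration, and a simulation of one warm container serving a sequence of events. The events, handlers and the code path that lets request data reach process-wide state are all constructed for the example.

```javascript
// Added example, not code from the talk: a warm container keeps module-level
// state between invocations, so data one request left behind (or an attacker
// planted) is still there for the next. Events and handlers are constructed.

// --- Leaky handler: request data parked in module scope -----------------------
let currentUser = null;                                    // assigned per request, never cleared
const runtimeConfig = { uploadBucket: 'example-uploads' }; // mutable, process-wide

function leakyHandler(event) {
  if (event.user) currentUser = event.user; // a request without a user inherits the last one
  // Stands in for a vulnerable code path (say, a deep merge of request data into
  // config) that lets a request mutate process-wide state.
  if (event.pluginConfig) Object.assign(runtimeConfig, event.pluginConfig);
  return { servedAs: currentUser, uploadTarget: runtimeConfig.uploadBucket };
}

// --- Hardened handler: module scope holds only immutable configuration --------
const CONFIG = Object.freeze({ uploadBucket: 'example-uploads' });

function hardenedHandler(event) {
  const user = event.user || null; // lives and dies with this invocation
  return { servedAs: user, uploadTarget: CONFIG.uploadBucket };
}

// One warm container handling a sequence of events in order.
function runWarmContainer(handler, events) {
  return events.map((e) => handler(e));
}

// Constructed traffic: a legitimate user, then an attacker whose request reaches
// the mutable config, then an anonymous request served by the same warm container.
const traffic = [
  { user: 'alice' },
  { user: 'mallory', pluginConfig: { uploadBucket: 'attacker-controlled-bucket' } },
  {},
];

console.log('leaky   ', runWarmContainer(leakyHandler, traffic));
console.log('hardened', runWarmContainer(hardenedHandler, traffic));
```

With the leaky handler the third, anonymous request is served as "mallory" and uploads to the attacker's bucket; nothing in that request asked for either. The hardened handler returns the same answer for that request whether the container is cold or has served a thousand requests before it, which is the property to test for: run the handler twice with an attacker event in between and diff the results. Files written under /tmp need the same discipline, since they persist exactly like the module scope does.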
Slide 28: 7. Worry about all functions (every available function increases your attack surface)

Slide 29: Summary
1. Beware vulnerable libraries
2. ReDoS can still be costly
3. Avoid secrets in deployed code
4. Deploy granular functions
5. Use granular permissions
6. Don't rely on immutability
7. Worry about all functions

Slide 30: Serverless Security: The Theory (talk from ServerlessConf)
https://www.youtube.com/watch?v=CiyUD_rI8D8
https://www.infoq.com/articles/serverless-security

Slide 31: Serverless is defined now. Let's build security in. Thank you! Guy Podjarny, Snyk, @guypod
