
Serverless Security: Doing Security in 100 milliseconds



Talk on serverless security with a brief history of cloud, containers and now serverless. This talk also features serverless patterns, and security considerations needed in this new environment. This talk was given at AppSecUSA 2016.


Slide transcript:

1. DOING SECURITY IN 100 MILLISECONDS: SERVERLESS SECURITY
2. JAMES WICKETT
   - Head of Research at Signal Sciences
   - Author at Lynda/LinkedIn Training; DevOps Fundamentals course releasing in November
   - Blogger at theagileadmin.com and labs.signalsciences.com
3. DEVOPS ROADMAP FOR SECURITY: http://info.signalsciences.com/book
4. SIGNAL SCIENCES
   - Web App Firewall for modern workloads
   - Cloud-native and devops friendly
   - Answers the questions: Am I being attacked right now? Are attackers becoming successful?
   - We are hiring (Golang, appsec, devops)
7. CONCLUSION
   - Serverless encourages functions as deploy units, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
   - New serverless patterns are just emerging
   - Security with serverless is easier
   - Security with serverless is harder
8. CONCLUSION (2)
   - Four key areas apply to serverless security:
   - Software Supply Chain Security
   - Delivery Pipeline Security
   - Data Flow Security
   - Attack Detection
9. WHAT IS SERVERLESS?
10. MISCONCEPTIONS
11. IT'S MARKETING (CLOUD REBRANDED)
12. SERVERLESS == NO SERVERS
13. SERVERLESS == CLOUD
14. SERVERLESS == BACKEND AS A SERVICE
15. SERVERLESS == PLATFORM AS A SERVICE
17. SO, WHAT IS SERVERLESS?
18. http://martinfowler.com/articles/serverless.html
19. @MIKEBROBERTS
20. "Serverless was first used to describe applications that significantly or fully depend on 3rd party applications / services ('in the cloud') to manage server-side logic and state." http://martinfowler.com/articles/serverless.html
21. "Serverless can also mean applications where some amount of server-side logic is still written by the application developer but unlike traditional architectures is run in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party." http://martinfowler.com/articles/serverless.html
22. HISTORY OF SERVERLESS
   - 2012 - used to describe BaaS and Continuous Integration services run by third parties
   - Late 2014 - AWS launched Lambda
   - July 2015 - AWS launched API Gateway
   - October 2015 - AWS re:Invent - "The Serverless Company Using AWS Lambda"
   - 2015 to present - Frameworks forming
   - 2016 - Serverless Conference
   http://www.slideshare.net/AmazonWebServices/arc308-the-serverless-company-using-aws-lambda
23. (Diagram of a traditional architecture: Client, Proxy/LB, Servers, Database)
24. (Diagram of a serverless architecture: Client, Auth Service, API Gateway, Database Service, Function A, Function B, Web Delivery)
26. WHAT CAN WE SAY IS SERVERLESS?
27. SERVERLESS IS FUNCTIONS AS A SERVICE (FaaS)
28. BUT, BUT… CONTAINERS!
29. CONTAINERS … ON DEMAND
30. SERVERLESS IS (NO MANAGEMENT OF) SERVERS
31. SERVERLESS IS SERVICEFULL
32. SERVERLESS IS AN OPINIONATED FRAMEWORK FOR COMPUTE
33. Serverless encourages functions as deploy units, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
34. A SHORT HISTORY OF CLOUD
35. VIRTUALIZATION
36. "THE CLOUD"
37. DEVOPS
38. SaaS / PaaS / IaaS
39. PRIVATE CLOUD
40. THEN, ALONG CAME CONTAINERS
41. CONTAINERS ARE TEH HAWTNESS
43. LOTS OF EFFORT IN CONTAINER ORCHESTRATION
44. THE CLOUD WAS TO VIRTUALIZATION AS SERVERLESS WILL BE TO CONTAINERS
45. "IF YOU WANT TO LEAD YOUR COMPANY BRAVELY INTO THE NEW WORLD, YOU WOULD DO WELL TO FOCUS A LOT ON HOW SERVERLESS WILL EVOLVE." - @CLOUDOPINION, https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d
46. Serverless encourages functions as deploy units, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
47. SO, WHAT ARE THE UPSIDES?
48. SCALING BUILT IN
49. PAY FOR WHAT YOU USE IN 100MS INCREMENTS
50. WITH SERVERLESS, SYSTEM ADMINISTRATION IS (MOSTLY) LOWER
51. SERVERLESS IS IMPLICIT MICROSERVICES
52. SHORT-CIRCUITS OPS AND MOVES INFRASTRUCTURE RUNTIME CLOSER TO DEVS
53. YOU CAN SKIP CHEFFING AND DOCKERING ALL THE THINGS!
54. LEAN STARTUP FRIENDLY
55. INCREASED VELOCITY
56. GREAT, WHAT'S THE CATCH?
57. OPS BURDEN TO RATIONALIZE THE SERVERLESS MODEL (SPECIFICALLY DEPLOY)
58. MONITORING
59. LOGGING
60. STATELESS FOR REAL: NO MEMORY PERSISTENCE ACROSS FUNCTION RUNS
61. VENDOR LOCK-IN
62. SECURITY
63. RELIABILITY
65. SERVERLESS USE CASES
66. IMAGE RESIZING
67. QUEUE PROCESSING (http://martinfowler.com/articles/serverless.html)
68. RUN A WEB APPLICATION
69. API GATEWAY (http://martinfowler.com/articles/serverless.html)
70. CI/CD
71. LICENSING
72. SECURITY IS THE SAME AND DIFFERENT
73. EVERYTHING IS HTTP(S)
74. WHAT USED TO BE SYSTEM CALLS IS NOW DISTRIBUTED COMPUTING OVER THE NETWORK
75. SERVERLESS SHIFTS ATTACK SURFACE TO THIRD PARTIES
76. LET'S TRY A SAMPLE APPLICATION IN AWS
77. SAMPLE APPLICATION
   - Golang!
   - AWS Lambda supports bring-your-own-binary
   - Sparta wraps your binary with a Node.js shim
79. OTHER OPTIONS
   - Serverless Framework
   - APEX
   - Kappa
80. WORDY
   - Analyzes textual occurrences given a block of text; returns a JSON count of words
   - Calls an API under the hood to get the text
   - Composed of Lambda, S3 and API Gateway
84. go run main.go provision -s S3_BUCKET
94. WHAT I LEARNED ABOUT SERVERLESS SECURITY
96. FOUR AREAS OF SERVERLESS SECURITY
   - Secure Software Supply Chain
   - Delivery Pipeline
   - Data Flow Security
   - Attack Detection
98. SURFACE AREA REDUCTION!
99. SURFACE AREA EXPANSION!
100. SSL / TLS FROM THE PROVIDER
101. DNS!
102. LAMBDA + S3 + KINESIS + DYNAMODB + CLOUDFORMATION + API GATEWAY + AUTH0
103. USE A THIRD-PARTY SERVICE FOR CONFIG CHANGES
104. ACCESS CONTROL
105. DELIVERY PIPELINE SECURITY
107. UNIT TESTING
109. INTEGRATION TESTING
110. CONFIGURATION IS PART OF DELIVERY
111. PROVIDER SECURITY
   - Disable root access keys
   - Manage users with profiles
   - Secure your keys in your deploy system
   - Secure keys in the dev system
   - Use provider MFA
112. SIMPLE DEPLOY PIPELINE SECURITY
   - Only dev keys can push to 'dev'
   - Only the build/deploy system can push to pre-prod
   - Integration tests must pass in this env
   - Security validation must take place
   - Allow push to prod only by the deploy system
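The "only dev keys can push to 'dev'" rule from slide 112 is an IAM question in AWS. The policy below is an added illustration, not from the talk or from Signal Sciences: it is attached to the developer group's identity and permits code and configuration updates only on Lambda functions whose names begin with dev-, while an explicit Deny blocks any Lambda action on preprod-* and prod-* functions, which remain reachable only through the deploy system's separate role. ACCOUNT_ID, the region, and the dev-/preprod-/prod- naming convention are placeholders and assumptions; an explicit Deny wins over any Allow granted elsewhere, which is what makes the rule hold even if another policy is attached later.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DevKeysDeployOnlyDevFunctions",
      "Effect": "Allow",
      "Action": [
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:PublishVersion"
      ],
      "Resource": "arn:aws:lambda:us-east-1:ACCOUNT_ID:function:dev-*"
    },
    {
      "Sid": "NeverTouchPreprodOrProd",
      "Effect": "Deny",
      "Action": "lambda:*",
      "Resource": [
        "arn:aws:lambda:us-east-1:ACCOUNT_ID:function:preprod-*",
        "arn:aws:lambda:us-east-1:ACCOUNT_ID:function:prod-*"
      ]
    }
  ]
}
```

The pre-prod and prod stages get a mirror of this policy on the build/deploy system's role, with the Allow resource widened to those prefixes; a CloudTrail search for UpdateFunctionCode calls on prod-* functions made by any principal other than that role is the matching detection check.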
113. SECURITY INTEGRATION TESTING
   - BDD-Security - github.com/continuumsecurity/bdd-security
   - Gauntlt - gauntlt.org
114. http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
115. DATA FLOW SECURITY
   - Development
   - Data Flow Diagrams
   - Threat modeling
   - Runtime
116. APPLICATION LAYER DoS
117. TIMEOUTS AND EXECUTION RESTRICTIONS
118. HTTP / HTTPS
119. ATTACK DETECTION
120. DEVELOPMENT
   - Normal OWASP tooling
   - Language filtering and more
121. APPSEC PROBLEMS
122. DEFENSE
   - Logging, emitting events
   - Vandium (SQLi) wrapper
   - Content Security Policy (CSP)
   - More work needs to be done here…
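Slides 80, 116, 117 and 122 together describe the runtime side of the Wordy sample: a word-counting function behind API Gateway that has to defend itself against application-layer DoS with input and time limits, emit events a detection pipeline can consume, and return a CSP header. The Go program below is an added example written for this page, not the talk's Sparta code: it uses only the standard library (no Lambda SDK), the 64 KiB input limit and 100 ms budget are constructed values standing in for whatever the deployment configures, and the Response and SecurityEvent shapes are assumptions modelled on an API Gateway proxy response and a structured log line.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"strings"
	"time"
	"unicode"
)

// Constructed limits standing in for the execution restrictions a function
// runtime would impose; the real values are a deployment choice.
const (
	MaxInputBytes = 64 * 1024
	HandlerBudget = 100 * time.Millisecond
)

// Response mirrors the shape an API Gateway proxy integration expects
// (assumed here): status code, headers and a JSON body.
type Response struct {
	StatusCode int               `json:"statusCode"`
	Headers    map[string]string `json:"headers"`
	Body       string            `json:"body"`
}

// SecurityEvent is the structured record the handler emits for anything a
// detection pipeline should see (rejected input, exhausted time budget).
type SecurityEvent struct {
	Kind      string `json:"kind"`
	RequestID string `json:"request_id"`
	Detail    string `json:"detail"`
}

var ErrInputTooLarge = errors.New("input exceeds size limit")

// CountWords is the Wordy core: lower-cased word -> occurrence count.
// It checks the context periodically so a slow run stops inside the time
// budget instead of running until the platform kills it.
func CountWords(ctx context.Context, text string) (map[string]int, error) {
	counts := make(map[string]int)
	words := strings.FieldsFunc(text, func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r)
	})
	for i, w := range words {
		if i%1024 == 0 {
			if err := ctx.Err(); err != nil {
				return nil, err
			}
		}
		counts[strings.ToLower(w)]++
	}
	return counts, nil
}

// Handle validates the request, applies the time budget, counts words and
// builds the response. Security events go through emit so the caller (a
// log shipper in a deployment, a collector in a test) receives them.
func Handle(parent context.Context, requestID, body string, emit func(SecurityEvent)) Response {
	headers := map[string]string{
		"Content-Type":            "application/json",
		"Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
		"X-Content-Type-Options":  "nosniff",
	}
	// Size check first: reject oversized input before spending any compute on it.
	if len(body) > MaxInputBytes {
		emit(SecurityEvent{Kind: "input_rejected", RequestID: requestID,
			Detail: fmt.Sprintf("%v: body %d bytes > limit %d", ErrInputTooLarge, len(body), MaxInputBytes)})
		return Response{StatusCode: 413, Headers: headers, Body: `{"error":"payload too large"}`}
	}
	ctx, cancel := context.WithTimeout(parent, HandlerBudget)
	defer cancel()
	counts, err := CountWords(ctx, body)
	if err != nil {
		emit(SecurityEvent{Kind: "deadline_exceeded", RequestID: requestID, Detail: err.Error()})
		return Response{StatusCode: 503, Headers: headers, Body: `{"error":"timeout"}`}
	}
	out, _ := json.Marshal(counts)
	return Response{StatusCode: 200, Headers: headers, Body: string(out)}
}

func main() {
	logEvent := func(e SecurityEvent) { b, _ := json.Marshal(e); log.Println(string(b)) }
	// Constructed inputs: a normal request and an oversized one.
	resp := Handle(context.Background(), "req-1", "the cat and the hat", logEvent)
	fmt.Println(resp.StatusCode, resp.Body)
	resp = Handle(context.Background(), "req-2", strings.Repeat("a ", MaxInputBytes), logEvent)
	fmt.Println(resp.StatusCode, resp.Body)
}
```

Two design points: the size check runs before any work so the 413 path costs almost nothing, and every rejection is emitted as a structured event rather than a free-text log line, which is what lets the "am I being attacked right now" question on slide 4 be answered by counting input_rejected and deadline_exceeded events per source.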
123. CONCLUSION
   - Serverless encourages functions as deploy units, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
   - New serverless patterns are just emerging
   - Security with serverless is easier
   - Security with serverless is harder
124. CONCLUSION (2)
   - Four key areas apply to serverless security:
   - Software Supply Chain Security
   - Delivery Pipeline Security
   - Data Flow Security
   - Attack Detection
126. LET'S TALK!
   - james@signalsciences.com
   - @wickett
   - http://info.signalsciences.com/book
