Securing Serverless - By Breaking In (Guy Podjarny, Snyk @guypod) - PowerPoint PPT Presentation



SLIDE 1

snyk.io

Securing Serverless - By Breaking In

Guy Podjarny, Snyk @guypod

SLIDE 2

About Me

  • Guy Podjarny, @guypod on Twitter
  • CEO & Co-founder at Snyk
  • History:
      • Cyber Security part of Israel Defense Forces
      • First Web App Firewall (AppShield), Dynamic/Static Tester (AppScan)
      • Security: Worked in Sanctum -> Watchfire -> IBM
      • Performance: Founded Blaze -> CTO @Akamai
  • O’Reilly author, speaker
SLIDE 3

Serverless Security: The Theory


(talk from ServerlessConf)

https://www.youtube.com/watch?v=CiyUD_rI8D8
https://www.infoq.com/articles/serverless-security

SLIDE 4

Today - straight to practice!

SLIDE 5

Agenda

  • Show a demo serverless app
  • Hack it
  • Explain the security flaws and how to fix them
  • Summary
  • Q&A
SLIDE 6

Going Terminal…

SLIDE 7

Vulnerable Libraries

SLIDE 8

Example: Fetch file & store in s3 (Serverless Framework Example)

  • 19 lines of code (the function itself)
  • 2 direct dependencies
  • 19 dependencies (incl. indirect)
  • 191,155 lines of code in total (function plus its dependency tree)

SLIDE 9

SLIDE 10

Serverless does secure OS dependencies

Just not app dependencies

SLIDE 11

  • 1. Beware Vulnerable Libraries


(test during dev, monitor over time)

SLIDE 12

Side Note: Snyk isn’t only for Serverless

SLIDE 13

Denial of Service

SLIDE 14

  • 2. ReDoS can still be costly


(won’t take you down, but can hike up bill)

SLIDE 15

Beware Resource Exhaustion Attacks

Not all your services elastically scale

SLIDE 16

Secrets

SLIDE 17

  • 3. Avoid secrets in deployed code


(env variables aren’t enough - Use a KMS!)

SLIDE 18

Serverless platforms offer a Key Management System

Just use it!

SLIDE 19

Granularity

SLIDE 20

  • 4. Deploy granular functions


(shared function code = greater exposure)

SLIDE 21

AWS Security Policy

(diagram: one policy shared by every function is easier; a separate policy per function - Policy 1, Policy 2, Policy 3 - is safer)

SLIDE 22

Permissions

SLIDE 23

  • 5. Use Granular Policies


(only allow each function its minimum permissions)

SLIDE 24

A function is a perimeter that needs to be secured

(diagram: each function drawn as its own perimeter)

SLIDE 25

Immutability

SLIDE 26

  • 6. Don’t rely on immutability


(Lambda - and others - reuse servers)

SLIDE 27

Serverless user is typically Low Privilege

Reducing impact substantially, but not eliminating it

SLIDE 28

  • 7. Worry about all functions


(Every available function increases your attack surface)

SLIDE 29

Security in Serverless

Each concern below is rated Better, Neutral or Worse for serverless compared with server-based deployment:

  • Vulnerabilities in your code
  • Vulnerable App Dependencies
  • Permissions
  • Securing Data at rest
  • Vulnerable OS Dependencies
  • Denial of Service
  • Long-lived Compromised Servers
  • Third Party Services
  • Attack Surface
  • Security Monitoring

SLIDE 30

Serverless is defined now. Let’s build Security in.

Thank You! Guy Podjarny, Snyk @guypod

More to come: 
 Microservices Panel, Mon, 5:25pm
 Serverless AMA, Wed, 2:55pm