securing serverless and container services
play

Securing Serverless and Container Services Marc Schrter AWS DevOps - PowerPoint PPT Presentation

Nov 24, 2022 •10 likes •410 views

Securing Serverless and Container Services Marc Schrter AWS DevOps Engineer @ globaldatanet Community Day 2019 Sponsors Serverless DevOps Automation Continuous Delivery Highly scalable and Infrastructure as Code fault-tolerant solutions

  1. Securing Serverless and Container Services Marc Schröter AWS DevOps Engineer @ globaldatanet Community Day 2019 Sponsors

  2. Serverless DevOps Automation Continuous Delivery Highly scalable and Infrastructure as Code fault-tolerant solutions Cloud Security Container Security and Managing the full Compliance Controls container life cycle

  3. What is serverless, and how does it impact your approach to security?

  4. What is serverless? Shift operational responsibilities to AWS Increasing your agility and innovation

  5. No infrastructure provisioning, Automatic scaling no management Pay for value Highly available and secure

  6. COMPUTE AWS AWS Lambda Fargate DATA STORES Amazon Amazon Aurora AWS S3 Serverless DynamoDB INTEGRATION Amazon Amazon Amazon Amazon API Gateway SQS SNS Step Functions

  8. Serverless Risks - OWASP A1: Injection A2: Broken Authentication A3: Sensitive Data Exposure A4: XML External Entities (XXE) A5: Broken Access Control A6: Security Misconfiguration A7: Cross-Site Scripting (XSS) A8: Insecure Deserialization A9: Using Components with Known Vulnerabilities A10: Insufficient Logging and Monitoring

  9. Serverless Risks - CSA SAS-1: Function Event Data Injection SAS-2: Broken Authentication SAS-3: Insecure Serverless Deployment Configuration SAS-4: Over-Privileged Function Permissions & Roles SAS-5: Inadequate Function Monitoring and Logging SAS-6: Insecure Third-Party Dependencies SAS-7: Insecure Application Secrets Storage SAS-8: Denial of Service & Financial Resource Exhaustion SAS-9: Serverless Business Logic Manipulation SAS-10: Improper Exception Handling and Verbose Error Messages SAS-11: Obsolete Functions, Cloud Resources and Event Triggers SAS-12: Cross-Execution Data Persistency

  10. Serverless Risk Categorization Application Code & Deployment Serverless Platform Misc.Risks App Logic Risks Configurations Risks Risks DoS Injection Security misconfiguration Broken access control Unused functions Broken Authentication Overprivileged permission Inadequate Monitoring Data Persistency Sensitive data exposure Insecure secrets storage XSS, XXE Insecure deserialization Known vulnerabilities Improper exception handling

  11. A1: Injection

  12. Injection

  13. Injection ● Use Web Application Firewall ● Validate data based on schemas and data transfer objects ● Always use an ORM ● Escape special characters ● Use least privileges ● Consider all event types and entry points into the system ● Use a commercial runtime defense solution

  14. A2: Broken Authentication

  15. Broken Authentication ● AWS Cognito or Single Sign-On ● API Gateway Access control ○ API keys ○ Usage plans ○ AWS IAM roles and policies ○ Amazon Cognito user pools ○ Lambda authorizer functions ● Service authentication between internal resources ○ SAML, OAuth2, Security Tokens ○ Encrypted channels ○ Password and key management ○ Client certificate ○ OTA/2FA

  16. A3: Sensitive Data Exposure

  17. Sensitive Data Exposure ● Identify and classify sensitive data ● Minimize storage of sensitive data ● Protect data at rest and in transit ● Use HTTPS only endpoints for APIs ● Key management ● Encryption of stored data ● Secret Management ● Environment variables encryption

  18. A5: Broken Access Control

  19. Broken Access Control Fine grained access control POST customers table GET orders table DELETE Amazon API Gateway queue

  20. Broken Access Control Follow least-privilege

  21. Broken Access Control Automate permission configuration

  22. Broken Access Control Automate permission configuration

  23. Broken Access Control Automate security testing of IaC CF Script Pull CF Script from S3 S3 Event for stack CREATE/UPDATE Notify on failure CloudFormation Lambda CloudWatch SES

  24. Broken Access Control Analyze IAM access patterns programmatically

  25. Broken Access Control Analyze IAM access patterns programmatically

  26. Broken Access Control Follow AWS IAM Best Practices

  27. A7: Security Misconfiguration

  28. Security Misconfiguration ● Enforce access control ● Providers security best practices ● Check for functions with unlinked triggers ● Resources that appear in policies but are not linked back to the function ● Set timeouts to the minimum required by the function ● Use automatic tools that detect security misconfigurations

  29. A7: Known Vulnerabilities

  30. Known Vulnerabilities ● Continuously monitor dependencies and their versions ● Only obtain components from official sources ● Continuously monitor sources like CVE and NVD ● Platform based advisories like NodeSecurity, PyUp, OWASP SafeNuGet, etc. ● Scan dependencies for known vulnerabilities ○ OWASP Dependency Check ○ GitHub Security Alerts ○ Gitlab Dependency Scanning ○ WhiteSource

  31. Serverless Security Demo

  32. Serverless Security Demo 1. Information Gathering 2. Function Reverse Engineering 3. Digging For Gold Inside Environment Variables 4. Exploiting Over-Privileged IAM Roles 5. Abusing Insecure Cloud Configurations 6. Finding Known Vulnerabilities In Open Source Packages

  33. Security for Amazon Kubernetes Cluster

  34. Encrypt communication ● Between web clients and your loadbalancer ○ Use the application loadbalancer (ALB) ○ Can be achieved with the ALB-Ingress-Controller ○ ALB provides routing and security options for the application layer ● Between your loadbalancer and pod ○ Encryptions support of your application or application server ○ Run a sidecar on your pod which performs encryption ○ Run a complete service mesh like Istio ● Between your pod and your AWS RDS database

  35. Encrypt storage ● Databases ● Persistent Volume Claims (PVC)

  36. Restrict inbound and outbound traffic ● Use network policies ● Network Policy engine (Calico)

  37. More EKS Security Tips ● Use a firewall to block known web attacks ● Protect yourself from DDos attacks ● Secure your AWS account ● Use namespaces and secrets ● Cyber attack detection ● Review your security setup ● Scan your container images ○ Aqua Security Microscanner ○ CoresOS Clair ○ Anchore engine

  38. Container DevSecOps

  39. AWS Cloud9 7. Adds feedback to 6. Triggers Lambda 1.Pull Request Pull Request Function Amazon CloudWatch AWS CodeCommit AWS Lambda Developer Event Rule (Application Repo) Function 2. Triggers 5. CodeBuild Success/Failure CodePipeline triggers Rule AWS CodePipeline VULNERABILITY PUBLISH IMAGE PULL REQUEST DOCKER LINTING SECRETS SCANNING SCANNING Configs Development AWS CodeBuild AWS CodeBuild AWS CodeBuild AWS CodeBuild 4. Builds and pushes 3. Pushes vulnerabilities Image to ECR to Security Hub AWS Security Hub Amazon ECR

  40. Build with services not servers Ahhhh and we are hiring globaldatanet mail@globaldatanet.com globaldatanet globaldatanet.com

Recommend

Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software

Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software

22.05.2018 Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software Engineer on Arm. OpenStack Zun Core Reviewer kevin.zhao@arm.com Agenda What is Serverless Container Cloud Demo Zun and Container

750 views • 35 slides
Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

www.securing.pl Pawel Rzepa Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in - Pentesting - Cloud security assessment Blog: https://medium.com/@rzepsky @Rzepsky

1.1k views • 63 slides
Serverless On Your Own Terms Using Knative Context Serverless more than Function Serverless

Serverless On Your Own Terms Using Knative Context Serverless more than Function Serverless

Serverless at Google @mchmarny Serverless On Your Own Terms Using Knative Context Serverless more than Function Serverless Models Operator No Infra Management Managed Security Pay only for usage Developer Service-based Event-driven Open

1.06k views • 51 slides
Securing Serverless - By Breaking In Guy Podjarny, Snyk @guypod snyk.io About Me Guy

Securing Serverless - By Breaking In Guy Podjarny, Snyk @guypod snyk.io About Me Guy

Securing Serverless - By Breaking In Guy Podjarny, Snyk @guypod snyk.io About Me Guy Podjarny, @guypod on Twitter CEO & Co-founder at Snyk History: Cyber Security part of Israel Defense Forces First Web App Firewall

345 views • 30 slides
How Serverless Changes the IT Department Paul Johnston Opinionated Serverless Person

How Serverless Changes the IT Department Paul Johnston Opinionated Serverless Person

How Serverless Changes the IT Department Paul Johnston Opinionated Serverless Person Serverless all the things Medium/Twitter: @PaulDJohnston Velocify Conf London 2018 Paul Johnston Experienced Interim CTO and Serverless Consultant

1.11k views • 63 slides
Lunch and Learn John McKim @johncmckim Software Engineer A Cloud Guru Serverless Framework

Lunch and Learn John McKim @johncmckim Software Engineer A Cloud Guru Serverless Framework

Lunch and Learn John McKim @johncmckim Software Engineer A Cloud Guru Serverless Framework Contributor Serverless Framework https://serverless.com What is Serverless? Functions as a Service Properties of FaaS Services Function as unit of

570 views • 12 slides
Serverless Gardens IoT + Serverless johncmckim.me twitter.com/@johncmckim

Serverless Gardens IoT + Serverless johncmckim.me twitter.com/@johncmckim

Serverless Gardens IoT + Serverless johncmckim.me twitter.com/@johncmckim medium.com/@johncmckim John McKim Software Engineer at A Cloud Guru Contribute to Serverless Framework @johncmckim https://acloud.guru Serverless Framework

814 views • 50 slides
Functions as a Service (a.k.a. Serverless functions) Func unctio tions ns-as as-a-Ser

Functions as a Service (a.k.a. Serverless functions) Func unctio tions ns-as as-a-Ser

Functions as a Service (a.k.a. Serverless functions) Func unctio tions ns-as as-a-Ser Service vice Recall PaaS Treats servers and computation like electricity (i.e. a commodity consumed on-demand) No VM or container to manage

482 views • 21 slides
Instance Support Elastic Load Balancing Amazon EC2 AWS Elastic Beanstalk Amazon EC2 Container

Instance Support Elastic Load Balancing Amazon EC2 AWS Elastic Beanstalk Amazon EC2 Container

Instance Support Elastic Load Balancing Amazon EC2 AWS Elastic Beanstalk Amazon EC2 Container Amazon ECS VMWare Cloud on AWS Registry Amazon Lightsail AWS Outposts AWS Batch Container Functions (Serverless Compute) Amazon ECS* AWS

347 views • 15 slides
DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x Galley Container 1x Medical Container 1x Feed Water Container 1x Water Treatment Container 2x Generator Container 1x

569 views • 8 slides
Databases Gone Serverless Alkin Tezuysal (@ask_dba) Sr. Technical Manager, Percona Who am I?

Databases Gone Serverless Alkin Tezuysal (@ask_dba) Sr. Technical Manager, Percona Who am I?

Databases Gone Serverless Alkin Tezuysal (@ask_dba) Sr. Technical Manager, Percona Who am I? @ask_dba 2 Agenda Serverless Architectures Serverless Solutions in Database World Wheres Serverless technology going? 3 What does

796 views • 20 slides
Kotlin Serverless Framework Vladislav Tankov What is serverless? cloud-computing execution model

Kotlin Serverless Framework Vladislav Tankov What is serverless? cloud-computing execution model

Kotlin Serverless Framework Vladislav Tankov What is serverless? cloud-computing execution model , in which the cloud provider runs the server and dynamically manages the allocation of machine resources Wikipedia How are serverless

995 views • 46 slides
Serverless in the Wild: Characterizing and Optimizing the Serverless Workload at a Large Cloud

Serverless in the Wild: Characterizing and Optimizing the Serverless Workload at a Large Cloud

Serverless in the Wild: Characterizing and Optimizing the Serverless Workload at a Large Cloud Provider Mohammad Shahrad , Rodrigo Fonseca , igo Goiri, Gohar Chaudhry, Paul Batum, Jason Cooke, Eduardo Laureano, Colby Tresness, Mark

2.05k views • 39 slides
FaaS You Like It! @ewanslater Serverless CNCF Definition Serverless computing refers to

FaaS You Like It! @ewanslater Serverless CNCF Definition Serverless computing refers to

FaaS You Like It! @ewanslater Serverless CNCF Definition Serverless computing refers to the concept of building and running applications that do not require server management . It describes a finer-grained deployment model where

613 views • 45 slides
Baltic Container Terminal (BCT) Gdynia, Poland International Container Terminal Services Inc. 1

Baltic Container Terminal (BCT) Gdynia, Poland International Container Terminal Services Inc. 1

Baltic Container Terminal (BCT) Gdynia, Poland International Container Terminal Services Inc. 1 BCT Value Proposition 1 Strategic Location Gdynia is located within the Baltic-Adriatic Corridor (corridor VI), one of the most important

494 views • 11 slides
The Hitchhikers Guide to Serverless JavaScript Steve Faulkner @southpolesteve

The Hitchhikers Guide to Serverless JavaScript Steve Faulkner @southpolesteve

The Hitchhikers Guide to Serverless JavaScript Steve Faulkner @southpolesteve Director of Engineering Serverless Serverless there are still servers servers platforms! * as a Service Database-aaS Caching-aaS

1.12k views • 87 slides
Catalyst Ubers Serverless Platform Shawn Burke - Staff Engineer Uber Seattle Why Serverless?

Catalyst Ubers Serverless Platform Shawn Burke - Staff Engineer Uber Seattle Why Serverless?

Catalyst Ubers Serverless Platform Shawn Burke - Staff Engineer Uber Seattle Why Serverless? Complexity! Microservices, Languages, Client Libs, Tools Product teams have basic infrastructure needs Stable, consistent app

372 views • 15 slides
Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Introduction Container Library Container Tools FUSE Container File System Evaluation Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene Michael Kuhn Parallele und Verteilte Systeme Institut f ur

353 views • 22 slides
Stateful Serverless Sean Walsh @SeanWalshEsq We predict that Serverless Computing will grow

Stateful Serverless Sean Walsh @SeanWalshEsq We predict that Serverless Computing will grow

Towards Stateful Serverless Sean Walsh @SeanWalshEsq We predict that Serverless Computing will grow to dominate the future of Cloud Computing. - Berkeley CS Department Cloud computing simplified: a Berkeley view on serverless computing

748 views • 40 slides
F AASM : Lightweight Isolation for Efficient Stateful Serverless Computing Simon Shillaker and

F AASM : Lightweight Isolation for Efficient Stateful Serverless Computing Simon Shillaker and

F AASM : Lightweight Isolation for Efficient Stateful Serverless Computing Simon Shillaker and Peter Pietzuch Large-scale Data and Systems Group, Imperial College London Serverless Big Data Vision Serverless functions Application Big data

431 views • 30 slides
Serverless Boom or Bust? An Analysis of Economic Incentives Xiayue Charles Lin, Joseph E.

Serverless Boom or Bust? An Analysis of Economic Incentives Xiayue Charles Lin, Joseph E.

Serverless Boom or Bust? An Analysis of Economic Incentives Xiayue Charles Lin, Joseph E. Gonzalez, Joseph M. Hellerstein UC Berkeley HotCloud 2020 Monday, July 13 An Economic Model for Serverless Serverless: pay for consumption instead of

160 views • 14 slides
Serverless Microservices Are The New Black Lorna Mitchell, IBM Serverless FaaS: Functions as a

Serverless Microservices Are The New Black Lorna Mitchell, IBM Serverless FaaS: Functions as a

Serverless Microservices Are The New Black Lorna Mitchell, IBM Serverless FaaS: Functions as a Service write a function (many languages supported) deploy it to the cloud (Lambda, Cloud Functions, etc) only pay while the function is

519 views • 28 slides
cloudstate.io serverless 2.0 with cloudstate Sean Walsh | Field CTO and Cloud Evangelist @

cloudstate.io serverless 2.0 with cloudstate Sean Walsh | Field CTO and Cloud Evangelist @

cloudstate.io serverless 2.0 with cloudstate Sean Walsh | Field CTO and Cloud Evangelist @ Lightbend We predict that serverless computing will grow to dominate the future of cloud computing. Berkely CS Department why serverless 2.0?

701 views • 38 slides
ANATOMY OF A SERVERLESS GITHUB BOT How we built a serverless GitHub bot using Azure for the

ANATOMY OF A SERVERLESS GITHUB BOT How we built a serverless GitHub bot using Azure for the

ANATOMY OF A SERVERLESS GITHUB BOT How we built a serverless GitHub bot using Azure for the Microsoft hackathon. https://github.com/Chris- Johnston/PublishScheduler 1 $ WHOAMI Im Chris Johnston. Im a Software Engineer at Microsoft,

655 views • 28 slides

More recommend