Why You Should Stop Caring About a Server That Isn’t Yours Anymore

WHOAMI?

Ops Perspective of servers

Pets
VS.
Cattle

VS.

SOYLENT

Developers perspective of servers

want

  • unconditional love
  • tasty steak
  • practical nutrition regardless of how bland it tastes

don't want

  • to clean the litter box
  • shovel cow shit
  • to have to mix a bunch of powders in a blender bottle

The meme in the previous slide

Really tied the analogy together

if you want...

  • OnDemand Computing Power
  • Scalable
  • Reasonable Entry Level Cost
  • Relatively Portable Code

stop giving a shit about...

  • How stupid the name serverless is
  • What people will think of you for adopting the latest trend
  • Vendor lock-in
  • The fear of the unknown

Because...

  • Of course there is still a server
  • You missed the container/kubernetes wagon
  • It's really cheap*
  • Vendor lock-in is terrible, but you're smart

So...embrace serverless!

Because of course a computer is still running your code; you just have the time and money to make that code even better!

What It Means When You Don’t Have to Worry About The Server


"The purpose of abstraction is not to be vague, but to create a new semantic level in which one can be absolutely precise" - Edsger Dijkstra

layers of abstraction

  • OnPrem/Colocation
  • Infrastructure (aaS)
  • Containers (aaS)
  • Platform (aaS)
  • Functions (aaS)

how is serverless/faas unique?

  • No server management
  • Flexible scaling
  • High availability
  • No idle capacity, pay for what you use*
  • *Unlogged and *free* background processes
  • *Temporal availability of CPU on invocation

serverless =

FaaS (event driven compute) + BaaS (managed data services)

Trading control for responsibility

so...security should pack it up?

notice what's missing?

source: snyk.io

Whose Server Is It Now?

IBM Cloud Functions

zeit.co - now

hyper.sh

How To Just Let GO...

It's not a calculated risk if you are bad at math

Watch out, he's got a GitHub repo

www.lambdashell.com


Results

  • No * actions allowed
  • $1k bounty fail
  • App Vuln => AWS Keys
  • AWS Keys != Game Over

What can I do with this AWS Keypair [blackbox]?

Understand the risks of serverless....

Step one

  • Get AWS Keys

Step two

  • Run some aws cli commands
  • aws s3 Sync/LS/Rm/Cp
  • aws rds Describe/Create/Modify
  • aws dynamodb Scan/List/Query/Get
  • aws ses Send/Get/List
  • aws lambda Invoke/Update/List/Put
  • aws sts AssumeRole

aws Serverless Hacking

Caution using frameworks

your code doesn't just mean the code you wrote

mitigate the risks

Conclusion

It's talk like a pirate day!

  • Developers 'n testers o'er security specialists
  • Build security while we work, nah as an afterthought
  • Secure implementation o'er security features
  • Mitigate risks afore identifyin' more bugs

AppSec Pirate Manifesto

serverlessdaysLA-Meetup-09-19-2018

By Cody Sparky Wood