Why You Should Stop Caring About a Server That Isn’t Yours Anymore
WHOAMI?
- AppSec FTW!
- Late to the Game
- Anti-Compliance
- About me: https://sprky.co/dywood
- Past and {this} talk: https://sprky.co/talks/
Ops Perspective of servers
Pets
VS.
Cattle
VS.
SOYLENT
Developers' perspective of servers
want
- unconditional love
- tasty steak
- practical nutrition regardless of how bland it tastes
don't want
- to clean the litter box
- shovel cow shit
- to have to mix a bunch of powders in a blender bottle


The meme in the previous slide
Really tied the analogy together
if you want...
- OnDemand Computing Power
- Scalable
- Reasonable Entry Level Cost
- Relatively Portable Code
stop giving a shit about...
- How stupid the name serverless is
- What people will think of you for adopting the latest trend
- Vendor lock-in
- The fear of the unknown
Because...
- Of course there is still a server
- You missed the container/kubernetes wagon
- It's really cheap*
- Vendor lock-in is terrible, but you're smart
So...embrace serverless!
Because of course a computer is still running your code; you just have the time and money to make that code even better!
What It Means When You Don’t Have to Worry About The Server
"The purpose of abstraction is not to be vague, but to create a new semantic level in which one can be absolutely precise" - Edsger Dijkstra
layers of abstraction
- OnPrem/Colocation
- Infrastructure (aaS)
- Containers (aaS)
- Platform (aaS)
- Functions (aaS)
how is serverless/faas unique?
- No server management
- Flexible scaling
- High availability
- No idle capacity, pay for what you use*
- *Unlogged and *free* background processes
- *Temporal availability of CPU on invocation
serverless =
FaaS (event driven compute) + BaaS (managed data services)

Source: Nicolas Dao @neap.co
Trading control for responsibility

so...security should pack it up?

notice what's missing?

source: snyk.io

Whose Server is it Now?

IBM Cloud Functions

zeit.co - now

hyper.sh

How To Just Let GO...
It's not a calculated risk if you are bad at math

Watch out, he's got a GitHub repo

www.lambdashell.com



Results
- No wildcard (*) IAM actions allowed
- $1k bounty fail
- App Vuln => AWS Keys
- AWS Keys != Game Over

What can I do with this AWS Keypair [blackbox]?
Understand the risks of serverless....

Step one
- Get AWS Keys
Step two
- Run some aws cli commands
- aws s3 sync/ls/rm/cp
- aws rds describe/create/modify
- aws dynamodb scan/list/query/get
- aws ses send/get/list
- aws lambda invoke/update/list/put
- aws sts assume-role
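The "App Vuln => AWS Keys" result and step one above in one runnable piece. This is an added example, not code from the talk or from lambdashell.com: a hypothetical "ping a host" Lambda handler with a command injection bug, the same handler hardened, and a helper that pulls the credentials out of what the injected command printed. The credential values are the AWS documentation example keys, set here as constructed stand-ins for the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN variables the Lambda runtime injects into every function's environment.

```python
import os
import re
import subprocess

# Constructed stand-ins for the credentials the Lambda runtime puts in the
# function's environment (values are the AWS documentation example keys).
os.environ.update({
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "AWS_SESSION_TOKEN": "FwoGZXIvYXdzEExampleSessionToken",
})

CRED_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")


def vulnerable_handler(event, context=None):
    """Hypothetical 'ping a host' Lambda: user input pasted into a shell string."""
    cmd = "ping -c 1 -W 1 " + event["host"]      # command injection
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


# Strict allow-list for a hostname: no spaces, quotes, ';', '|', '$' ...
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def hardened_handler(event, context=None):
    """Same feature, fixed: validate the input and never involve a shell."""
    host = event["host"]
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host")
    proc = subprocess.run(["ping", "-c", "1", "-W", "1", host],
                          capture_output=True, text=True)
    return proc.stdout


def leaked_credentials(output):
    """Collect AWS_* credential variables from the injected command's output.

    With these three values an attacker exports them for the aws CLI and runs
    the commands on the slide; what they can do is bounded only by the
    function's execution role.
    """
    found = {}
    for line in output.splitlines():
        name, sep, value = line.partition("=")
        if sep and name in CRED_VARS:
            found[name] = value
    return found


if __name__ == "__main__":
    # Attacker input: end the intended command, then dump the environment.
    out = vulnerable_handler({"host": "example.com; env"})
    print("leaked:", sorted(leaked_credentials(out)))
    try:
        hardened_handler({"host": "example.com; env"})
    except ValueError as exc:
        print("hardened handler rejected input:", exc)
```

The vulnerable path works whether or not `ping` exists: the shell reports the missing binary and still runs `env`. The hardened handler rejects the payload before any process is started, and passing arguments as a list means a hostname can never become a second command.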
aws Serverless Hacking
Caution using frameworks
your code doesn't just mean the code you wrote: the framework, its plugins, and their dependencies deploy (and run with your role) too

mitigate the risks
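The "No wildcard (*) IAM actions allowed" result and the "AWS Keys != Game Over" point come down to the execution role. As an added example (not from the talk, and not any real account's policy), here is a constructed over-broad role beside a least-privilege one for the same function, plus a small check a practitioner can run over whatever role a framework generated. The table name, account ID, region and log group are assumptions.

```python
import json

# Constructed over-broad execution role: leaked keys from this function are
# a full account compromise.
BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

# Same function cut down to the calls it actually makes (assumed names).
TIGHT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:Query"],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-api:*"
    }
  ]
}
""")


def _as_list(value):
    # IAM accepts a bare string or a list in Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy):
    """Return (statement index, field, value) for every Allow that grants
    '*' or 'service:*' actions, '*' resources, or uses NotAction (which is
    an allow-everything-except and therefore a wildcard in disguise)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "Action", action))
        if "NotAction" in stmt:
            findings.append((i, "NotAction", stmt["NotAction"]))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "Resource", resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("tight", TIGHT_POLICY)):
        print(name, "->", wildcard_findings(policy) or "no wildcards")
```

Run this against the role your deployment tool actually attached, not the one you think it did: a trailing `*` on a log stream ARN is normal and is not flagged, but `s3:*` or `Resource: "*"` on a function that only reads one table turns the step-two command list above from a dead end into an incident.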
Conclusion
It's talk like a pirate day!
- Developers 'n testers o'er security specialists
- Build security while we work, nah as an afterthought
- Secure implementation o'er security features
- Mitigate risks afore identifyin' more bugs
AppSec Pirate Manifesto

serverlessdaysLA-Meetup-09-19-2018
By Cody Sparky Wood