© 2019 Denim Group – All Rights Reserved
Building a world where technology is trusted.
An OWASP SAMM Perspective on Serverless Computing
February 20, 2019
Ory Segal | CTO PureSec
Dan Cornell | CTO Denim Group
Agenda
• Introduction
• Overview of Serverless Computing Security
  • Attack surfaces
  • Top risks
  • Limitations of traditional solutions
• OWASP SAMM and Serverless
  • OWASP SAMM 1.5 overview
  • Integrating serverless security into OWASP SAMM
• Questions
Overview of Serverless Computing Security
Compute as Utility
Serverless Benefits
• No servers to manage
• Continuous scaling
• Sub-second metering
• Less security responsibilities
Shared Model Of Responsibility
• Cloud provider, responsible for security “of” the cloud: regions, availability zones, edge locations; compute, storage, database, network; operating system + virtual machines + containers
• Application owner, responsible for security “in” the cloud: applications (functions); identity & access management; cloud services configuration; client-side data, data in cloud, data in transit
Security Responsibilities: IaaS vs. FaaS
Serverless Basics (diagram)
• Code repository → deploy → function {;}
• Event sources (REST API, …) → event trigger → function
• Function → interactions → cloud resources; function → output
Serverless Attack Surfaces (diagram)
• Event sources → function: event-data injection
• Code repository → function: unauthorized deployment, dependency poisoning
• Cloud resources: tamper with data
• Impact on the function {;}: compromise data, business logic abuse, bypass authentication, leak secrets, denial of service, code execution, ...
The Need For Serverless-Native Protection
• Traditional security: protects applications by being deployed on networks and servers
• Serverless: the application owner doesn't have any control over the infrastructure
• Traditional security solutions have become unsuitable
Traditional Protections Cannot Be Deployed On Serverless
• Infrastructure-layer protections (WAF / layer 7, NG-FW inbound, WSG outbound, IPS network, EPP behavioral, application-level protections) have no infrastructure to sit on in front of serverless functions
• With no infrastructure-based protections, your app security is reduced to good coding and strict configuration
Top 12 Most Critical Risks for Serverless Applications 2019
• A collaborative effort between PureSec and the CSA
• The most extensive work done on mapping the risks and mitigations for serverless applications
• SAS-1: Function Event Data Injection
• SAS-2: Broken Authentication
• SAS-3: Insecure Serverless Deployment Configuration
• SAS-4: Over-Privileged Function Permissions & Roles
• SAS-5: Inadequate Function Monitoring and Logging
• SAS-6: Insecure Third-Party Dependencies
• SAS-7: Insecure Application Secrets Storage
• SAS-8: Denial of Service & Financial Resource Exhaustion
• SAS-9: Serverless Business Logic Manipulation
• SAS-10: Improper Exception Handling and Verbose Error Messages
• SAS-11: Obsolete Functions, Cloud Resources and Event Triggers
• SAS-12: Cross-Execution Data Persistency
http://bit.ly/csa-top-12
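SAS-1 at the top of the list is what separates serverless input handling from classic web applications: event data can arrive from storage notifications, queues or schedules that no API gateway or WAF ever inspects, so the function itself is the only place the input can be checked. The following is an added example, not code from the slides or from PureSec or Denim Group: a function triggered by an object-storage notification, first trusting the event, then with the allowlist-and-bind fix. The event shape is a simplified constructed record, not any provider's exact schema, and the table contents and object keys are constructed sample data.

```python
import re
import sqlite3

# Constructed event records in the shape of an object-storage "object
# created" notification (simplified; not any provider's exact schema).
# Nothing on this path passes through an API gateway or a WAF.
BENIGN_EVENT = {"Records": [{"s3": {"object": {"key": "invoices/2019-02/acme.pdf"}}}]}
HOSTILE_EVENT = {"Records": [{"s3": {"object": {"key": "x' OR '1'='1"}}}]}

# Object keys this function is willing to process: slash-separated
# segments of word characters, dots and dashes. Everything else is rejected.
KEY_PATTERN = re.compile(r"[\w.-]+(?:/[\w.-]+)*")


def build_db():
    """In-memory table standing in for the function's metadata store (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE objects (key TEXT, owner TEXT, classification TEXT)")
    conn.executemany(
        "INSERT INTO objects VALUES (?, ?, ?)",
        [
            ("invoices/2019-02/acme.pdf", "finance", "internal"),
            ("hr/salaries.csv", "hr", "restricted"),
        ],
    )
    conn.commit()
    return conn


def object_key(event):
    """Pull the object key out of the first record of the notification."""
    return event["Records"][0]["s3"]["object"]["key"]


def vulnerable_handler(event, conn):
    """SAS-1 as it happens: the event field is trusted and spliced into SQL.
    A crafted key widens the WHERE clause and every row comes back."""
    key = object_key(event)
    query = f"SELECT key, owner, classification FROM objects WHERE key = '{key}'"
    return conn.execute(query).fetchall()


def hardened_handler(event, conn):
    """Treat every event field as untrusted: allowlist the value, then bind it
    as a parameter so the database never interprets it as SQL."""
    key = object_key(event)
    if not KEY_PATTERN.fullmatch(key):
        raise ValueError("object key rejected by allowlist")
    return conn.execute(
        "SELECT key, owner, classification FROM objects WHERE key = ?", (key,)
    ).fetchall()


def is_acceptable_key(key):
    """True when the key passes the same allowlist the hardened handler uses."""
    return KEY_PATTERN.fullmatch(key) is not None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, hostile event ->", vulnerable_handler(HOSTILE_EVENT, db))
    print("hardened, benign event    ->", hardened_handler(BENIGN_EVENT, db))
    print("hardened accepts hostile? ", is_acceptable_key(object_key(HOSTILE_EVENT)))
```

The point of the allowlist is not to replace parameter binding but to fail closed on anything the function has no business processing; logging the rejection gives the monitoring side (SAS-5) a signal that event data is being tampered with.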
PureSec Serverless Security Platform: End-to-End Protection for Serverless
• During CI/CD: analyzes each function to discover known vulnerabilities and misconfigurations (static analysis algorithms)
• When being invoked: Serverless Application Firewall controls the perimeter of each function in order to prevent malicious input from entering
• During execution: controls the function behavior in order to ensure the function behaves as intended (adaptive, uses machine learning)
• Deep unparalleled visibility
OWASP SAMM and Serverless
OWASP SAMM 1.5 Overview
• OWASP Flagship Project
• “Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization”
https://www.owasp.org/index.php/OWASP_SAMM_Project
OWASP SAMM Structure
Ranking Maturity
Serverless and OWASP SAMM
• Governance
• Construction
• Verification
• Operations
Serverless and Governance
• Strategy & Metrics
• Policy & Compliance
• Education & Guidance
Serverless: Strategy & Metrics
• Understand that Serverless moves even more agency away from network/ops staff to developers
• How do your current data classification and application risk-ranking methodologies translate to Serverless?
• How do your established security metrics translate to a Serverless environment?
Serverless: Policy & Compliance
• Characterize which workloads and data are acceptable to be pushed to Serverless environments
• Plan to characterize use of Serverless to auditors
• Leverage platform tools to characterize compliance-critical concerns like IAM configurations
Serverless: Education & Guidance
• Provide reference architecture – with security controls – to teams adopting serverless
• Environment- and language-specific secure coding guidelines for Serverless
• Current training comes in the form of conference talks and blogs – less mature vs. other areas
Serverless and Construction
• Threat Assessment
• Security Requirements
• Secure Architecture
Serverless: Threat Assessment
• Enumerate likely attacks against Serverless portions of systems
• Establish a threat model template for Serverless system components
• Challenges for naive/unsophisticated attackers vs. web applications
• Large VPCs – greater concerns about insider threats
Serverless: Security Requirements
• How does your current security requirements process translate to Serverless environments?
• Build explicit access control matrices for Serverless components of systems
Serverless: Secure Architecture
• Leverage a cloud reference architecture for Serverless components – with explicit security guidance
• You have the ability to provide very fine-grained architectural security controls
  • Accounts, VPCs, private networks
• You can also really mess things up
Serverless and Verification
• Design Review
• Implementation Review
• Security Testing
Serverless: Design Review
• Person leading this needs to be “smart” about a number of topics
• Ensure that Serverless components are included in application attack surface reviews
  • Platform administration tools can help with this attack surface enumeration
• Incorporate use of platform-specific security controls into review of Serverless components
Serverless: Implementation Review
• Adapt code review practices to work for Serverless components
  • Environment-specific
  • Language-specific
• Adopt code review tools that are effective in Serverless environments
Serverless: Security Testing
• Adapt application testing practices to work for Serverless components
  • Environment-specific concerns
• Adopt application testing tools that are effective in Serverless environments
  • Not a lot of great fuzzers at this point
  • There are decent configuration testing tools out there
Serverless and Operations
• Issue Management
• Environment Hardening
• Operational Enablement
Serverless: Issue Management
• Make sure issue and incident response plans include required access to Serverless components
• Track metrics for Serverless involvement in incidents and compromise
Serverless: Environment Hardening
• Be happy that you no longer have to patch servers!
• Provide platform-specific guidance to teams for hardening Serverless components
• Automate hardening and verification into deployment and update process for Serverless environments
• Leverage API gateways for rate-limiting and other controls
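One verification step that belongs in that automated deployment process is a least-privilege check on each function's execution role, which ties together SAS-4 (over-privileged function permissions & roles) from the Top 12 list, the IAM configuration concern under Policy & Compliance, and the configuration testing point under Security Testing. The following is an added example, not code from the slides or from either presenter's company: a linter over an IAM policy document, with an over-privileged policy beside its scoped replacement. Both policy documents are constructed; the account id, table name and log group name are placeholders.

```python
import json

# Constructed policy documents. The account id 123456789012 and the table /
# log-group names are placeholders, not real resources.
OVER_PRIVILEGED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["dynamodb:*"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}
  ]
}
""")

LEAST_PRIVILEGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-api:*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement index, message) findings for grants wider than a
    single function should ever need. Deny statements are skipped: they only
    narrow what the Allow statements grant."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "NotAction/NotResource allows everything except the listed items"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((idx, "Action '*' allows every API call of every service"))
            elif action.endswith(":*"):
                findings.append((idx, f"Action '{action}' allows every API call of one service"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "Resource '*' applies the grant to every resource"))
    return findings


def is_least_privilege(policy):
    """Gate for a deployment pipeline: True only when the linter is silent."""
    return not lint_policy(policy)


if __name__ == "__main__":
    for name, pol in [("over-privileged", OVER_PRIVILEGED_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(f"{name}: {'ok' if is_least_privilege(pol) else 'findings'}")
        for idx, msg in lint_policy(pol):
            print(f"  statement {idx}: {msg}")
```

Run against every execution role in the deployment template before the update is applied, and fail the pipeline on any finding; the same check doubles as evidence for auditors that function permissions are reviewed mechanically rather than by hand.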
Serverless: Operational Enablement
• Likely a new set of people who need to be involved – more developers/DevOps
• Incorporate Serverless logging into overall security monitoring practice
• Integrate Serverless change management into overall application change management processes
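What "incorporate Serverless logging into security monitoring" looks like in practice is detection logic over two log streams the platform already produces: the control-plane audit trail, which covers the unauthorized-deployment attack surface and the change-management point above, and the per-invocation function reports, which cover SAS-5 and SAS-8 from the Top 12 list. The following is an added example, not code from the slides or from PureSec or Denim Group, run over constructed records in the shape of CloudTrail events and Lambda REPORT lines. The deploy role, account id, function name and request ids are placeholders; the deployment API names are matched by prefix because CloudTrail appends a version suffix to them.

```python
import re

# Only the CI/CD deploy role may change function code or configuration
# (placeholder role name). Deployment API calls are matched by prefix so the
# version suffix CloudTrail appends to Lambda API names does not matter.
APPROVED_DEPLOYERS = {"arn:aws:sts::123456789012:assumed-role/ci-deploy-role/pipeline"}
DEPLOY_PREFIXES = ("CreateFunction", "UpdateFunctionCode", "UpdateFunctionConfiguration")

# Constructed control-plane audit records in the shape of CloudTrail events,
# trimmed to the fields used here.
CONTROL_PLANE_EVENTS = [
    {"eventTime": "2019-02-20T10:00:00Z", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy-role/pipeline"},
     "requestParameters": {"functionName": "orders-api"}},
    {"eventTime": "2019-02-20T11:12:00Z", "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-7"},
     "requestParameters": {"functionName": "orders-api"}},
    {"eventTime": "2019-02-20T11:13:00Z", "eventName": "Invoke",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-7"},
     "requestParameters": {"functionName": "orders-api"}},
]

# Constructed function log lines in the shape of the platform's per-invocation
# REPORT line (request ids made up); the START line shows non-REPORT lines are skipped.
REPORT_LINES = """\
REPORT RequestId: 11111111-aaaa-4000-8000-000000000001\tDuration: 102.31 ms\tBilled Duration: 200 ms\tMemory Size: 256 MB\tMax Memory Used: 48 MB
REPORT RequestId: 11111111-aaaa-4000-8000-000000000002\tDuration: 98.77 ms\tBilled Duration: 100 ms\tMemory Size: 256 MB\tMax Memory Used: 49 MB
REPORT RequestId: 11111111-aaaa-4000-8000-000000000003\tDuration: 29999.95 ms\tBilled Duration: 30000 ms\tMemory Size: 256 MB\tMax Memory Used: 251 MB
REPORT RequestId: 11111111-aaaa-4000-8000-000000000004\tDuration: 30000.00 ms\tBilled Duration: 30000 ms\tMemory Size: 256 MB\tMax Memory Used: 255 MB
START RequestId: 11111111-aaaa-4000-8000-000000000005 Version: $LATEST
"""


def unauthorized_deployments(events, approved=APPROVED_DEPLOYERS):
    """Code or configuration changed by a principal that is not the deploy
    role. Each hit is (time, actor, function)."""
    hits = []
    for ev in events:
        if not ev["eventName"].startswith(DEPLOY_PREFIXES):
            continue
        actor = ev["userIdentity"]["arn"]
        if actor not in approved:
            hits.append((ev["eventTime"], actor, ev["requestParameters"]["functionName"]))
    return hits


def _number(line, field):
    """Numeric value of 'field: <n> ms|MB' in a REPORT line, or None if absent."""
    m = re.search(rf"{field}: ([\d.]+) (?:ms|MB)", line)
    return float(m.group(1)) if m else None


def parse_reports(text):
    """Parse REPORT lines; START/END and application output are ignored."""
    reports = []
    for line in text.splitlines():
        if not line.startswith("REPORT RequestId: "):
            continue
        reports.append({
            "rid": re.search(r"RequestId: (\S+)", line).group(1),
            "billed_ms": _number(line, "Billed Duration"),
            "memory_mb": _number(line, "Memory Size"),
            "used_mb": _number(line, "Max Memory Used"),
        })
    return reports


def resource_exhaustion_signals(reports, timeout_ms=30000.0, budget_ms=20000.0, memory_ratio=0.95):
    """SAS-8 signals: invocations that ran to the configured timeout, invocations
    at the memory ceiling, and total billed time above the window's budget."""
    timeouts = [r["rid"] for r in reports if r["billed_ms"] >= timeout_ms]
    near_limit = [r["rid"] for r in reports if r["used_mb"] >= memory_ratio * r["memory_mb"]]
    total_billed = sum(r["billed_ms"] for r in reports)
    return {"timeouts": timeouts, "near_memory_limit": near_limit,
            "total_billed_ms": total_billed, "over_budget": total_billed > budget_ms}


if __name__ == "__main__":
    for hit in unauthorized_deployments(CONTROL_PLANE_EVENTS):
        print("unauthorized deployment:", hit)
    print(resource_exhaustion_signals(parse_reports(REPORT_LINES)))
```

The two thresholds (the function's configured timeout and a billed-time budget per window) are the values a team already sets when sizing the function, which is why the same developers and DevOps staff the slide names need to be the ones feeding the monitoring practice.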
Questions
@denimgroup
www.denimgroup.com
ory@puresec.io
dan@denimgroup.com
