I Love APIs 2015: Apigee and Node.js Building Mock Backends Fast
Seu SlideShare está sendo baixado.
×
Confira estes a seguir
Recomendadas
Mais Conteúdo rRelacionado
Diapositivos para si (20)
Semelhante a DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps Sharath Kumar Ramadas (20)
Mais de DevSecCon (20)
Mais recentes (20)
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps Sharath Kumar Ramadas
- 1. Singapore | 28 Feb - 01 Mar 2019 An Attacker's View of Serverless and GraphQL Apps Sharath Kumar Ramadas
- 2. Singapore | 28 Feb - 01 Mar 2019 About Me • Lead Solutions Engineer • we45 - An AppSec Company • Trainer - DevSecOps, Containers & Serverless • Developer - DVFAAS, Orchestron & ThreatPlayBook • Developer → DevOps → DevSecOps @sharathkramadas @sharathkramadas
- 3. Singapore | 28 Feb - 01 Mar 2019 Agenda • Intro to Serverless • Serverless Attacks • Intro to GraphQL • GraphQL Attacks • Demos
- 4. Singapore | 28 Feb - 01 Mar 2019 SERVERLESS
- 5. Singapore | 28 Feb - 01 Mar 2019 Serverless • Functions deployed as ephemeral containers/vms • Functions As A Service (FAAS) • Event trigger architecture • Supports major runtimes • Python, NodeJS, C#, GO, Ruby • Custom runtime also
- 6. Singapore | 28 Feb - 01 Mar 2019 Serverless Journey
- 7. Singapore | 28 Feb - 01 Mar 2019 Functions
- 8. Singapore | 28 Feb - 01 Mar 2019 Why Serverless? • Pay per usage • No server management • Microservices Friendly • Auto-Scalable • Focus on code/features, don’t worry about servers
- 9. Singapore | 28 Feb - 01 Mar 2019 FAAS Providers
- 10. Singapore | 28 Feb - 01 Mar 2019 Architecture
- 11. Singapore | 28 Feb - 01 Mar 2019 Serverless Use-Cases • ChatBots • Event driven apps • Notification Channels (SMS, Email) • Scheduled Jobs • Product websites • Lot more …..
- 12. Singapore | 28 Feb - 01 Mar 2019 Let’s Deploy!
- 13. Singapore | 28 Feb - 01 Mar 2019 Functions with Events
- 14. Singapore | 28 Feb - 01 Mar 2019 An Attacker’s View • Functions are still code • No frameworks involved • Functions as events increases attack surface • Developers are new to servers • Still needs configuration
- 15. Singapore | 28 Feb - 01 Mar 2019 Attackers are Snipers! • Aimed • Committed • Patient • Invisible • Takes clear Shot
- 16. Singapore | 28 Feb - 01 Mar 2019 Claim your expenses
- 17. Singapore | 28 Feb - 01 Mar 2019 Extensive Privileged Functions • Functions with extensive privileges lead to infrastructure compromise • Cloud providers store secrets in plain text • Misconfigured roles can lead to wide spectrum of attacks • Events are most vulnerable due to lack of Authentication and Authorization • Pay per usage model turns out to be expensive.
- 18. Singapore | 28 Feb - 01 Mar 2019 Accenture S3 Breach
- 19. Singapore | 28 Feb - 01 Mar 2019 Fedex Breach
- 20. Singapore | 28 Feb - 01 Mar 2019 Serverless Top 10 • Event data injection • Broken Authentication • Insecure deployment configuration • Over privileged function permissions & roles • Inadequate function monitoring and logging • Insecure 3rd party dependencies • Insecure application secrets storage • DOS and Financial resource exhaustion • Function Execution Flow Manipulation • Improper Exception Handling and Verbose Error Messages
- 21. Singapore | 28 Feb - 01 Mar 2019 Serverless (Security) Best Practices • Functions with minimal access credentials • Remove insecure dependencies before production • Run SAST scans before code commit • Restrict memory usage for a function • Encrypt the secrets avoid environment variables • Use FAAS providers authorization for access control (ex: AWS Cognito) • Write security test cases and run in CI/CD @sharathkramadas
- 22. Singapore | 28 Feb - 01 Mar 2019 GraphQL
- 23. Singapore | 28 Feb - 01 Mar 2019 GraphQL • A query language for API • Tech from Facebook • Query what you want forget about the ‘REST’ • Single endpoint for API calls • Lightweight
- 24. Singapore | 28 Feb - 01 Mar 2019 REST GraphQL VS
- 25. Singapore | 28 Feb - 01 Mar 2019 Terminology • Type • Schema • Query • Mutation • Subscription • Introspection • Schema Stitching
- 26. Singapore | 28 Feb - 01 Mar 2019 Let’s Demo
- 27. Singapore | 28 Feb - 01 Mar 2019 An Attacker’s View • No response size limiting • Introspection is nice! • Single endpoint access control
- 28. Singapore | 28 Feb - 01 Mar 2019 Demo Want to get more powers!
- 29. Singapore | 28 Feb - 01 Mar 2019 Mass Assignment • Frameworks allow to save the raw dump of HTTP request data • Attackers can guess the sensitive fields • Sensitive fields can allow to escalate privileges • GraphQL has introspection enabled by default • Introspection leaks the sensitive fields information • GraphQL supports JSON Scalar
- 30. Singapore | 28 Feb - 01 Mar 2019 GitHub Attack
- 31. Singapore | 28 Feb - 01 Mar 2019 Let’s burn few dollars
- 32. Singapore | 28 Feb - 01 Mar 2019 Serverless Cost
- 33. Singapore | 28 Feb - 01 Mar 2019 Resource Exhaustion • aka Denial-Of-Service attack • Overwhelmed requests to crash the server • Causes memory leak and resource exhaust • Serverless + GraphQL = (pay per usage + scale) • 2 million requests * 3 dollar per query = (I will live it to your imagination!)
- 34. Singapore | 28 Feb - 01 Mar 2019 Recent Attack
- 35. Singapore | 28 Feb - 01 Mar 2019 GraphQL (Security) Best Practices • Disable introspection • Disable playground in production • Limit the query size • Depth limiting for nested queries • Avoid scalars use input types
- 36. Singapore | 28 Feb - 01 Mar 2019 Hack It Yourself! https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service
- 37. Singapore | 28 Feb - 01 Mar 2019 Things to consider • OWASP Top 10 • Serverless Top 10 • SAST and SCA tools • Threat-Modeling
- 38. Singapore | 28 Feb - 01 Mar 2019 Key Takeaways • Serverless security is still an application security problem • Roles and Permissions should be well thought of • Secure coding practices need to be followed • Resource limitations is highly recommended
- 39. Singapore | 28 Feb - 01 Mar 2019 Thank You @sharathkramadas @sharathkramadas
