Serverless Applications,

Containers and Security

Anderson Dadario, CISSP, CSSLP
dadario.com.br | @andersonmvd
Founder of Gauntlet.io

2
Cool stuff well talk about
- Containers
- Serverless Applications

3
Who am I?
Official (ISC) CSSLP Instructor
Founder of Gauntlet.io
Loves Software {Engineering,Security}

4
Simple deployment flow
How it works

Code Repository Users

(GIT, SVN, Server
Mercurial, etc)

Developer

5
Simple deployment flow
How it works

Code Repository Users

(GIT, SVN, Server
Mercurial, etc)

Developer Shared Private

6
Shared server

7
Shared server The Server

Your User

8
Shared server The Server

Your User

Security

- The weakest link breaks the chain

- Increased attack surface
- See dirty cow vulnerability

9
Private server

10
Private server Hypervisor (AWS / Google Cloud / Etc)

Your Server

Your User

11
Private server Hypervisor (AWS / Google Cloud / Etc)

Security

- The weakest link breaks the chain

- Decreased attack surface
- But Hypervisor may have Your Server
security flaws as well

Your User

12
Setting up your private rerver

Manually connect
through SSH & Go Nuts

13
 Setting up your private rerver
Security

- Its Ad hoc, non repeatable

- Requires a different security
approach for every server, as
theyre likely to be different
- Creates high technical debt

Manually connect
through SSH & Go Nuts

14
 Use CM Tools

... OR ...

Use Configuration
Management (CM) Tools

15
 Use CM Tools
Security

- Chef & Puppet use agents &

servers that need to be secured /
tested
... OR ...
- Server recipes make the process
repeatable
- Security needs to audit every
recipe
Use Configuration
Management (CM) Tools

16
Ansible example
---
- hosts: server Thats the
sudo: yes
sudo_user: root Infrastructure as
tasks:
Code (IaC) concept.
- name: install mysql-server
apt: name=mysql-server state=present
update_cache=yes

- name: Ensure mysql is running

service: name=mysql state=started

17
 Use cloud provider server images

... OR ...

18
 Use cloud provider server images
Security

- Only go to a cloud provider you trust. Its

like Google, theyll hold your important
assets and data
... OR ...
- Their images may be tampered, so make
sure you trust them first
- You still need to configure (and secure)
your application deploy process
- Enable 2FA

19
 Use a Platform as a Service (PaaS)

... OR ...
Platform as a Service (PaaS) -
(Send them your code and let
them manage the servers)

20
 Use a Platform as a Service (PaaS)
Security

- Its all about trust and Vendor Risk

Assessment. Youre as secure as your
PaaS provider as long as you dont
... OR ...
mess up with your personal security
(leak passwords, use weak passwords,
etc)
- Review every server requirements, Platform as a Service (PaaS) -
read everything they offer for security
(Send them your code and let
- Enable 2FA them manage the servers)

21
22
 Or go with Containers

... OR ...

Containers

23
Its like Debians chroot on
steroids!
Isolation with LESS overhead
Faster deploys
s

Faster developer onboarding

in
lla

Defense-in-depth mechanism
Vi

24
How a container is born

builds a generates

Dockerfile Docker Image Docker Containers

25
 How a container is born
Dockerfile Run Container

FROM ubuntu:14.04 $ docker run --name redis -d AndersonDadario/redis

RUN apt-get update && apt-get install -y redis-server
EXPOSE 6379
ENTRYPOINT
builds a
["/usr/bin/redis-server"]
generates

Build Image

$ docker build -t AndersonDadario/redis .

Dockerfile Docker Image Docker Containers

26
What is in a container
A container is a server with its own:
IP Address
Network
File system
Etc
Docker Containers

27
Two major ways to use containers
Microservices
Thin Containers
One process per Container
Monolithic
Fat Containers
Multiple processes per Container
Looks like a Virtual Machine (VM)
28
Typical flow with Containers

Image
Database of
Images

29
What can you do about security?
- Keep Docker Up-to-date
- Harden Docker Daemon
- Dont run containers as root
- And dont let users easily become root
- Remove SUID flags / SUDO
- Dont put sensitive files in your container
- Audit Dockerfiles
30
What can you do about security?
- Reduce Container Capabilities
- Avoid images without Dockerfile
- As you cant check whats inside so easily, e.g.,
look for backdoors
- Only install an image if you trust
- If possible verify
- Limit Container Usage (Memory/Etc) Anti-DoS
31
What can you do about security?
- Run security scanners on images
- Docker Security Scanning (Paid)
- CoreOS Clair (Open Source)
- Consider using a Container Security Platform
- Evaluated by Gartner:
- Aqua Security, CloudPassage, Docker, Magnetic.io,
Twistlock, Weaveworks
32
Enough about containers
Time is finite after all
.
.
Show me the Serverless Stuff

33
Serverless Applications

34
The Challenge
- Case Study: Dadarios Learning Platform
- Build a Serverless Application with:
- Authentication
- Authorization
- Payment Processing

35
Authentication Authentication Provider

cate
s er authenti
(3) U 0
on Auth

(4) After login, redirect

(1) GET login page user back to site with
his/her account info.

(2) Login page

with Auth0 JS

Users
dadario.com.br

36
Authorization Authentication Provider

cate
s er authenti
(3) U 0
on Auth

(4) After login, redirect

(1) GET login page user back to site with
his/her account info.

(2) Login page The account information includes

with Auth0 JS the path to each video playlist url
(hard to guess), thus there is no
Users authorization on the client side.
dadario.com.br

37
 User Database

Payment Processing
Payment Provider
g
s e r p ay usin
(3) U l
PayPa

(4) After success, PayPal

notifies an AWS API
(1) Pay course Gateway endpoint,
which runs an AWS (5) Lambda verifies
Lambda function. if request came
(2) Redirect to from PayPal and
PayPal the payment was
ok, then update
user account with
Users dadario.com.br
video playlists.

38
But there are Limitations
- Few languages available
- Cant include all libraries
- Need automation to organize multiple
functions

For some needs its a great solution.

39
And how does Security fits in?
- Vendor Risk Assessment
- Security Configuration
- Code Review
- Fuzzing
- Note: Pentest requires Vendor approval

40
Takeaways
- Development is changing, thus Security must catch up
- Your applications are safer in Containers
- Serverless Applications are real and growing

41
Resources, References & Tools
Docker
https://docs.docker.com/docker-cloud/builds/image-scan/
https://github.com/coreos/clair
https://github.com/CenturyLinkLabs/dockerfile-from-image
https://www.sumologic.com/blog-devops/securing-docker-containers/
https://www.ctl.io/developers/blog/post/tutorial-protecting-sensitive-info-docker

Serverless
https://github.com/apex/apex
https://github.com/serverless/serverless

42
 Thank you
Anderson Dadario
dadario.com.br | @andersonmvd
Founder of Gauntlet.io
Slides are available for free on https://dadario.com.br/slides

43