SHACK

Attacking and Defending Containerized Apps and Serverless Tech

Instructors

Nithin Jois

Nithin Jois is a Solutions engineer at we45 - a focused Application Security company. He has helped build 'Orchestron' - A leading Application Vulnerability Correlation and Orchestration Framework. He is experienced in Orchestrating containerized deployments securely to Production. Nithin and his team have extensively used Docker APIs as a cornerstone to most of we45 developed security platforms and he has also helped clients of we45 deploy their Applications securely. Nithin is a passionate Open Source enthusiast and is the co-lead-developer of ThreatPlaybook - An Open Source framework that facilitates Threat Modeling as Code married with Application Security Automation on a single Fabric. He has also written multiple libraries that complement ThreatPlaybook.

Nithin is an automation junkie who has built Scalable Scanner Integrations that leverage containers to the hilt and is passionate about Security, Containers and Serverless technology. He speaks at meetup groups, webinars and training sessions. He participates in multiple CTF events and has worked on creating Intentionally Vulnerable Applications for CTF competitions and Secure Code Training. Nithin will be a trainer at AppSecUS 2018, LasCon 2018 and CodeBlue Japan and, will be delivering a 2-day training on 'Container Security, Serverless, and Orchestration Training'. In his spare time, he loves reading about personal finance, leadership, fitness, cryptocurrency, and other such topics. Nithin is an avid traveler and loves sharing stories over a cup of hot coffee or a mug of cold beer

Abhay Bhargav

Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to his work in Application Security Automation, he has created “ThreatPlaybook”, a unique open-source framework that marries Threat-Modeling (as-Code) with Application Security Automation. ThreatPlaybook has been featured in several industry events and been recently featured in BlackHat USA 2018’s Arsenal event. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security, namely Containers, Orchestration and Serverless Architectures. Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan) and so on. He’s also an author and trainer on Pluralsight. He writes on IT and IT Security-focused areas in his blog. Abhay is the author of two international publications “Secure Java: For Web Application Development” and “PCI Compliance: A Definitive Guide

Training Dates

25 - 27 March 2019

Description

With Organizations rapidly moving towards micro-service style architecture for their applications, container and serverless technology seem to be taking over at a rapid rate. Leading container technologies like Docker have risen in popularity and have been widely used because they have helped package and deploy consistent-state applications. Serverless and Orchestration technologies like Kubernetes help scale such deployments to a massive scale which can potentially increase the overall attack-surface to a massive extent, if security is not given the attention required.

Security continues to remain a key challenge that both Organizations and Security practitioners face with containerized and, serverless deployments. While containerorchestrated deployments may be vulnerable to security threats that plague any typical application deployments, they face specific security threats related to the containerization daemon, shared kernel, shared resources, secret management, insecure configurations, role management issues and many more! Serverless deployments on the other hand, face risks such as insecure serverless deployment configurations, Inadequate function monitoring and logging, Broken authentication, Function event data injection & Insecure application secrets storage. Attacking an infrastructure or Applications leveraging containers and serverless technology requires specific skill-set and a deep understanding of the underlying architecture.

This training has been created with the objective of understanding both offensive and defensive security for container orchestrated and serverless deployments. It will be a 2 day program that will detail through specific theory elements with extensive hands-on exercises that are similar to real-world threat scenarios that the attendees will understand and take part in and, will also understand ways in which containerized and serverless deployments can be attacked, made secure, yet scalable, efficient and effective.

The training consists of, but not limited to the following focus areas in Container Security and Serverless Deployment:

  • Introduction to Container Technology
  • Containerized Deployments and Container Orchestration Technologies
  • Container Threat-Model
  • Attacking Containers and Security deep-dive
  • Introduction to Kubernetes
  • Threat-Model of Orchestration technologies
  • Attacking Kubernetes
  • Kubernetes Defense-in-Depth
  • Logging & Monitoring Orchestrated deployments
  • Introduction to Serverless
  • Deploying Application to AWS Lambda
  • Serverless Threat-Model
  • Attacking a Serverless Stack
  • Serverless Security Deep-dive

Topics

Day 1

Session 1

Evolution to Container Technology and Container Tech Deep-Dive:

  • Introduction to Container Technology
    • Namespace
    • Cgroups
    • Mount
  • Hands-on Lab: Setting up a Minimal Container with nothing but Namespaces and CGroups

Introduction to Containerized Deployments - Understanding and getting comfortable using Docker.

  • An Introduction to containers
    • LXC and Linux Containers
    • Introducing Docker Images and Containers
  • Deep-dive into Docker
    • Docker Commands and Cheatsheet
    • Hands-on:
      • Docker commands
      • Dockerfile
      • Images

Session 2

Introduction to Basic Container Orchestration with Docker-Compose

  • Docker Compose
    • Introduction to docker-compose
    • Hands-on:
      • Docker-compose commands
  • Docker Compose Deep-Dive
  • Application Deployment Using docker
    • Hands-on
      • Containerize an application
      • Deploying a containerized application
      • Deploy a containerized application using docker-compose

Threat Landscape- An Introduction to possible threats and attack surface when using Containers for Deployments.

Session 3

Attacking Containers and Containerized Deployments

  • Attacking Containers and Containerized Deployments
    • Hands-on
      • Container Breakout
      • Exploiting Insecure Docker Configurations
      • OS and Kernel level exploits
      • Trojanized Docker images

Securing Containers and Container Deployments

  • Container Security Deep-Dive
    • Hands-on
      • AppArmor/SecComp
      • Restricting Capabilities
      • Analysing Docker images
    • Container Security Mitigations
    • Hands-on: Container Vulnerability Assessment
      • Clair
      • Dagda
      • Anchore
      • Docker-bench

Day 2

Session 1

Introduction to Scalable Container Orchestrators

  • Introduction to Container Orchestrators
  • Getting started with Kubernetes
  • Understanding Kubernetes Architecture and Components
  • Hands-on:
    • Exploring Kubernetes Cluster
    • Deploying application to Kubernetes

Session 2

Attacking Kubernetes Cluster

  • Kubernetes Threat Model
  • Attack Surface for a Kubernetes Cluster
  • Hands on:
    • Attacking application deployed on Kubernetes
    • Exploiting a Vulnerable Kubernetes cluster
    • Maintaining Persistent Access and Pivoting in the K8s Cluster
  • Dissecting the K8s Attack and identifying Security Missteps

Session 3

Kubernetes Security Deep-Dive

  • K8s Threat Model and its counterpoint in Security Practices
  • Hands-on: Ideal Security Journey: Kubernetes
    • Pod Security
    • Access Control
    • Secret Management
  • Hands-on: Kubernetes Vulnerability Assessment
    • Kube-sec
    • Kube-hunter
    • Kube-bench
  • Hands-on: Logging and Monitoring
    • Logging and Monitoring specific Parameters within the K8s Cluster
    • Identifying anomalies (especially security) with the K8s Cluster
  • Hands-on: Kubernetes Network Security Implementation
    • Network Security Policy
    • Service Mesh - Istio/Envoy

Day 3

Session 1

Serverless Introduction

  • Understanding Serverless and FAAS(Function-As-A-Service)
  • Quick tour of FAAS(Function-As-A-Service) and BAAS(Backend-As-A-Service)
  • Introduction to AWS Lambda, S3, Open-FAAS and other Serverless options

Serverless Deep-Dive

  • Introduction to Architecture of Serverless Deployments
  • Hands-on: Deploying a Serverless application

Session 2

Attacking Serverless applications

  • Serverless Architectures Security Top 10 - A Project similar to OWASP Top 10 for Serverless Apps
  • Function Data Event Injection Attacks against FaaS Implementations:
    • Hands-on Labs - Function Data Event Injection (Multiple Sources)
    • Other Injection and Remote Code Execution attacks against Serverless Apps
  • Broken Access Control
    • Hands-on: Attacking Stateless Authentication and Authorization (JSON Web Tokens)
      • Algorithm Confusion
      • Inherent JWT flaws - none signed token, etc
      • Attacks based on JWK and JWT Claims
    • Attacking Identity and Access Management through Serverless Implementations
      • Hands-on: View of IAM Sprawl and Permissions
      • Hands-on: Attacking with DynamoDB Injection + IAM Permissions creep
  • Other Serverless Attacks
    • Hands-on: Extracting Secrets from FaaS Implementations
    • Hands-on: Leveraging Vulnerabilities like ReDOS to perform Resource Exhaustion Attacks
    • Hands-on: Exploiting Function Execution Order for fun and profit!

Session 3

Securing Serverless applications

  • Securing Serverless applications
    • Identity and Access Management
    • Secret management
      • Hands-on Secrets Management with AWS Secret Manager + Rotation
    • Logging and Monitoring Functions
      • Hands-on: Security Practices for Logging Serverless Functions
      • Hands-on Using AWS X-Ray/Zipkin to leverage tracing for security
  • Hands-on: Serverless Vulnerability Assessment
    • Static Code Analysis[SCA]
    • Static Application Security Testing[SAST]
    • Dynamic Analysis Security Testing[DAST]

Capture The Flag

  • Attacking a Serverless Application - mini CTF Segment

Course Requirements

Student Requirements

  • Students should have a basic understanding of Linux environment and know their way around the terminal.
  • A basic understanding of OWASP TOP-10 Vulnerabilities and Basics of Docker will be helpful

Hardware and Software Requirements

  • Intel i5 and above preferred, 64bit Operating System (32 bit will NOT work), 8GB+ RAM preferred. Netbooks WONT work
  • Minimum 80GB HDD space available
  • Working WiFi adapter with ability to connect to third party wireless networks
  • User must be able to use the USB port of the laptop to copy, install and run the Virtual Machine, which will be delivered in a USB Mass Storage Device(Flash Drive).
    • Soft copy of the Slides and the VMs will be given to participants on a USB Flash Drive that will be formatted with the NTFS format.
  • Please download and install the latest installation of Oracle VM VirtualBox
  • We have observed that Windows laptops often come with Virtualization options disabled in the BIOS. In such cases, the Virtual Machine and the workshop exercises wont work. Please ensure that the following measures are taken to make your laptop available for Virtualization
  • You must have access to your BIOS menu. This can be accessed by pressing F12 (not all laptops, some may have a different key to access the BIOS menu). In some cases, there may be a password to access the BIOS menu. Please ensure that you have a password (if required) to access the BIOS menu.
  • A valid AWS account with paid/free-tier access to Lambda with permission to deploy and run lambda applications will be necessary.