__NOTOC__

=Attacking and Defending Containerised Apps and Serverless Tech=

'''Two-Day Interactive Training -- OWASP New Zealand Day 2020'''

== Abstract ==

Both attacking and securing an infrastructure, or applications leveraging containers/serverless technology, require a specific skill set and a deep understanding of the underlying architecture. This training will be extremely hands-on, to help you understand all there is to attack and secure containerised and serverless applications.

== Overview ==

With organisations rapidly moving toward micro-service architectures for their applications, container and serverless technologies seem to be taking over at a rapid rate. Leading container technologies like Docker have risen in popularity and have been widely used, because they have help package and deploy consistent-state applications. Serverless and orchestration technologies, such as Kubernetes, support massive scale-up. This, in turn, can massively increase the overall attack surface, unless security is given the attention required.

Security continues to remain a key challenge that both organisations and security practitioners faced with containerised and serverless deployments. While container-orchestrated deployments may be vulnerable to security threats that plague typical application deployments, they face several specific security threats related to: the containerisation daemon, shared kernel, shared resources, secrets management, insecure configurations, role management issues, and many more! Serverless deployments, on the other hand, face risks such as: insecure serverless deployment configurations, inadequate function monitoring and logging, broken authentication, function event data injection, and insecure application secrets storage. Attacking an infrastructure, or applications leveraging containers and serverless technology, requires a specific skill-set and a deep understanding of the underlying architecture.

This training has been created with the objective of understanding both offensive and defensive security for container-orchestrated and serverless deployments. It will be a two-day program detailing specific theory elements, with extensive hands-on exercises modeling real-world threat scenarios. Attendees will learn ways in which containerised and serverless deployments can be attacked, so they can understand how to make them secure yet scalable, efficient, and effective.

== Target Audience ==

This course is aimed at Developers, DevOps Engineers, Penetration Testers, Security Practitioners, and other who use container or serverless technology as part of their product deployments, and want to gain a good understanding on how to secure their services and deployments.

== Course Details ==

'''Dates:''' Wednesday and Thursday, 19-20 February 2020

'''Time:''' 8:45 a.m. to 5:30 pm.

'''Course Fee:''' NZ $1,250.00 (plus EventBrite fees)

'''Registration Site:''' https://owaspnz2020-training.eventbrite.com

'''Prerequisite Skills:'''

* Students should have a basic understanding of Linux environment and know their way around the terminal
* A basic understanding of ‘OWASP TOP-10 Vulnerabilities’ and ‘Basics of Docker’ will be helpful, but not necessary

'''Attendees Should Bring:'''

* Attendees should bring a laptop, with an updated browser for accessing the lab environment(s). We have observed that Chrome or Firefox works best.
* All the hands-on labs will be run on cloud environments that can be provisioned on-demand using our lab management system during the training.

'''Attendees Will Be Provided:'''

* All course materials (slides, code, and setup files) will be available to download during the training
* Access to the lab management system we use for labs, which has been widely appreciated

'''Instructors:''' Pavan Kumar and Sharath Kumar Ramdas

'''Instructors' Organisation:''' [https://www.we45.com we45]

== Course Topics ==

The training includes, but is not limited to, the following topic areas in Container Security and Serverless Deployment:

* Introduction to Container Technology
* Deep-dive into Container Technology
* Introduction to Docker and other container engines
* Containerised Deployments and Container Orchestration Technologies
* Container Threat Model
* Attacking Containers and Security deep-dive
* Container Orchestration Deep-dive
* Introduction to Kubernetes
* Threat Model of Orchestration technologies
* Attacking Kubernetes
* Kubernetes Defense-in-Depth and Vulnerability Assessment
* Logging & Monitoring Orchestrated deployments
* Introduction to Serverless
* Deploying Application to AWS Lambda
* Serverless Threat-Model
* Attacking a Serverless Stack
* Serverless Security Deep-dive

== Detailed Course Outline ==

=== Day 1 - Wednesday ===

'''Evolution to Container Technology, and Container Tech Deep-Dive'''

* Introduction to Container Technology
** Namespace
** Cgroups
** Mount
* Hands-on Lab: Setting up a minimal container

'''Introduction to Containerised Deployments - Understanding and getting comfortable using Docker'''

* An introduction to containers
** LXC and Linux containers
** Introducing Docker images and containers
* Deep dive into Docker
** Docker commands and cheat sheet
** Hands-on exercises:
*** Docker commands
*** Dockerfile
*** Images
** Docker Compose
** Hands-on: Docker Compose commands

'''Threat Landscape - An Introduction to possible threats and attack surface when using Containers for Deployments'''

* Threat model for containerised deployments
** Daemon-related threats
** Network-related threats
** OS and Kernel threats
** Threats with application libraries
** Threats from containerised applications
* Traditional threat modelling for containers, using STRIDE

'''Attacking and Securing Containers'''

* Attacking containers and containerised deployments
* Hands-on exercises:
** Container breakout
** Exploiting insecure configurations
** OS- and Kernel-level exploits
** Trojanised Docker image
* Container security deep dive
* Hands-on:
** AppArmor/SecComp
** Restricting capabilities
** Analysing Docker images
* Container security mitigations
* Hands-on: Container vulnerability assessment
** Clair
** Dagda
** Anchore
** Docker-bench

'''Introduction to Kubernetes'''

* Understanding Kubernetes components and architecture
* Hands-on: Exploring Kubernetes Cluster, deploying application to Kubernetes

=== Day 2 - Thursday ===

'''Attacking Kubernetes Cluster'''

* Kubernetes threat model
* Hands-on:
** Attacking application deployed on Kubernetes
** Exploiting a vulnerable Kubernetes cluster

'''Kubernetes security deep dive'''

* Kubernetes security mind map
* Hands-on: Ideal security journey - Kubernetes
** Pod Security
** Access Control
** Secrets Management
* Hands-on: Kubernetes vulnerability assessment
** Kube-sec
** Kube-hunter
** Kube-bench
* Hands-on: Logging and monitoring
** Resource utilisation
** Malicious behavioural activity monitor

'''Serverless Introduction'''

* Understanding serverless and Function-as-a-Service (FAAS)
* Introduction to AWS Lambda, and other serverless options
* Hands-on: Deploying a serverless application

'''Attacking Serverless Applications'''

* [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10 for Serverless Applications] (PDF)
* Hands-on: Attacking serverless applications
** Injection-based attacks
** Broken authentication attacks
** Deserialisation attacks
* Securing serverless applications
** Identity and access management (IAM)
** Secrets management
** Logging and monitoring functions
* Hands-on: Serverless vulnerability assessment
** Static code analysis (SCA)
** Static application security testing (SAST)
** Dynamic application security testing (DAST)

== Your Instructors ==

'''Nithin Jois''' - Nithin is a Solutions engineer at we45 - an Application Security-focused company. He has helped build 'Orchestron,' a leading Application Vulnerability Correlation and Orchestration Framework. He is experienced in orchestrating containerised deployments securely to production. Nithin and his team have extensively used Docker APIs as a cornerstone to most of we45-developed security platforms and he has also helped clients deploy their applications securely. Nithin is a passionate open source enthusiast and is the co-lead-developer of ThreatPlaybook, an open-source framework that facilitates threat modelling as code is married with application security automation on a single fabric. He has also written multiple libraries that complement ThreatPlaybook.

Nithin is an automation junkie who has built scalable scanner integrations that leverage containers to the hilt, and is passionate about ecurity, containers, and serverless technology. He speaks at Meetup groups, webinars, and training sessions. He participates in multiple CTF events and has worked on creating intentionally vulnerable applications for CTF competitions and secure coding training. Nithin has spoken and presented training at numerous events, including Global AppSec-DC (2019), AppSec USA (2018), LASCON 2018, AppSec Cali (2019 and 2020), and CodeBlue-Japan. In his spare time, he loves reading about personal finance, leadership, fitness, cryptocurrency, and similar topics. Nithin is an avid traveller and loves sharing stories over a cup of hot coffee.

'''Sharath Kumar Ramdas''' - Sharath is the Lead Solutions Engineer at we45. He has architected and developed multiple solutions around security engineering, including an Application Vulnerability Correlation tool called Orchestron. As part of his experience with Application Security, Sharath has developed integrations for multiple security products including DAST, SAST, SCA and Cloud environments.

Sharath has extensive experience with Cloud Deployments and Container Native Deployments. As part of his role in a security organization, he has led teams that have created intentionally vulnerable apps for CTF competitions both inside and outside we45.

Sharath is a speaker at multiple meetups around Cloud, Containers, Python, DevOps and DevSecOps. He is also the co-author of the Container Security Training Program from we45.