This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP NZ Day 2020-Training-Attacking and Defending Containerised Apps and Serverless Tech"

From OWASP
Jump to: navigation, search
(Created page with "__NOTOC__ = Attacking and Defending Containerised Apps and Serverless Tech = '''Interactive Training -- OWASP New Zealand Day-2020''' == Abstract == Both attacking and sec...")
 
(Your Instructors)
 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
__NOTOC__
 
__NOTOC__
  
= Attacking and Defending Containerised Apps and Serverless Tech =
+
=Attacking and Defending Containerised Apps and Serverless Tech=
  
'''Interactive Training -- OWASP New Zealand Day-2020'''
+
'''Two-Day Interactive Training -- OWASP New Zealand Day 2020'''
  
 
== Abstract ==
 
== Abstract ==
Line 16: Line 16:
  
 
This training has been created with the objective of understanding both offensive and defensive security for container-orchestrated and serverless deployments. It will be a two-day program detailing specific theory elements, with extensive hands-on exercises modeling real-world threat scenarios. Attendees will learn ways in which containerised and serverless deployments can be attacked, so they can understand how to make them secure yet scalable, efficient, and effective.
 
This training has been created with the objective of understanding both offensive and defensive security for container-orchestrated and serverless deployments. It will be a two-day program detailing specific theory elements, with extensive hands-on exercises modeling real-world threat scenarios. Attendees will learn ways in which containerised and serverless deployments can be attacked, so they can understand how to make them secure yet scalable, efficient, and effective.
 +
 +
== Target Audience ==
 +
 +
This course is aimed at Developers, DevOps Engineers, Penetration Testers, Security Practitioners, and other who use container or serverless technology as part of their product deployments, and want to gain a good understanding on how to secure their services and deployments.
 +
 +
== Course Details ==
 +
 +
'''Dates:''' Wednesday and Thursday, 19-20 February 2020
 +
 +
'''Time:''' 8:45 a.m. to 5:30 pm.
 +
 +
'''Course Fee:''' NZ $1,250.00 (plus EventBrite fees)
 +
 +
'''Registration Site:''' https://owaspnz2020-training.eventbrite.com
 +
 +
'''Prerequisite Skills:'''
 +
 +
* Students should have a basic understanding of Linux environment and know their way around the terminal
 +
* A basic understanding of ‘OWASP TOP-10 Vulnerabilities’ and ‘Basics of Docker’ will be helpful, but not necessary
 +
 +
'''Attendees Should Bring:'''
 +
 +
* Attendees should bring a laptop, with an updated browser for accessing the lab environment(s). We have observed that Chrome or Firefox works best.
 +
* All the hands-on labs will be run on cloud environments that can be provisioned on-demand using our lab management system during the training.
 +
 +
'''Attendees Will Be Provided:'''
 +
 +
* All course materials (slides, code, and setup files) will be available to download during the training
 +
* Access to the lab management system we use for labs, which has been widely appreciated
 +
 +
'''Instructors:''' Pavan Kumar and Sharath Kumar Ramdas
 +
 +
'''Instructors' Organisation:''' [https://www.we45.com we45]
  
 
== Course Topics ==
 
== Course Topics ==
Line 39: Line 72:
 
* Serverless Security Deep-dive
 
* Serverless Security Deep-dive
  
== Target Audience ==  
+
== Detailed Course Outline ==
 +
 
 +
=== Day 1 - Wednesday ===
 +
 
 +
'''Evolution to Container Technology, and Container Tech Deep-Dive'''
 +
 
 +
* Introduction to Container Technology
 +
** Namespace
 +
** Cgroups
 +
** Mount
 +
* Hands-on Lab: Setting up a minimal container
 +
 
 +
'''Introduction to Containerised Deployments - Understanding and getting comfortable using Docker'''
 +
 
 +
* An introduction to containers
 +
** LXC and Linux containers
 +
** Introducing Docker images and containers
 +
* Deep dive into Docker
 +
** Docker commands and cheat sheet
 +
** Hands-on exercises:
 +
*** Docker commands
 +
*** Dockerfile
 +
*** Images
 +
** Docker Compose
 +
** Hands-on: Docker Compose commands
 +
 
 +
'''Threat Landscape - An Introduction to possible threats and attack surface when using Containers for Deployments'''
 +
 
 +
* Threat model for containerised deployments
 +
** Daemon-related threats
 +
** Network-related threats
 +
** OS and Kernel threats
 +
** Threats with application libraries
 +
** Threats from containerised applications
 +
* Traditional threat modelling for containers, using STRIDE
 +
 
 +
'''Attacking and Securing Containers'''
  
 +
* Attacking containers and containerised deployments
 +
* Hands-on exercises:
 +
** Container breakout
 +
** Exploiting insecure configurations
 +
** OS- and Kernel-level exploits
 +
** Trojanised Docker image
 +
* Container security deep dive
 +
* Hands-on:
 +
** AppArmor/SecComp
 +
** Restricting capabilities
 +
** Analysing Docker images
 +
* Container security mitigations
 +
* Hands-on: Container vulnerability assessment
 +
** Clair
 +
** Dagda
 +
** Anchore
 +
** Docker-bench
  
 +
'''Introduction to Kubernetes'''
  
== Course Details ==
+
* Understanding Kubernetes components and architecture
 +
* Hands-on: Exploring Kubernetes Cluster, deploying application to Kubernetes
  
'''Date:''' Thursday, 21 February 2019
+
=== Day 2 - Thursday ===
  
'''Time:''' 8:45 a.m. to 5:30 pm.
+
'''Attacking Kubernetes Cluster'''
  
'''Course Fee:''' $500.00 (NZD)
+
* Kubernetes threat model
 +
* Hands-on:
 +
** Attacking application deployed on Kubernetes
 +
** Exploiting a vulnerable Kubernetes cluster
  
'''Registration Site:''' https://owaspnz2019-training.eventbrite.com
+
'''Kubernetes security deep dive'''
  
'''Location:''' University of Auckland School of Business, 12 Grafton Road, Auckland - Lower Level
+
* Kubernetes security mind map
 +
* Hands-on: Ideal security journey - Kubernetes
 +
** Pod Security
 +
** Access Control
 +
** Secrets Management
 +
* Hands-on: Kubernetes vulnerability assessment
 +
** Kube-sec
 +
** Kube-hunter
 +
** Kube-bench
 +
* Hands-on: Logging and monitoring
 +
** Resource utilisation
 +
** Malicious behavioural activity monitor
  
'''Target Audience:''' Web Developers, Software Engineers, Application Security Professionals
+
'''Serverless Introduction'''
  
'''Skill Level:''' Basic - All levels are welcome, no prior threat modelling or software development experience is assumed.
+
* Understanding serverless and Function-as-a-Service (FAAS)
 +
* Introduction to AWS Lambda, and other serverless options
 +
* Hands-on: Deploying a serverless application
  
'''Required Materials:''' A laptop computer is not required for this class. If you wish, you can bring a laptop; power should be available, and WiFi access will be provided. For non-Windows computers, if you would like to install and use the Microsoft Threat Modeling Tool, a virtualisation tool (e.g., Virtual Box) and a Windows virtual machine will be needed.
+
'''Attacking Serverless Applications'''
  
'''Materials Provided:''' Each attendee will receive a copy of Adam Shostack's book ''Threat Modeling: Designing for Security,'' a deck of ''Elevation of Privilege'' cards, and other printed resources
+
* [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10 for Serverless Applications] (PDF)
 +
* Hands-on: Attacking serverless applications
 +
** Injection-based attacks
 +
** Broken authentication attacks
 +
** Deserialisation attacks
 +
* Securing serverless applications
 +
** Identity and access management (IAM)
 +
** Secrets management
 +
** Logging and monitoring functions
 +
* Hands-on: Serverless vulnerability assessment
 +
** Static code analysis (SCA)
 +
** Static application security testing (SAST)
 +
** Dynamic application security testing (DAST)
  
'''Instructor:''' Dr. John DiLeo
+
== Your Instructors ==
  
'''Instructor's Organisation:''' OWASP New Zealand Chapter
+
'''Pavan Kumar''' - Pavan is a Senior Security Lead at we45. He has worked and led multiple penetration testing projects of web, mobile applications, and Infrastructure for Fortune 500 companies in different domains such as data storage, manufacturing and E-commerce. He has done in-depth research on AWS cloud services and is an expert in identifying vulnerabilities related to AWS cloud.
  
== Supporting Materials ==
+
Pavan has identified several critical P1 flaws in private Bug Bounty programs. He has also written custom scripts to automate multiple reconnaissance activities done during audits of applications.  He has also conducted trainings and spoken in multiple meetup events on his research associated with new vulnerability discovery and exploits. Pavan participates in multiple CTF events (Defcon, HacktheBox, etc.) and has worked on creating Intentionally Vulnerable Applications for CTF competitions and Secure Code Training.
  
* [[Media:Slide Deck - Threat Modelling.pdf|Slide Deck (PDF, 4.1 MB)]]
+
'''Sharath Kumar Ramdas''' - Sharath is the Lead Solutions Engineer at we45. He has architected and developed multiple solutions around security engineering, including an Application Vulnerability Correlation tool called Orchestron. As part of his experience with Application Security, Sharath has developed integrations for multiple security products including DAST, SAST, SCA and Cloud environments.
* Presentation Slides: [http://i.blackhat.com/us-18/Wed-August-8/us-18-Shostack-Threat-Modeling-in-2018.pdf Adam Shostack - Threat Modeling in 2018] (PDF, adam.shostack.org)
 
* Presentation by Irene Michlin at AppSec EU 2017 - Incremental Threat Modeling [https://www.youtube.com/watch?v=WePVoeYrhpg Video (YouTube)], [https://2017.appsec.eu/presos/CISO/Incremental%20Threat%20Modelling%20-%20Irene%20Michlin%20-%20OWASP_AppSec-Eu_2017.pdf Slide Deck (PDF)]
 
* Presentation at AppSec EU 2009 - [https://www.owasp.org/images/7/79/AppSecEU09_OWASP_EU_Threat_Modeling.ppt What Is Threat Modeling?] (PPT)
 
* Presentation at AppSec EU 2009 - [https://www.owasp.org/images/7/79/AppSecEU09_OWASP_EU_Threat_Modeling.ppt Advanced Threat Modeling] (PPT)* Software Engineering Institute White Paper - [https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_524597.pdf Threat Modeling: A Summary of Available Methods] (PDF)
 
* RSA 2017 Conference Learning Lab - [https://www.rsaconference.com/writable/presentations/file_upload/lab3-w04_threat-modeling-demystified.pdf Threat Modeling Demystified] (PDF)
 
* SAFECode White Paper - [https://safecode.org/safecodepublications/tactical-threat-modeling/ Tactical Threat Modeling] (PDF)
 
* [[Media:STRIDE Reference Sheets.pdf|STRIDE Reference Sheets (PDF, 112 kB)]], excerpted from Shostack text
 
* [[Media:Threat Modelling - STRIDE Cards - TW Branded.pdf|STRIDE Reference Cards (PDF, 5.0 MB)]], produced and branded by ThoughtWorks
 
* [https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2A3xt Microsoft Bug Bar Example] (PDF)
 
* [https://www.microsoft.com/en-us/securityengineering/sdl/ Microsoft's SDL Resource Site]
 
* [https://www.microsoft.com/en-nz/download/details.aspx?id=20303 Download Page] for <i>Elevation of Privilege</i> Card Decks
 
* OWASP Resource Sites:
 
** [[OWASP Threat Model Project|Threat Model Project Home Page]]
 
** [https://www.owasp.org/index.php/Category:Threat_Modeling Threat Modelling Category Page]
 
** [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Threat_Modeling_Cheat_Sheet.md OWASP Threat Modeling Cheat Sheet] (MarkDown, on GitHub)
 
  
== Your Instructor ==
+
Sharath has extensive experience with Cloud Deployments and Container Native Deployments. As part of his role in a security organization, he has led teams that have created intentionally vulnerable apps for CTF competitions both inside and outside we45.
  
'''Dr. John DiLeo''' - John is the Auckland-area leader of the OWASP New Zealand Chapter, and is employed as the Application Security Architect at Orion Health, a global company specialising in health information software. In his current role, he is responsible for developing and managing the enterprise's software assurance progamme, with emphasis on governance, secure development practices, and security training. Before specialising in application security, John was active as a Java enterprise architect and Web application developer (mostly Java EE and LAMP). In an earlier life, John had specialised in developing discrete-event simulations of large distributed systems, in a variety of languages - including the Java-based language (FreeSML) he developed as part of his doctoral research. John is also a member of the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, and of the OWASP Application Security Curriculum Project.
+
Sharath is a speaker at multiple meetups around Cloud, Containers, Python, DevOps and DevSecOps. He is also the co-author of the Container Security Training Program from we45.

Latest revision as of 06:24, 30 December 2019


Attacking and Defending Containerised Apps and Serverless Tech

Two-Day Interactive Training -- OWASP New Zealand Day 2020

Abstract

Both attacking and securing an infrastructure, or applications leveraging containers/serverless technology, require a specific skill set and a deep understanding of the underlying architecture. This training will be extremely hands-on, to help you understand all there is to attack and secure containerised and serverless applications.

Overview

With organisations rapidly moving toward micro-service architectures for their applications, container and serverless technologies seem to be taking over at a rapid rate. Leading container technologies like Docker have risen in popularity and have been widely used, because they have help package and deploy consistent-state applications. Serverless and orchestration technologies, such as Kubernetes, support massive scale-up. This, in turn, can massively increase the overall attack surface, unless security is given the attention required.

Security continues to remain a key challenge that both organisations and security practitioners faced with containerised and serverless deployments. While container-orchestrated deployments may be vulnerable to security threats that plague typical application deployments, they face several specific security threats related to: the containerisation daemon, shared kernel, shared resources, secrets management, insecure configurations, role management issues, and many more! Serverless deployments, on the other hand, face risks such as: insecure serverless deployment configurations, inadequate function monitoring and logging, broken authentication, function event data injection, and insecure application secrets storage. Attacking an infrastructure, or applications leveraging containers and serverless technology, requires a specific skill-set and a deep understanding of the underlying architecture.

This training has been created with the objective of understanding both offensive and defensive security for container-orchestrated and serverless deployments. It will be a two-day program detailing specific theory elements, with extensive hands-on exercises modeling real-world threat scenarios. Attendees will learn ways in which containerised and serverless deployments can be attacked, so they can understand how to make them secure yet scalable, efficient, and effective.

Target Audience

This course is aimed at Developers, DevOps Engineers, Penetration Testers, Security Practitioners, and other who use container or serverless technology as part of their product deployments, and want to gain a good understanding on how to secure their services and deployments.

Course Details

Dates: Wednesday and Thursday, 19-20 February 2020

Time: 8:45 a.m. to 5:30 pm.

Course Fee: NZ $1,250.00 (plus EventBrite fees)

Registration Site: https://owaspnz2020-training.eventbrite.com

Prerequisite Skills:

  • Students should have a basic understanding of Linux environment and know their way around the terminal
  • A basic understanding of ‘OWASP TOP-10 Vulnerabilities’ and ‘Basics of Docker’ will be helpful, but not necessary

Attendees Should Bring:

  • Attendees should bring a laptop, with an updated browser for accessing the lab environment(s). We have observed that Chrome or Firefox works best.
  • All the hands-on labs will be run on cloud environments that can be provisioned on-demand using our lab management system during the training.

Attendees Will Be Provided:

  • All course materials (slides, code, and setup files) will be available to download during the training
  • Access to the lab management system we use for labs, which has been widely appreciated

Instructors: Pavan Kumar and Sharath Kumar Ramdas

Instructors' Organisation: we45

Course Topics

The training includes, but is not limited to, the following topic areas in Container Security and Serverless Deployment:

  • Introduction to Container Technology
  • Deep-dive into Container Technology
  • Introduction to Docker and other container engines
  • Containerised Deployments and Container Orchestration Technologies
  • Container Threat Model
  • Attacking Containers and Security deep-dive
  • Container Orchestration Deep-dive
  • Introduction to Kubernetes
  • Threat Model of Orchestration technologies
  • Attacking Kubernetes
  • Kubernetes Defense-in-Depth and Vulnerability Assessment
  • Logging & Monitoring Orchestrated deployments
  • Introduction to Serverless
  • Deploying Application to AWS Lambda
  • Serverless Threat-Model
  • Attacking a Serverless Stack
  • Serverless Security Deep-dive

Detailed Course Outline

Day 1 - Wednesday

Evolution to Container Technology, and Container Tech Deep-Dive

  • Introduction to Container Technology
    • Namespace
    • Cgroups
    • Mount
  • Hands-on Lab: Setting up a minimal container

Introduction to Containerised Deployments - Understanding and getting comfortable using Docker

  • An introduction to containers
    • LXC and Linux containers
    • Introducing Docker images and containers
  • Deep dive into Docker
    • Docker commands and cheat sheet
    • Hands-on exercises:
      • Docker commands
      • Dockerfile
      • Images
    • Docker Compose
    • Hands-on: Docker Compose commands

Threat Landscape - An Introduction to possible threats and attack surface when using Containers for Deployments

  • Threat model for containerised deployments
    • Daemon-related threats
    • Network-related threats
    • OS and Kernel threats
    • Threats with application libraries
    • Threats from containerised applications
  • Traditional threat modelling for containers, using STRIDE

Attacking and Securing Containers

  • Attacking containers and containerised deployments
  • Hands-on exercises:
    • Container breakout
    • Exploiting insecure configurations
    • OS- and Kernel-level exploits
    • Trojanised Docker image
  • Container security deep dive
  • Hands-on:
    • AppArmor/SecComp
    • Restricting capabilities
    • Analysing Docker images
  • Container security mitigations
  • Hands-on: Container vulnerability assessment
    • Clair
    • Dagda
    • Anchore
    • Docker-bench

Introduction to Kubernetes

  • Understanding Kubernetes components and architecture
  • Hands-on: Exploring Kubernetes Cluster, deploying application to Kubernetes

Day 2 - Thursday

Attacking Kubernetes Cluster

  • Kubernetes threat model
  • Hands-on:
    • Attacking application deployed on Kubernetes
    • Exploiting a vulnerable Kubernetes cluster

Kubernetes security deep dive

  • Kubernetes security mind map
  • Hands-on: Ideal security journey - Kubernetes
    • Pod Security
    • Access Control
    • Secrets Management
  • Hands-on: Kubernetes vulnerability assessment
    • Kube-sec
    • Kube-hunter
    • Kube-bench
  • Hands-on: Logging and monitoring
    • Resource utilisation
    • Malicious behavioural activity monitor

Serverless Introduction

  • Understanding serverless and Function-as-a-Service (FAAS)
  • Introduction to AWS Lambda, and other serverless options
  • Hands-on: Deploying a serverless application

Attacking Serverless Applications

  • OWASP Top 10 for Serverless Applications (PDF)
  • Hands-on: Attacking serverless applications
    • Injection-based attacks
    • Broken authentication attacks
    • Deserialisation attacks
  • Securing serverless applications
    • Identity and access management (IAM)
    • Secrets management
    • Logging and monitoring functions
  • Hands-on: Serverless vulnerability assessment
    • Static code analysis (SCA)
    • Static application security testing (SAST)
    • Dynamic application security testing (DAST)

Your Instructors

Pavan Kumar - Pavan is a Senior Security Lead at we45. He has worked and led multiple penetration testing projects of web, mobile applications, and Infrastructure for Fortune 500 companies in different domains such as data storage, manufacturing and E-commerce. He has done in-depth research on AWS cloud services and is an expert in identifying vulnerabilities related to AWS cloud.

Pavan has identified several critical P1 flaws in private Bug Bounty programs. He has also written custom scripts to automate multiple reconnaissance activities done during audits of applications. He has also conducted trainings and spoken in multiple meetup events on his research associated with new vulnerability discovery and exploits. Pavan participates in multiple CTF events (Defcon, HacktheBox, etc.) and has worked on creating Intentionally Vulnerable Applications for CTF competitions and Secure Code Training.

Sharath Kumar Ramdas - Sharath is the Lead Solutions Engineer at we45. He has architected and developed multiple solutions around security engineering, including an Application Vulnerability Correlation tool called Orchestron. As part of his experience with Application Security, Sharath has developed integrations for multiple security products including DAST, SAST, SCA and Cloud environments.

Sharath has extensive experience with Cloud Deployments and Container Native Deployments. As part of his role in a security organization, he has led teams that have created intentionally vulnerable apps for CTF competitions both inside and outside we45.

Sharath is a speaker at multiple meetups around Cloud, Containers, Python, DevOps and DevSecOps. He is also the co-author of the Container Security Training Program from we45.