Difference between revisions of "OWASP NZ Day 2020-Training-Attacking and Defending Containerised Apps and Serverless Tech"

Revision as of 09:52, 13 December 2019


Attacking and Defending Containerised Apps and Serverless Tech

Two-Day Interactive Training -- OWASP New Zealand Day 2020

Abstract

Attacking and securing infrastructure or applications built on container and serverless technology both require a specific skill set and a deep understanding of the underlying architecture. This training is extremely hands-on, and is designed to help you understand how containerised and serverless applications are attacked and how to secure them.

Overview

As organisations move rapidly toward microservice architectures, container and serverless technologies are being adopted at a similar pace. Container technologies such as Docker have become popular because they package an application and its dependencies into a consistent, reproducible unit of deployment. Serverless platforms and orchestration technologies such as Kubernetes allow those deployments to scale massively. The same properties also enlarge the overall attack surface, unless security is given the attention it requires.

Security remains a key challenge for both organisations and security practitioners working with containerised and serverless deployments. Container-orchestrated deployments are exposed to the same threats as conventional application deployments, and in addition face threats specific to the platform: the container daemon, the shared kernel, shared resources, secrets management, insecure configurations, role and access management, and more. Serverless deployments face risks of their own: insecure deployment configurations, inadequate function monitoring and logging, broken authentication, function event data injection, and insecure storage of application secrets. Attacking infrastructure or applications that use containers and serverless technology therefore requires a specific skill set and a deep understanding of the underlying architecture.

This training covers both offensive and defensive security for container-orchestrated and serverless deployments. The two-day programme combines the necessary theory with extensive hands-on exercises that model real-world threat scenarios. Attendees will learn how containerised and serverless deployments are attacked, and how to make them secure while keeping them scalable, efficient, and effective.

Course Topics

The training includes, but is not limited to, the following topic areas in Container Security and Serverless Deployment:

  • Introduction to Container Technology
  • Deep-dive into Container Technology
  • Introduction to Docker and other container engines
  • Containerised Deployments and Container Orchestration Technologies
  • Container Threat Model
  • Attacking Containers and Security deep-dive
  • Container Orchestration Deep-dive
  • Introduction to Kubernetes
  • Threat Model of Orchestration technologies
  • Attacking Kubernetes
  • Kubernetes Defense-in-Depth and Vulnerability Assessment
  • Logging & Monitoring Orchestrated deployments
  • Introduction to Serverless
  • Deploying Application to AWS Lambda
  • Serverless Threat-Model
  • Attacking a Serverless Stack
  • Serverless Security Deep-dive

Target Audience

This course is aimed at Developers, DevOps Engineers, Penetration Testers, Security Practitioners, and others who use container or serverless technology as part of their product deployments and want to gain a good understanding of how to secure their services and deployments.

Course Details

Dates: Wednesday and Thursday, 19-20 February 2020

Time: 8:45 a.m. to 5:30 p.m.

Course Fee: $1,250.00 (NZD)

Registration Site: https://owaspnz2020-training.eventbrite.com

Prerequisite Skills:

  • Students should have a basic understanding of the Linux environment and know their way around the terminal
  • A basic understanding of the OWASP Top 10 vulnerabilities and of Docker basics will be helpful, but is not necessary

Attendees Should Bring:

  • Attendees should bring a laptop with an up-to-date browser for accessing the lab environment(s). We have observed that Chrome or Firefox work best.
  • All the hands-on labs will be run on cloud environments that can be provisioned on-demand using our lab management system during the training.

Attendees Will Be Provided:

  • All course materials (slides, code, and setup files) will be available to download during the training
  • Access to the lab management system we use for labs, which has been widely appreciated

Instructors: Nithin Jois and Sharath Kumar Ramdas

Instructors' Organisation: we45

Detailed Course Outline

Day 1 - Wednesday

Evolution to Container Technology, and Container Tech Deep-Dive

  • Introduction to Container Technology
    • Namespaces
    • Cgroups
    • Mount
  • Hands-on Lab: Setting up a minimal container

Introduction to Containerised Deployments - Understanding and getting comfortable using Docker

  • An introduction to containers
    • LXC and Linux containers
    • Introducing Docker images and containers
  • Deep dive into Docker
    • Docker commands and cheat sheet
    • Hands-on exercises:
      • Docker commands
      • Dockerfile
      • Images
    • Docker Compose
    • Hands-on: Docker Compose commands

Threat Landscape - An Introduction to possible threats and attack surface when using Containers for Deployments

  • Threat model for containerised deployments
    • Daemon-related threats
    • Network-related threats
    • OS and Kernel threats
    • Threats with application libraries
    • Threats from containerised applications
  • Traditional threat modelling for containers, using STRIDE

Attacking and Securing Containers

  • Attacking containers and containerised deployments
  • Hands-on exercises:
    • Container breakout
    • Exploiting insecure configurations
    • OS- and Kernel-level exploits
    • Trojanised Docker image
  • Container security deep dive
  • Hands-on:
    • AppArmor/SecComp
    • Restricting capabilities
    • Analysing Docker images
  • Container security mitigations
  • Hands-on: Container vulnerability assessment
    • Clair
    • Dagda
    • Anchore
    • Docker-bench
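As an added illustration of the "Exploiting insecure configurations" and "Restricting capabilities" items above (example code written for this page, not course material from we45), the following Python script audits `docker inspect` records for the run-time settings most often behind a container breakout: privileged mode, host PID or network namespace, added capabilities such as SYS_ADMIN, seccomp or AppArmor switched off, and a bind-mounted Docker socket. The two container records are constructed to mimic `docker inspect` output and contain only the HostConfig fields the checks read.

```python
"""Audit `docker inspect` records for run-time settings that weaken
container isolation.

Added example for this page, not course material. RISKY and HARDENED are
constructed to mimic `docker inspect <container>` output and contain only
the HostConfig fields the checks read.
"""

# Constructed record: roughly what you get after
#   docker run --privileged --pid=host --cap-add SYS_ADMIN \
#     --security-opt seccomp=unconfined \
#     -v /var/run/docker.sock:/var/run/docker.sock legacy-agent
RISKY = {
    "Id": "c0ffee",
    "Name": "/legacy-agent",
    "HostConfig": {
        "Privileged": True,
        "PidMode": "host",
        "NetworkMode": "default",
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": None,
        "SecurityOpt": ["seccomp=unconfined"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        "ReadonlyRootfs": False,
    },
}

# Constructed record: the same service started with
#   docker run --cap-drop ALL --security-opt no-new-privileges --read-only agent
HARDENED = {
    "Id": "decaf0",
    "Name": "/agent",
    "HostConfig": {
        "Privileged": False,
        "PidMode": "",
        "NetworkMode": "default",
        "CapAdd": None,
        "CapDrop": ["ALL"],
        "SecurityOpt": ["no-new-privileges"],
        "Binds": None,
        "ReadonlyRootfs": True,
    },
}

# Capabilities that give a root process in the container a direct route to the host.
BREAKOUT_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO", "DAC_READ_SEARCH", "NET_ADMIN"}
SENSITIVE_HOST_PATHS = {"/", "/etc", "/proc", "/sys", "/dev", "/root", "/var/lib/docker"}


def _cap(name):
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def audit_container(record):
    """Return a list of (severity, finding) tuples for one docker inspect record."""
    hc = record.get("HostConfig") or {}
    findings = []

    if hc.get("Privileged"):
        findings.append(("HIGH", "--privileged: all capabilities, raw device access, no seccomp/AppArmor"))
    if hc.get("PidMode") == "host":
        findings.append(("HIGH", "--pid=host: host processes visible and ptrace-able"))
    if hc.get("NetworkMode") == "host":
        findings.append(("MEDIUM", "--net=host: no network namespace isolation"))

    for cap in sorted(BREAKOUT_CAPS & {_cap(c) for c in (hc.get("CapAdd") or [])}):
        findings.append(("HIGH", f"--cap-add {cap}: well-known container breakout primitive"))
    if "ALL" not in {_cap(c) for c in (hc.get("CapDrop") or [])}:
        findings.append(("LOW", "default capability set kept; prefer --cap-drop ALL and add back only what is needed"))

    sec_opts = {o.lower() for o in (hc.get("SecurityOpt") or [])}
    if "seccomp=unconfined" in sec_opts:
        findings.append(("HIGH", "seccomp=unconfined: every syscall reaches the shared kernel"))
    if "apparmor=unconfined" in sec_opts:
        findings.append(("MEDIUM", "apparmor=unconfined: no mandatory access control profile"))
    if not sec_opts & {"no-new-privileges", "no-new-privileges:true"}:
        findings.append(("LOW", "no-new-privileges not set; setuid binaries can regain privileges"))

    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0].rstrip("/") or "/"
        if src == "/var/run/docker.sock":
            findings.append(("HIGH", "Docker socket mounted: container can start a privileged container on the host"))
        elif src in SENSITIVE_HOST_PATHS:
            findings.append(("HIGH", f"sensitive host path {src} bind-mounted"))

    if not hc.get("ReadonlyRootfs"):
        findings.append(("LOW", "root filesystem writable; consider --read-only with tmpfs for scratch dirs"))
    return findings


def audit_all(records):
    """Map container name -> findings, e.g. over json.loads(docker inspect $(docker ps -q))."""
    return {r["Name"].lstrip("/"): audit_container(r) for r in records}


if __name__ == "__main__":
    for name, findings in audit_all([RISKY, HARDENED]).items():
        print(f"{name}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

On a real host, feed it `docker inspect $(docker ps -q)` parsed with `json.loads`; the checks cover the same ground as the Docker-bench host-configuration section, but are small enough to reason about when you need to explain to a developer why a particular flag is a breakout path rather than a hardening inconvenience.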

Introduction to Kubernetes

  • Understanding Kubernetes components and architecture
  • Hands-on: Exploring Kubernetes Cluster, deploying application to Kubernetes

Day 2 - Thursday

Attacking Kubernetes Cluster

  • Kubernetes threat model
  • Hands-on:
    • Attacking application deployed on Kubernetes
    • Exploiting a vulnerable Kubernetes cluster

Kubernetes security deep dive

  • Kubernetes security mind map
  • Hands-on: Ideal security journey - Kubernetes
    • Pod Security
    • Access Control
    • Secrets Management
  • Hands-on: Kubernetes vulnerability assessment
    • Kubesec
    • Kube-hunter
    • Kube-bench
  • Hands-on: Logging and monitoring
    • Resource utilisation
    • Malicious behavioural activity monitor
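To make the "Access Control" item above concrete, here is an added example (written for this page, not course material) that walks Kubernetes RBAC objects, resolves each binding to the rules of its role, and reports grants that let a compromised pod or CI job escalate: wildcard rules, Secret reads, pods/exec, workload creation, RBAC self-modification, and anything bound to the default ServiceAccount or to the system:unauthenticated group. SAMPLE_OBJECTS is a constructed subset of a `kubectl get ... -o json` export.

```python
"""Audit Kubernetes RBAC for grants a compromised pod or CI job could use
to escalate to cluster admin.

Added example for this page, not course material. SAMPLE_OBJECTS is a
constructed subset of the `.items` returned by
`kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`;
only the fields the checks read are present.
"""

SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    # A CI runner granted cluster-admin "to make deployments work".
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    # The namespace's default ServiceAccount can read that namespace's Secrets.
    {"kind": "RoleBinding", "metadata": {"name": "read-secrets", "namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "payments"}]},
    # Pod listing exposed to unauthenticated callers.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-pods"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    # A namespaced read-only grant to a named user: nothing to report.
    {"kind": "RoleBinding", "metadata": {"name": "dev-view", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

# (resources, verbs, reason): a rule granting any listed verb on any listed
# resource, or a wildcard covering them, is reported with the reason.
DANGEROUS_GRANTS = [
    ({"*"}, {"*"}, "wildcard resources and verbs: cluster-admin equivalent"),
    ({"secrets"}, {"get", "list", "watch"}, "can read Secrets, including service-account tokens"),
    ({"pods/exec", "pods/attach"}, {"create"}, "can exec into running pods"),
    ({"pods", "deployments", "daemonsets"}, {"create", "update", "patch"},
     "can create workloads (hostPath mounts, privileged pods, token theft)"),
    ({"roles", "rolebindings", "clusterroles", "clusterrolebindings"},
     {"create", "update", "patch", "bind", "escalate"}, "can grant itself more RBAC"),
    ({"nodes/proxy"}, {"get", "create"}, "can reach the kubelet API with the API server's identity"),
]
ANONYMOUS_GROUPS = {"system:unauthenticated", "system:authenticated"}


def _rule_grants(rule, resources, verbs):
    """True if one PolicyRule grants any of `verbs` on any of `resources`."""
    rule_res, rule_verbs = set(rule.get("resources") or []), set(rule.get("verbs") or [])
    return ("*" in rule_res or bool(rule_res & resources)) and ("*" in rule_verbs or bool(rule_verbs & verbs))


def _subject_id(subject):
    ns = subject.get("namespace")
    return f'{subject["kind"]}:{ns + "/" if ns else ""}{subject["name"]}'


def audit_rbac(objects):
    """Return (severity, subject, binding, reason) for every risky grant."""
    roles = {}
    for obj in objects:
        if obj["kind"] in ("ClusterRole", "Role"):
            meta = obj["metadata"]
            roles[(obj["kind"], meta.get("namespace", ""), meta["name"])] = obj.get("rules") or []

    findings = []
    for obj in objects:
        if obj["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        meta, ref = obj["metadata"], obj["roleRef"]
        ns = meta.get("namespace", "")
        cluster_wide = obj["kind"] == "ClusterRoleBinding"
        # A RoleBinding may reference a ClusterRole; the grant is then limited to the namespace.
        rules = roles.get((ref["kind"], "" if ref["kind"] == "ClusterRole" else ns, ref["name"]), [])
        binding = f'{obj["kind"]}/{ns + "/" if ns else ""}{meta["name"]}'

        reasons = []
        if not rules and ref["name"] == "cluster-admin":  # role absent from the export
            reasons.append(("HIGH", "binds the built-in cluster-admin role"))
        for resources, verbs, why in DANGEROUS_GRANTS:
            if any(_rule_grants(r, resources, verbs) for r in rules):
                reasons.append(("HIGH" if cluster_wide else "MEDIUM", why))
                if resources == {"*"}:
                    break  # already full admin; the finer-grained reasons are implied

        for subject in obj.get("subjects") or []:
            sid = _subject_id(subject)
            if (subject["kind"] == "Group" and subject["name"] in ANONYMOUS_GROUPS
                    and any(r.get("resources") for r in rules)):
                findings.append(("HIGH", sid, binding, "API resources granted to an anonymous/all-users group"))
            if subject["kind"] == "ServiceAccount" and subject["name"] == "default" and reasons:
                findings.append(("MEDIUM", sid, binding, "default ServiceAccount: its token is mounted into every pod that does not opt out"))
            findings.extend((sev, sid, binding, why) for sev, why in reasons)
    return findings


if __name__ == "__main__":
    for severity, subject, binding, reason in audit_rbac(SAMPLE_OBJECTS):
        print(f"[{severity}] {subject} via {binding}: {reason}")
```

The point the output makes is that the dangerous grant is rarely the role itself but the binding: `secret-reader` is harmless until it lands on the `default` ServiceAccount that every pod in the namespace receives unless `automountServiceAccountToken: false` is set. Aggregated ClusterRoles and the built-in `system:discovery` binding to `system:authenticated` are the usual sources of noise to allow-list when running this against a live export.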

Serverless Introduction

  • Understanding serverless and Function-as-a-Service (FaaS)
  • Introduction to AWS Lambda, and other serverless options
  • Hands-on: Deploying a serverless application

Attacking Serverless Applications

  • OWASP Top 10 for Serverless Applications (PDF)
  • Hands-on: Attacking serverless applications
    • Injection-based attacks
    • Broken authentication attacks
    • Deserialisation attacks
  • Securing serverless applications
    • Identity and access management (IAM)
    • Secrets management
    • Logging and monitoring functions
  • Hands-on: Serverless vulnerability assessment
    • Software composition analysis (SCA)
    • Static application security testing (SAST)
    • Dynamic application security testing (DAST)
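The "function event data injection" risk named in the Overview and the "Injection-based attacks" lab above, as an added example (written for this page, not the course's lab code): a Lambda-style handler behind API Gateway that interpolates a query-string parameter into SQL, beside the fixed handler that validates the parameter and binds it. The API Gateway event and the SQLite table are constructed for the example; a real function would talk to RDS or DynamoDB, but the injection pattern and the fix are the same.

```python
"""Function event data injection in an AWS Lambda handler, vulnerable
handler beside the fixed one.

Added example for this page, not course material. make_event() builds a
constructed API Gateway proxy event with only the fields used here, and
_db() is an in-memory SQLite stand-in for the function's datastore.
"""
import json
import sqlite3


def _db():
    """Constructed sample data: three customers' orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders (customer, total) VALUES (?, ?)",
                     [("alice", 120.0), ("bob", 75.5), ("carol", 999.0)])
    return conn


def make_event(customer):
    """API Gateway (REST proxy) event shape, trimmed to the fields the handlers read."""
    return {"httpMethod": "GET", "path": "/orders", "queryStringParameters": {"customer": customer}}


def vulnerable_handler(event, context=None, conn=None):
    """Interpolates untrusted event data into SQL: any caller can dump every row."""
    conn = conn or _db()
    customer = (event.get("queryStringParameters") or {}).get("customer", "")
    sql = f"SELECT id, customer, total FROM orders WHERE customer = '{customer}'"  # injection point
    rows = conn.execute(sql).fetchall()
    return {"statusCode": 200, "body": json.dumps(rows)}


def fixed_handler(event, context=None, conn=None):
    """Allow-lists the parameter and binds it, so event data can never become SQL."""
    conn = conn or _db()
    customer = (event.get("queryStringParameters") or {}).get("customer", "")
    if not (1 <= len(customer) <= 64 and customer.isalnum()):
        return {"statusCode": 400, "body": json.dumps({"error": "invalid customer"})}
    rows = conn.execute("SELECT id, customer, total FROM orders WHERE customer = ?", (customer,)).fetchall()
    return {"statusCode": 200, "body": json.dumps(rows)}


# Classic tautology payload, URL-decoded as API Gateway delivers it to the function.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both handlers against a legitimate and a malicious event."""
    legit, attack = make_event("alice"), make_event(PAYLOAD)
    return {
        "vuln_legit": json.loads(vulnerable_handler(legit)["body"]),
        "vuln_attack": json.loads(vulnerable_handler(attack)["body"]),
        "fixed_legit": json.loads(fixed_handler(legit)["body"]),
        "fixed_attack_status": fixed_handler(attack)["statusCode"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Parameter binding is the fix; the allow-list is defence in depth and also keeps the payload out of the function's logs. Note that API Gateway, event-source mappings and the Lambda runtime perform no input validation of their own, so the function sees the attacker's bytes exactly as sent, which is why the OWASP Serverless Top 10 puts event data injection first. The same interpolation mistake appears with NoSQL filters, OS commands built from event fields, and object keys used in IAM-scoped S3 calls.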

Your Instructors

Nithin Jois - Nithin is a Solutions Engineer at we45, an application-security-focused company. He has helped build 'Orchestron,' a leading Application Vulnerability Correlation and Orchestration Framework, and is experienced in taking containerised deployments securely to production. Nithin and his team have used the Docker APIs as a cornerstone of most of the security platforms developed at we45, and he has also helped clients deploy their applications securely. Nithin is a passionate open-source enthusiast and is the co-lead developer of ThreatPlaybook, an open-source framework that marries threat modelling as code with application security automation on a single fabric. He has also written multiple libraries that complement ThreatPlaybook.

Nithin is an automation junkie who has built scalable scanner integrations that leverage containers to the hilt, and is passionate about security, containers, and serverless technology. He speaks at Meetup groups, webinars, and training sessions. He participates in multiple CTF events and has created intentionally vulnerable applications for CTF competitions and secure coding training. Nithin has spoken and presented training at numerous events, including Global AppSec DC (2019), AppSec USA (2018), LASCON (2018), AppSec Cali (2019 and 2020), and CODE BLUE (Japan). In his spare time, he loves reading about personal finance, leadership, fitness, cryptocurrency, and similar topics. Nithin is an avid traveller and loves sharing stories over a cup of hot coffee.

Sharath Kumar Ramdas