Attacking and Defending Containerised Apps and Serverless Tech

Interactive Training -- OWASP New Zealand Day-2020

Abstract

Both attacking and securing an infrastructure, or applications leveraging containers/serverless technology, require a specific skill set and a deep understanding of the underlying architecture. This training will be extremely hands-on, to help you understand all there is to attack and secure containerised and serverless applications.

Overview

With organisations rapidly moving toward micro-service architectures for their applications, container and serverless technologies seem to be taking over at a rapid rate. Leading container technologies like Docker have risen in popularity and have been widely used, because they have help package and deploy consistent-state applications. Serverless and orchestration technologies, such as Kubernetes, support massive scale-up. This, in turn, can massively increase the overall attack surface, unless security is given the attention required.

Security continues to remain a key challenge that both organisations and security practitioners faced with containerised and serverless deployments. While container-orchestrated deployments may be vulnerable to security threats that plague typical application deployments, they face several specific security threats related to: the containerisation daemon, shared kernel, shared resources, secrets management, insecure configurations, role management issues, and many more! Serverless deployments, on the other hand, face risks such as: insecure serverless deployment configurations, inadequate function monitoring and logging, broken authentication, function event data injection, and insecure application secrets storage. Attacking an infrastructure, or applications leveraging containers and serverless technology, requires a specific skill-set and a deep understanding of the underlying architecture.

This training has been created with the objective of understanding both offensive and defensive security for container-orchestrated and serverless deployments. It will be a two-day program detailing specific theory elements, with extensive hands-on exercises modeling real-world threat scenarios. Attendees will learn ways in which containerised and serverless deployments can be attacked, so they can understand how to make them secure yet scalable, efficient, and effective.

Course Topics

The training includes, but is not limited to, the following topic areas in Container Security and Serverless Deployment:

• Introduction to Container Technology
• Deep-dive into Container Technology
• Introduction to Docker and other container engines
• Containerised Deployments and Container Orchestration Technologies
• Container Threat Model
• Attacking Containers and Security deep-dive
• Container Orchestration Deep-dive
• Introduction to Kubernetes
• Threat Model of Orchestration technologies
• Attacking Kubernetes
• Kubernetes Defense-in-Depth and Vulnerability Assessment
• Logging & Monitoring Orchestrated deployments
• Introduction to Serverless
• Deploying Application to AWS Lambda
• Serverless Threat-Model
• Attacking a Serverless Stack
• Serverless Security Deep-dive

Target Audience

Course Details

Date: Thursday, 21 February 2019

Time: 8:45 a.m. to 5:30 pm.

Course Fee: $500.00 (NZD)

Registration Site: https://owaspnz2019-training.eventbrite.com

Location: University of Auckland School of Business, 12 Grafton Road, Auckland - Lower Level

Target Audience: Web Developers, Software Engineers, Application Security Professionals

Skill Level: Basic - All levels are welcome, no prior threat modelling or software development experience is assumed.

Required Materials: A laptop computer is not required for this class. If you wish, you can bring a laptop; power should be available, and WiFi access will be provided. For non-Windows computers, if you would like to install and use the Microsoft Threat Modeling Tool, a virtualisation tool (e.g., Virtual Box) and a Windows virtual machine will be needed.

Materials Provided: Each attendee will receive a copy of Adam Shostack's book Threat Modeling: Designing for Security, a deck of Elevation of Privilege cards, and other printed resources

Instructor: Dr. John DiLeo

Instructor's Organisation: OWASP New Zealand Chapter

Supporting Materials

• Slide Deck (PDF, 4.1 MB)
• Presentation Slides: Adam Shostack - Threat Modeling in 2018 (PDF, adam.shostack.org)
• Presentation by Irene Michlin at AppSec EU 2017 - Incremental Threat Modeling Video (YouTube), Slide Deck (PDF)
• Presentation at AppSec EU 2009 - What Is Threat Modeling? (PPT)
• Presentation at AppSec EU 2009 - Advanced Threat Modeling (PPT)* Software Engineering Institute White Paper - Threat Modeling: A Summary of Available Methods (PDF)
• RSA 2017 Conference Learning Lab - Threat Modeling Demystified (PDF)
• SAFECode White Paper - Tactical Threat Modeling (PDF)
• STRIDE Reference Sheets (PDF, 112 kB), excerpted from Shostack text
• STRIDE Reference Cards (PDF, 5.0 MB), produced and branded by ThoughtWorks
• Microsoft Bug Bar Example (PDF)
• Microsoft's SDL Resource Site
• Download Page for Elevation of Privilege Card Decks
• OWASP Resource Sites:
  • Threat Model Project Home Page
  • Threat Modelling Category Page
  • OWASP Threat Modeling Cheat Sheet (MarkDown, on GitHub)

Your Instructor

Dr. John DiLeo - John is the Auckland-area leader of the OWASP New Zealand Chapter, and is employed as the Application Security Architect at Orion Health, a global company specialising in health information software. In his current role, he is responsible for developing and managing the enterprise's software assurance progamme, with emphasis on governance, secure development practices, and security training. Before specialising in application security, John was active as a Java enterprise architect and Web application developer (mostly Java EE and LAMP). In an earlier life, John had specialised in developing discrete-event simulations of large distributed systems, in a variety of languages - including the Java-based language (FreeSML) he developed as part of his doctoral research. John is also a member of the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, and of the OWASP Application Security Curriculum Project.