
Serverless Security: New world. New war.

BSides CT · 2018 · 57:03 · 101 views · Published 2018-11
Category: Technical
Style: Talk
About this talk
The revolution came and went. No shots were fired, but lots of chaos ensued. The move to serverless has made some things better and some things worse, but pretty much nothing has stayed the same. When adopting serverless technology, we eliminate the need to manage a server for our application. By doing so, we also pass some of the security threats to the infrastructure provider. But does that mean our applications are now safer? Or are we still vulnerable to the same traditional attacks? In the unruled land of serverless, both defenders and attackers must start thinking differently to gain the upper hand. Are you going to be on the right side of it when the perimeter is lifted?
Transcript [en]

All right, thank you everyone for coming to BSides. Hope everyone enjoyed the lunch and saw John's tool there, the SSH grabber; that's pretty fancy. But I would like to introduce our next speaker. We are getting started a couple of minutes early, but that's okay. His name is Tal Melamed and he's the director of security research at Protego. So, welcome.

Thank you, thanks Ed. Can you hear me all right? Okay, so hi everyone, thanks for coming. My name is Tal. I just moved to Connecticut from Israel, via Italy. I've been in the Israeli cyber security industry for a while; I worked for companies like Check Point, AppSec, AK and more. Recently I just moved to New Haven, Connecticut, so the weather is different, so I got a cold. And thanks for having me, nice seeing all the Connecticut security scene here. I specialize in application security: I started 15 years ago with web applications, moved to client, mobile, IoT and now serverless. But what is serverless? We'll see in a second. If you would like to follow me, I'm pretty active on social media. Currently I'm the director of security research at a company called Protego Labs, or Protego. We're a serverless security startup based in Jerusalem, Israel, and we have a serverless security solution. I won't show the product, but we'll talk about it in a

second. Right, so let's start with what the hell is serverless. Has anyone here heard about serverless? One. Okay, that's about what I thought, so pretty much no one knows what serverless is. Did any of you actually write a Lambda function or something like that? Okay, yeah, we have a winner. So as you see, no one really knows it. I'll start by explaining what it means. Back in the 90s, or even before that, we started with on-premise applications, where you took everything and had it on site. Then we moved on; I won't go through all of them, you all know that. I'll make a quick stop on containers, which everybody has heard of, and see that when we moved to containers we could eliminate all the need to control operating systems and virtualization and provisioning and, of course, the networks. The service came in that box called a container, but we still need to patch it, to set it up, to see what's inside, to know how to scale it, and it's still a lot of DevOps, or a lot of operations, and also security. So we moved to serverless, which is kind of new, just introduced first in 2016 by AWS. We got a technology that allows us to write code, and that's it, maybe just a few configuration requirements, so how much memory do you want for the function, et cetera, but that's it. So it allows companies, especially startups that have an idea, to come right up, write code or their application logic, and have it launched in a few days, not having to deal with anything related to scalability, monitoring, patching or anything like that, since cloud providers already take care of that. All you need to do is write your code.

Okay, what is serverless, who are the providers? All the big companies; this is why we know it's a thing, because Azure, AWS, Google, just joined by IBM with OpenWhisk, and some other companies now allow that. So they are the

infrastructure providers, and they have their console or their APIs to just come up, write function code and launch your application. Who are the early adopters, or the first adopters, of the technology? We have some big companies: Netflix is very strong on that, Expedia with other sub-companies, also a bank, one of the biggest, Coca-Cola, iRobot, the Zone and some more big companies. You see that it's a little tough to move; I mean there are a lot of startups that are starting with it because it's easier to just start with it, but it's a little tougher transition to move to serverless, because you already have your servers, you need to refine your code and do some changes around that. But there are some big companies doing that also. This is also how we see that it goes further. This is a Google Trends graph. If we start back in 2016 it has a graph that goes up, but like always, even if it's a new technology, and we thought that we've learned from past experience, I'll just type "serverless security", right, so no one, and probably that is me doing the research or something like that. But just to make you understand how new serverless is and what we are doing here, I'll just write "docker" here, like the biggest container thing, and we'll get things in perspective. So containers, right, everyone goes with containers; we just started. So we see ourselves as ahead of the curve. This is also what we see from customers and people that would use serverless in general: they're just experimenting with it. There are some companies, as I showed, that are already all in, but most of them are just experimenting with the technology, thinking about moving eventually, but they're starting with a small project and seeing how it goes.

Okay, so what are the serverless basics, why move to serverless? Apart from what I already told you, the infrastructure scales to zero, you don't have to deal with anything; everything in the infrastructure is built in, you just need to know how to use it. Also, one of the serverless basics is that you pay only for what you use. So you can write an application, have it up and running, and if no one ever uses it you don't pay; you pay only for the invocations of your application. So suddenly there is some traffic into your application, you pay a few cents for every call, and when it goes higher you probably start seeing your payment increase, but also your application traffic. This is how it works with serverless. Okay, so the

architecture, as I mentioned: you actually go and write functions, functions like code, but they are called functions because each of them is supposed to, or the architecture is intended for, microservices. That means that you go and you write simple code in each of the functions. Also, functions can only run for up to 15 minutes, or 5 minutes, depending on the underlying infrastructure. So you write a short piece of code that does the specific thing this function needs to do, and then you start building your application with hundreds of functions and services and resources. It's not only functions: you can use databases, cloud storage, etc. And I'll just mention, maybe you heard of it, it's called ephemeral and stateless. Each function, when it goes up, when it runs, has no notion of what's going on besides, yeah, on the application level. So it is really stateless, it knows nothing about anything; it just runs, does its job and then dies. Ephemeral means that when the function, or the code, finishes executing, it just dies, and the container that was loading this function (you don't have to deal with these containers, they're managed by the cloud provider) dies with it. So there is no after-function or before-function, it's just the function, what it does, and that's it. And the operations are also one of the reasons that people and companies move there, because it really minimizes the DevOps. We will talk more about the security aspect of it, but imagine that you don't have to deal with anything related to infrastructure; that gives you a very high velocity of development.

Okay, why is security here any different? We'll read about it and we'll talk about it in a few seconds. So let's do a quick gap analysis. What are the cons? There are no servers. So now I'm talking security, right; I just moved from what is serverless to security.

There are no servers, so where do we deploy things? We want to monitor the network, we want to scan it, we want to put a firewall, we want to put an IPS, IDS, whatever we want; where do we put it? We can't, because it's not ours. So this is a kind of a con. No perimeter: if we think of what we know of the traditional application, the monolithic application, we know it could be any type of network that it uses, but usually it just goes one way. So it could be HTTP, TCP/IP, any proprietary network, but it always comes from the client to the server through that port, or yeah, that network interface. But in serverless that is gone. I mean it's not gone, but it's just one out of many. Serverless, that's one of the things about it, allows you to run functions based on events, and the events could be anything. It could be an email received, it could be a file that was uploaded, a line in a specific table that changed will trigger your functions. Where do you put your security control, your network control, between those? You don't have it. You don't control the network between the email service (there is no server for the email service) or the database service, so DynamoDB, or cloud storage, so Azure Blob or an S3 bucket. You don't have that security, the network between them, so you don't control it. Well, that gives us more complexity, because the application architecture is different: you don't have one way in, you have multiple ways in, and everything triggers a new event or new code in your application. And the high velocity of the development makes it even harder for the security person to cope with it. So imagine that a dev team wrote a feature and now wants to test your firewall against it, to see that it matches but doesn't do much on false positives, so it takes a few days, maybe in staging. But here the velocity is very high, so every day every developer on their own writes their own function. How do you deal with 100 different functions that have different triggers or different entry points in one day, or a week, or whatever your development cycles are? So that makes it hard. But there are many pros. So yeah, no servers: you don't have to deal with that anymore. Every time I had an idea and I wanted to write code, I thought: patch, make sure that it's okay, how do I scale it; you don't have to deal with it anymore. So, the fine-grained, as I told,

as I said, the architecture is built for microservices, and this gives us, if you think about it, a really fine-grained view of what each function should do in your system. Not only in terms of code, because the security person or the security manager doesn't have to understand what each function does in terms of code, but they can understand what the function is doing in the system. It could also help you fine-grain your application and make your security tight around it. Transparency: if you download a container image, you don't know what's inside. You know what you need, but maybe there are hundreds of other things, services and ports open besides it, I don't know, like SSH or whatever, and you have to look for it and see that you don't have backdoors into your system or open ports that you don't need. But here it's different, because you don't need to deal with that. You know that you need an API gateway, so you have an API gateway; you need a DynamoDB table, or any other database, or a cloud storage, this is what you get. You don't have to look for other things, because you don't deal with any type of container, you just deal with the code.

Right, so there are a few big challenges, and we'll discuss a few of them. Let's take a code example. This code uses AWS, which is by far the biggest serverless provider, but it could be anything else. What this function is doing is very, very simple: it reads a file. So it is triggered by an event, let's say of a file uploaded, or a file created, and it goes to the bucket that triggered it, takes the file name and reads it. It doesn't matter what it needs to do. So I talked about fine-grained application, or fine-grained security; let's see the

process of what we could do to make it fine-grained. So the first stage: your developer wrote this code, and you go and tell him, right, you need to provide a permission for this specific function. I mentioned that you need to provide a permission for each of the functions separately; that makes it hard in one way, but could allow you to fine-grain it to a very tight attack surface. So you tell your developer, go read the documentation and bring the right permission for the function. So the developer goes to the AWS examples, which is actually what this is, and brings this. They are going to give this policy to the function, and what this policy means is that it allows the function (this is the permission of the function) to use any S3 action, any action inside the S3 service. The wildcard means everything: so the action could be file upload, file read, change permissions, download, rewrite, delete, whatever you can think about for storage, and it allows the function to do everything. And this resource also has a wildcard, which means that the function can do anything to any cloud storage in the account. So imagine that you have, I don't know, let's keep it small, ten cloud storages that your application deals with, and this function can do anything, including deleting them or changing the permissions, making them public, to any of these cloud storages. That means that if someone managed to hack, or to have access to, or to exploit this function, they can cause really big problems in your application; we'll see later how it really goes. So you go and say, hey, what is this, bring me some security into that. So the developer goes and takes this, reads further, and says, I only need to deal with a specific bucket, why do I need the wildcard? And he says, I found a solution. So now I will allow this function to do everything, but only to this specific bucket. So the function, by the infrastructure, and you didn't have to deal with it, now cannot deal with any other cloud storage. That means that even if someone exploited the function, they cannot do anything to a different cloud storage. But that's not enough, because you're a security person, and you say, why do you need to delete? Why do you need to be able to delete or upload files? You just need to read files. So you go ahead and find the best solution, which is this: the privilege is only GetObject for this specific bucket. So even if the function is exploited, you can only read a file from this bucket. So that's great, but how do you do that for

hundreds of functions every week? Wow, you are really gone. And this is just one simple event; S3 is very common, but there are hundreds of services and about four hundred, five thousand actions in total. How do you dig into that and find the specific action, for all of it, for everything? So the only solution that we see is automating it. I won't show it, but we provide an ability to automate that; if you're interested in that, come to me later and I'll discuss it further. And other challenges: as I said, the velocity gives you hundreds and thousands of resources in your account. How do you deal with all of the security? You need observability, and the solution here is to know how to use all the infrastructure, or the service provider's resources. So there are logs and there are reports for everything, in graphs, in metrics, but you need to know how to use them in order to understand what is going on in your application.

Okay, let's talk about another challenge, which is big. We mentioned no perimeter, so no one perimeter. In the monolithic application everything came from one point; in serverless you can't. So imagine this is some kind of a simple application architecture: the attacker can come from the API gateway and trigger your function, but they can also upload a file to the S3 bucket, or any cloud storage, which will trigger a function, and they can also write something that will be written to a log, which will trigger a function. So eventually you don't know where the entry point for the attacker is; it could be anything in the application, and you need to worry about that. So what we do is give you both security and observability into your account. You cannot put a firewall, right, so how do you protect against, I don't know, SQL injection, cross-site scripting, path traversal or any other attack? How do you protect it? The only way that we see to do it is to run the protection inside your function, within your function. So we don't actually change your code, but if you can invoke us, like import us as part of your code, we can instrument the function, or get a hold of the operating system, or let's say the container run by the service provider, and that gives you visibility there. So we can stop malicious traffic, we can see if the function is over-privileged, we can see if the function suddenly tries to connect to a pastebin or anything that we suspect is different. We also learn, as I said, fine-grained, we also learn the behavior of each function, so we can actually

profile it and see that it needs to do only a certain thing. But let's see now how an attack, a serverless attack, would look. So we have a setup here that is a Slack channel, let's say the sales Slack channel or the support Slack channel, and the user interacts with it. When the user writes a message into Slack, it goes to the Slack API, and I configured the application so that it will go to my API gateway. So if you look at number 3 here, the API gateway is the trigger for the Lambda function, or the start of the process of this application, which is a serverless Slack chat bot. So when you type a message, this bot tries to understand what you're talking about and to respond accordingly. After the bot understood, or let's say decided, how to reply, it writes everything to a DynamoDB database, just for the record, and then sends it back to Slack, which will eventually appear on the Slack channel. So let's see: the attacker can come here from Slack, of course, this is the Slack channel, but it can also send requests directly to the Slack API, or directly to the API gateway, and we'll see how that goes. Right, so the attack steps are going to be: first I'm gonna validate the vulnerability, then I'm gonna extract the source code, which is fun in serverless, read some environment variables, which usually hold the secrets for your application, and persist it in the function, and then steal some stuff. So let's do that.

All right, yeah, so here is my Slack channel, and there is a Slack bot behind it, and I can write and it replies; everything in our conversation is going to the database. So first things first, let's just see that it's vulnerable. What we have here is a function where the code is okay: there is no security gap in the code itself that the developer wrote me, but I imported a dependency that has a known vulnerability. I used the known node-serialize library. I did not write bad code, I just imported this library and I used its function, its methods, but the code of the library is vulnerable, and it allows you to write code and run it inside the function. I'll show you that, it would be easier.

Right, so I have a function, and I have a vulnerable dependency, which is node-serialize in this version, and we'll get to it later. The function also has a permission, an excessive permission role, which is DynamoDB wildcard; as I mentioned earlier, the wildcard allows us to do everything inside DynamoDB. So after we know these two facts, let's exploit it. First I'm gonna launch an ngrok HTTP tunnel into my computer, and I'm gonna take this subdomain. Forgive me for having these payloads ready for me, but you can find them: if you know that it's a node-serialize vulnerability and you write "node serialize" in Google, you're gonna get this type of payload. So it's not that I wrote something new here. What I'm gonna do here is send this payload, which you can see here; what it does is require child_process, exec. So I'm going to run a child process inside the function, and I'm gonna eventually do a curl into my computer, which is the ngrok that I just launched. So far nothing related to serverless, other than the function being a serverless function. So when I send it, I got it into my computer: this curl request was launched from the container in which the function runs. When I say container, I mean the serverless, or the service provider, runs a container: when you call the function, it runs a container, runs the code and then brings everything down, and you don't have to deal with anything; they are containers, you just write the function. So first thing, I just realized that it's vulnerable. Now let's do some attacks related to serverless. So I'm going to take this, the second

and here what I'm doing is opening another child process, same destination, my computer, only this time I'm gonna do a tar. So I'm gonna grab all the source code which is located in the current folder, apart from the node_modules, which I don't need, basically wrap them, tar.gz them and curl them to me. Of course there are hundreds of other ways to do that, but this is an easy one. So in serverless the code runs, or the code is located, inside the container, because the service provider took this code, loads it into memory and runs it. This is how it works. That also means that if someone has access to your environment, then they can steal the source code. Fun. So yeah, this request came in, victim source; let's see what it has inside. Right, so this is the basics: I don't need that anymore, so let's just echo, base64 decode into victim.tgz, and then just open it, and we have the index.js inside. So this is the function code that runs in your backend, let's call it. You can see that the file is protected with the Protego solution; the reason that things weren't blocked is because the function is in alert mode at the moment, but that's not important. What we need to do is investigate the code. Now, apart from the fact that we now have some backend code, we can now trigger a more accurate attack against the function. So if we look here we'll see the brain of the bot: in case it finds this, it works, it will answer like that, etc. But the more interesting thing is that here we can see the function, or the part of the function, that sends the messages back. So if you can see here, I have an HTTP request to api/chat.postMessage on slack.com, this is the part, and in order to respond to the right channel we have all these environment variables here, which are the channel and the text itself, and then the bot token, and then the bot user, and then the icon of the bot. So these are all nice; I cannot steal them, like steal them, because they are environment variables; well, I can, but not like that. But if I run the code inside the context of the function, then I can just use them. So what I'm gonna do here: no more curls, the function writes into Slack, right, so why do I need curl anymore? So I'm gonna have a third payload here. I'm not gonna use a child process

because I don't need that anymore. What I'm gonna do here is require http, and then I'm gonna send a request to slack.com. I separated them just because Slack would treat URLs in a different way, so it will go and bring the image, like Skype etc., so I just split them so Slack will not understand it's a URL, but it doesn't really matter. And then I'm gonna use the same variables: so process.env is the environment variables, channel and then the token and then the user. And now I'm gonna launch this, and you can see the icon here, right, this is the icon of the chat bot. So when I run this I'm gonna have a different icon for the Slack bot, because I just switched the URL that the request will be sent with, and then I stole the original one. So I can do the same thing with the channel and get the channel, which is the Slack chat channel, that's the Slack channel, and I can do the same with the username, which is also Slack, not really interesting, but I can also do it with the token, which I won't, because I don't want you to copy it; I'll set it with this. So till now I just read the code and then I managed to exploit it. So think about it like that: now nothing really bad happened, because I'm talking with my own chat bot, but if this chat backend is multi-tenant, now I can interact with different users and write messages to them. So if someone else installed my Slack chat bot, I can steal their data. So now I showed you that the function has over-permissive, or redundant, permissions, which allow it to do anything on the database, which is DynamoDB, when in fact it only needs PutItem, which is the write, because the function only writes everything to the database. Why does it need a wildcard? It doesn't. And let's see how I exploit that. So that's gonna be the last one for now, sorry.

Right, so there's a fourth payload. Again, what I'm gonna do here is require aws-sdk, so I'm gonna use the actual SDK of the provider, require http for it to send a request, and then what I'm gonna do is a DynamoDB, this is part of the SDK, so it's DynamoDB.DocumentClient.scan. The scan is actually just getting the data out of the database, so scan everything, and the table name is gonna be the DynamoDB table, which is an environment variable; these things don't matter. And then I'm gonna send everything back to Slack, like I did before, and when I press this I'm gonna see everything out of the DynamoDB database. In this case, you know, we could prevent that: if we could just give the function the PutItem permission, then even if the attacker has done that, we could prevent it just by changing the permissions. It's just like any other application: if you can block at the permission level, then even if the attacker tries to exploit it, it cannot. So we could do that, but we didn't, so we ended up with this. This is a type of injection attack for serverless. The attack is not new, everyone knows code injection, but the attack vectors are a little different, because here you have a few different vectors. First, you can steal the source code if you're running the code, and second, you're gonna target, you're gonna write code that is related to your cloud provider. So if I have a function... it is funny, so I told them, don't interfere with the Slack channel, and they just replied it would be funny if we did. Yeah, that's actually funny. So yeah, in that term, I'm gonna attack the function, and I'm not just gonna write PHP code or something else, I'm gonna try and write code that will go and look for resources inside the cloud account. So if you have DynamoDB or an S3 bucket or SES, SNS, or any other resource like logs etc., I'm gonna write an exploit that is going to try and interact with these resources and then steal them, just like I did here with the DynamoDB scan. Okay, let's go back to the presentation. All right, now that I know how to interact with Slack, I don't actually need to go through Slack, I can actually just curl to the Slack API, but it's nicer like that. So we see how we stole it. Okay, so this was something called event injection; I showed it, it was

partially API gateway, so it's kind of a way that you understand. But as I mentioned earlier, you can trigger functions with nothing related to an API call. This was a REST API, sorry, my API gateway; but if a function is triggered for every email that is received, it's enough that I send an email and it will trigger the function. Now if the function doesn't do any validation on the code, and it has some vulnerability, maybe I will attack your function through the subject of the email, which is new, and it can happen. I haven't seen it in the wild, because there isn't much of it in the world at this moment, but I'm pretty sure we're gonna see it, just like we saw on every other technology that came in: someone said, oh nice, mobile, now we don't need to deal with security, right, and then we had it all over again, fun for us. So I'm pretty sure it's gonna be the same for serverless; they're gonna do even better: oh, now we have the serverless infrastructure, we don't need to deal with security, and then we end up with this. So the first one is event injection. Again, maybe this is a good scenario that you probably saw somewhere, where you interact with an application that allows you to upload a file, and you get a URL to upload the file to an S3 bucket, an Amazon S3 bucket. This is very, very common, also before serverless. So let's think about that: if the bucket itself is configured insecurely and is open, I mean anyone can upload to it, I can maybe upload files, malicious files, which will trigger your functions. And I wrote a few example blogs about it, how you can write malicious code, or even in the file name: if the function takes the file name and the file name is malicious, you can actually get some cool attacks like that. So I'm gonna go through some different attacks that we have in serverless. They're not specifically the first top ten, but we're trying to establish that now; I'll mention that later. So another big issue that we have with serverless is that, yeah, every function, from what we saw, is from three, five, let's say five lines of code to three hundred lines of code; this is the average. So three is because it's calling some other function, it's just a wrapper or something, so let's say something between 20 lines of code to 300 lines of code, that's pretty much what each function does. But in order to be able to do that, they need to bring a lot of dependencies with them, because, right, you cannot

really, right, so it's stateless, so you cannot just get something from another way, but you need the functions to be able to do this, so you bring a lot and a lot of dependencies into your function, your application, and every function uses that. This is a very big source of vulnerabilities. So there are companies that do this vulnerability dependency check, like Snyk, or Black Duck, which was acquired by Synopsys, and WhiteSource; we also do that. But there is an open database, the NIST database, that you can use; the best way is to automate that, of course. Open resources: as I mentioned, if an S3 bucket is open and you haven't figured it out, someone can trigger your business logic or your code without you knowing. And this could be, apart from the fact that if your S3 bucket is open anyone can just download the files in it, they can actually run code. And let's see, you probably know Shodan for IoT, where you go and search for open IoT; the fun thing is there is one for cloud storage, it's called GrayhatWarfare, and you can just go through thousands and thousands of open buckets, from people that either did it intentionally or not, and it goes like without limits. All right, so you can just click on one, and if there are files inside, let's take another one, you can see all the files inside, right, and you can just download them. Some of them are not there anymore, some of them are not sensitive, but I just happen to, this is a demo bucket, find some very funny and not funny files open. Yeah, okay, so we don't know what's inside, but it's like Shodan, so you can try your luck, and there are hundreds of them, or sorry, hundreds and thousands and thousands of them that weren't supposed to be open. So this is a big problem. Also there are ways to have an open API, REST API: the default of the REST API is without any authentication, so it's good if it's

just a informational application or something but in many cases you just build up a function you and deploy a function and the default state of it is it's open no other indication whatsoever in any one can trigger your functions so you need to be aware about that as well over privileged function this is a very very big issue here that we saw what it can cause but the biggest challenge here is that so yeah we can really find gray in it so you think about it if you can really make all your function this list privileged it's it would really really decrease your attack surface but how do you do that for hundreds and thousands

of functions and you don't expect the developers to to own but to own the the permission I mean maybe you do in your organization level but the usual developers has no idea of what security is and this is why it's so fun for us and then how do you deal with it so again we believe you should automate it part of what we do is we scan your your code and we see what our API calls like service provider SDK API calls you are doing and then we match it with your permission and we say hey you only write to a dynamodb why do you need the wild card so the only way to do it is by

automated sensitive that explode exposure it's not new everything that indica is in the cloud is prone to you know the data is out there so you need to beware again sensitive data here will be a little different so for for one fact that the source code is an inside environment and you don't want people to steal your code oh another thing that when the function goes up it's a read-only file system that you don't control but there is a one folder is the temp folder which is the right has right privileged of the functions can write into it so you can so most of the data is written to that file at that folder and sometimes people think hey we just I

also said that right so the function goes write something to the slash temp folder and then the container dies right theoretically yes but and someone back then validated the 90a for that but they don't they die and then in order to keep your performance level like high to give you a high performance level they are not really dying and they just waiting for someone else to call your function not necessarily the next one and randomly land there so you cannot control who is gonna land on that container but someone will and might not if your function doesn't run for a while that eventually it will get killed but if someone is not if your function is or your code is

triggered more than once in four minutes that someone will land on the same container having the same file that you left behind and maybe steal them so you need to do some cleanup after your function runs right you now have wallet against denial of service so the attack here is different right the attack here is different so denial service you don't really attack the infrastructure right so I mean if you someone attack attacks us our application they really attacks the infrastructure providers or AWS or Azure so we don't care about it right but in order to prevent in our wallet because we pay for each call right so someone can just call I don't know

unlimited loop our api's and we are gonna pay maybe a few tens but assent for each but eventually it can grow up so in order to prevent in our wallet what we have the service providers allows us to do either a budget limit to the specific function or account so if so if H is $100 stop it or if you want you can have a limited concurrency for your function so you can say I want only 10 parallel calls to the specific to this function so I won't have a denial of wallet here but then of course it's a trade off because someone can just trigger your function repeatedly and no one will else will be

able to use your your function there is no real solution for that execution flow manipulation as I said the attacker can come from different weights so they can actually bypass part of the application flow it's more complicated now so I'll show you later how to interact with that to do to read about it it's a cure short space as I mentioned the slash tamp insufficient logging and monitoring these are just part of the top ten the original top ten and there are logging and monitoring of the of the cloud account but they are not just they can be visible to you but you need to know how to get them so it's not like someone is attacking your service and

someone will say hey someone is attacking your service no you need to go over logs like sock sock while or a type or uses other solution like us and then see that someone is actually attacking your of your your functions or your application and insecure secret management as I said if you can put if you put secrets into your code or your environment variables and someone land someone sort someone got can exploit your function they can steal it so you can maybe encrypt them so there this is another way to do that or you can use some other vault like solution that brings your your secrets in runtime right that's it what you can do about it

so first of course don't panic we talked a lot about it we really actually after all this talk I showed you yeah it's not secure but we actually believe that service could be the most secure infrastructure for your application our solution is also several s 100% service and I mean think about that you don't need to invest in operation system and patching or a Persian system security or patching on or anything you just need to be able to write secure code so yeah security goes a long way but you can limit it to secure code and then we I show I write a lot of blogs and webinars I'm doing about how to attack and how to

defend several applications so you can read about it just launched recently Oh a step service top ten we just released our first draft last week or sorry this week the first draft what it does it goes to the original OS top ten that hopefully most of you know I go one by one and I show how they defer when we go to service what are the new attack services how to identify security issues how do you protect against it because it's different Yukie I showed you one example so the attack and the attack vectors are different and the defense defenses different mechanisms are different so if you go and look and try to compare you

see that almost none of them are the same so same application but different techniques different attacks different defense techniques right thank you everyone any questions yeah

Yeah, so depends on your service provider. AWS will allow you to integrate their API Gateway firewall, so you can use that, but it's only for API calls. And yeah, if this is the question, then yeah, you can use the API Gateway firewall for that specifically. Not all the service providers have that solution. And yeah, so there are a lot of problems, sorry, one second, a lot of problems with Google GCP also. For example, their current, and they're going to change it soon, but their current permission roles is one per application, so no matter what you can do, you can only give them one permission to all the functions in your application, and they're gonna have all the abilities of all the rest of the functions. So certainly AWS is one step ahead of them, but there are phases in keeping up with them. Yeah, one second. Yeah, we are...

Sorry, I'm not sure I understood the question, I also have death deaf, so yeah.

It's not possible unless your whole application is really, really small, because they are limited in terms of how long they can run. Each function can run up to, depending again on the service provider, it was up to five minutes, now AWS just raised it to 15 minutes. Probably it's gonna increase, but I'm not sure this is the right way to do that if you're going to do serverless. Yeah, sorry, yeah, what about it?

Yeah, of course you can use source code static analysis and then you can fix your code, but again it will really limit your... it's just like any application. Do you think that if you ran Checkmarx, which is very good at source code static analysis, it's gonna make sure that you have no security issues in your application? They can help, really, I'm just not sure that it's the only solution, you have to do other things as well. Yeah. All right, nope. Yeah.

OK, so there is no standard. Again, if you're using only API Gateway, which is kind of common, but not for new companies that go there, you can use their solution, there is an API Gateway firewall. But behind that there is no other solution if your function is called from other things, there is guarantee, I mean there is no solution that the service provider will give you. You need to either, in your code, make sure you know what you're doing, so validate it, or run a solution like we provide which protects your function at runtime. Yeah.

Yeah, I mean, let's say that someone is trying to do some injections or attacks into your functions. How do you get that, when you don't have a control that looks for patterns over the network, because you don't own it? So how do you know? So you have a few ways to do that, and the easiest one would be probably, the easiest technology-wise, maybe not easiest in actually doing that, because it's gonna be tough to find it: it's going through the logs that you have. Certain log services, so the cloud provider has log services that they give you, and by default every function that you write automatically writes to its specific log, and you can then go to the log service and try to find out that someone attacked you. But it's hard to do it in real time if you have hundreds and hundreds of functions running and invoking repeatedly, so how do you find it? So you don't actually, you don't find it, so you need someone to give you this insight. So there are other solutions, we're not the only one, but we're the best. Any other question? Thank you everyone. [Applause]
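The least-privilege check the speaker describes for over-privileged functions (compare the SDK calls a function actually makes with the IAM actions its role grants, and flag the wildcard) as an added Python example; this is not the speaker's or Protego's code. The handler source, the policy and the small boto3-method-to-IAM-action table are constructed for illustration, and the ARN in the suggested statement is a placeholder.

```python
import re

# Constructed sample: source of a small Lambda handler that only writes to DynamoDB.
SAMPLE_SOURCE = '''
import boto3
table = boto3.resource("dynamodb").Table("orders")
def handler(event, context):
    table.put_item(Item={"id": event["id"]})
    return {"status": "ok"}
'''

# Constructed sample: the IAM policy attached to that function's role (the wildcard case).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}

# Hypothetical mapping from boto3 method names to the IAM action each one needs.
SDK_TO_IAM = {
    "put_item": "dynamodb:PutItem", "get_item": "dynamodb:GetItem",
    "query": "dynamodb:Query", "scan": "dynamodb:Scan",
    "get_object": "s3:GetObject", "put_object": "s3:PutObject",
}

def actions_used(source):
    """IAM actions implied by the SDK method calls found in the function's source."""
    calls = set(re.findall(r"\.(\w+)\(", source))
    return sorted(SDK_TO_IAM[c] for c in calls if c in SDK_TO_IAM)

def review(source, policy):
    """Compare what the code calls with what the role grants and report the excess."""
    used = actions_used(source)
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        res = stmt.get("Resource", [])
        resources = res if isinstance(res, list) else [res]
        for action in actions:
            if "*" in action:
                findings.append(f"wildcard action grant: {action}")
            elif action not in used:
                findings.append(f"granted but never called: {action}")
        if any("*" in r for r in resources):
            findings.append("wildcard resource: scope the grant to the table or bucket ARN")
    # Suggested least-privilege statement; the ARN is a placeholder to fill in per function.
    suggested = {"Effect": "Allow", "Action": used, "Resource": "<TABLE_OR_BUCKET_ARN>"}
    return {"used": used, "findings": findings, "suggested": suggested}
```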