Welcome to 2019. The year we will all understand that serverless is not a fleeting trend, but is here to stay. How am I so confident? That’s easy. All cloud providers are working extra hours to make sure we are aware of that. It was basically what AWS re:Invent was all about.
But the providers aren’t doing that for nothing. Hundreds of companies are going serverless, and this is only the beginning. Among the very long list of companies using serverless in production, you can find Netflix, Fujifilm, Capital One, SkyScanner, Symantec, Trend Micro, VMware, Nordstrom, Aetna, Splunk, HSBC, Spotify, and Snapchat. You get the point.
Now, mix that with security and you get a big, uncharted territory. That is not special to serverless applications. We had the same problems with every new technology coming into town. It’s exactly what happened when blockchain and containers were introduced.
I keep asking myself, how is it that we do not learn from past experience? The only rational reason I can come up with is a very simple one – money. It’s all about money. Why do we create new technologies? Of course different technologies serve different purposes. But almost every company that creates a new technology believes that it can profit.
Why do we not invest in security from the bottom up? Money. It costs money to educate and it costs money to spend manpower on security. On the other side we have the hackers. Here, the motivation is the same. Yes, even white-hat hackers usually do this for personal reputation, which will hopefully land them a better job.
Why am I telling you this? The bottom line is: DVSA. But, let me explain first.
Let’s hope that you are still on the left side of the above GIF. You can come up with the scariest demo ever made, but unless your audience really understands the risks, you will probably have to move to the right side of the GIF to convince them.
Hands-on, interactive education is the best way to explain something. This is why we created DVSA – a Damn Vulnerable Serverless Application. DVSA is a deliberately vulnerable tool aiming to be an aid for security professionals to test their skills in a legal environment, help developers better understand the processes of securing serverless applications, and to aid both students & teachers in learning about serverless application security in a controlled, classroom environment.
The aim of DVSA is to let you practice some of the most common serverless vulnerabilities through a simple, straightforward interface. The application includes both documented and undocumented vulnerabilities; the undocumented ones are there to encourage people to discover as many issues as possible on their own.
What makes this tool unique is that it is the first to provide a real-world structure, with a variety of cloud resources: functions, databases, simple storage, queues, email services and more. The backend includes exposed and unexposed functions, an administrative back-office, and mock external APIs, alongside a modern front-end with real authentication and email interaction with its users.
This vulnerable application contains the most common security risks, including over-privileged roles, insecure configurations, broken access control, vulnerable dependencies and many more, tailor-made for a serverless-based application. You can attempt various attacks such as injection (which looks different from what we are used to, since the untrusted input arrives in the event that triggers the function rather than in an HTTP form field) and DoS. DVSA enables serverless practitioners to try, investigate and learn almost everything they need to know about serverless application security.
The project is open-source and was donated to OWASP by Protego Labs. DVSA can be deployed to your own cloud account with a few clicks, and is also available online, with a limited set of vulnerabilities (for obvious reasons).
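To make the "injection looks different" point concrete, here is an added illustration written for this post, not DVSA's own code: a Lambda-style handler triggered by an object upload, first with the object key interpolated into a shell command, then with the shell removed, and finally with allowlist validation added. The handler names, the bucket name and the constructed events are assumptions; the event layout follows the AWS S3 notification format, in which the key arrives URL-encoded.

```python
"""Event injection in a serverless function, shown with an S3-triggered handler.

Added illustration written for this post; it is not DVSA's code. The handler
names, the bucket name and the sample events are assumptions. The event layout
follows the AWS S3 notification format, where the object key is URL-encoded
(space as '+', ';' as '%3B'), so a real handler has to decode it first.
"""
import re
import subprocess
from urllib.parse import unquote_plus


def make_event(encoded_key, bucket="dvsa-demo-uploads"):
    """Build a constructed S3 ObjectCreated event for the given URL-encoded key."""
    return {
        "Records": [
            {
                "eventSource": "aws:s3",
                "s3": {"bucket": {"name": bucket}, "object": {"key": encoded_key}},
            }
        ]
    }


# The attacker needs no credentials for the function itself: they control the
# key simply by choosing the file name they upload. Decoded, this key reads
# "photo.jpg; echo INJECTED".
SAMPLE_EVENT = make_event("photo.jpg%3B+echo+INJECTED")


def _key_from(event):
    return unquote_plus(event["Records"][0]["s3"]["object"]["key"])


def run_vulnerable(event):
    """Interpolates the key into a shell command line. `echo` stands in for a
    real tool such as an image converter; what matters is shell=True."""
    cmd = f"echo processing {_key_from(event)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(event):
    """No shell: the key is a single argv element, so ';' and friends are inert.
    On its own this still leaves argument injection (keys starting with '-')
    and path traversal up to the tool being called."""
    argv = ["echo", "processing", _key_from(event)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Allowlist for keys this function is willing to touch: '/'-separated segments
# of letters, digits, '_', '-' and '.', never starting with '-', never '..'.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_.][A-Za-z0-9_.-]{0,254}$")


def validate_key(key):
    segments = key.split("/")
    ok = len(key) <= 1024 and all(
        SAFE_SEGMENT.fullmatch(s) and s != ".." for s in segments
    )
    if not ok:
        raise ValueError(f"rejected object key: {key!r}")
    return key


def run_hardened(event):
    """Allowlist validation plus no shell: reject before the tool ever runs."""
    key = validate_key(_key_from(event))
    return subprocess.run(["echo", "processing", key], capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(SAMPLE_EVENT)))
    print("argv only :", repr(run_argv_only(SAMPLE_EVENT)))
    try:
        run_hardened(SAMPLE_EVENT)
    except ValueError as exc:
        print("hardened  :", exc)
    print("hardened  :", repr(run_hardened(make_event("photos/cat_1.jpg"))))
```

Running it shows the vulnerable handler printing a second line, INJECTED, that came from the file name, while the argv-only version prints the metacharacters literally and the hardened version refuses the key outright. The same pattern applies to every other trigger DVSA wires up (queue messages, email, database streams): the injection point is whatever field of the event the function trusts.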
We just started 2019, and serverless is going to be a major part of it, so don’t be left behind.
Happy New Year!