Apoorva Jois

Apoorva Jois
Apoorva is an OSCP certified security enthusiast with three years of experience in the field. Her primary areas of expertise are web application pentesting, API pentesting, network security and infrastructure security pentesting. She is currently employed as a Security Engineer at CRED, where she primarily focuses on Application Security and is also a pentester at Cobalt.io. She has been inducted into several Halls of Fame, including RedHat, Rackspace, KFC etc and is also an active member of Synack Red Team where she finds and reports vulnerabilities to various organizations.

Talk / Workshop

360-degree view of Lambda Security

AWS Lambda is a serverless, event-driven compute solution that allows you to run code for almost any form of application or backend service without having to provision or manage servers. Multiple AWS services and software as a service (SaaS) applications can trigger Lambda. All we need to do now is give the code, and the service will be up and running. As a result of these benefits, these days the majority of applications are created on a serverless architecture; yet,the security of these serverless applications is a concern because the attack surface is small, less traveled, and yet to be discovered.

Our research includes investigating secure ways of implementing AWS lambda architecture, automating the secure code analysis of AWS functions and its mitigations. Since Lambda supports a large number of runtime languages, developers can use it to create whole backend functionality while AWS handles the security. The core objective focuses on the flaws that might occur in lambda code, triggering lambda functions, overly permissive IAM roles, API gateway concerns, leveraging third-party dependencies, insufficient logging & monitoring and OWASP Server-less top 10. During our exploration, we also evaluated various open source tools and were inspired to create our own, which is still in the works. Our tool would run statistical analysis, SCA (Software Composition Analysis) and also detect lambda related vulnerabilities such as S3 bucket issues, overly permissive IAM roles, API gateway issues, and detect stale lambda functions.

To address the points raised above, we have come up with an automated solution that streamlines the entire process. The solution would utilize the ARN of the lambda function as an input to map out all of the AWS services it interacts with and identify any misconfigurations inside the AWS resources. The solution also performs a static code analysis on the lambda's code base to identify serverless top 10 vulnerabilities as well as native language issues such as expression language injection, JS injections, RCEs, deserialization vulnerabilities, and so on. Furthermore, it performs SCA (software composition analysis) to identify vulnerable dependencies used in the lambda application. The tool's output may then be utilized to create a robust user interface that shows a complete 360-degree security view of Lambda's in the AWS architecture.

In conclusion, the presentation will include a brief introduction to AWS lambda, static analysis of the lambda code & its secure implementation, lambda vulnerabilities (all the services that can affect the lambda application and OWASP Serverless Top 10) & its mitigations. Finally, the overall exercise should raise awareness about Lambda and its vulnerabilities, automate Lambda security to save time and effort, and provide in-depth visibility into Lambda's serverless security.

Subscribe and get our news and updates.