Kajal Nair

Kajal Nair is an OSWE-certified Security Engineer at CRED who has been involved in the security community for nearly 4 years. She enjoys going through thousands, if not millions, of lines of code in order to find flaws in the source code. In her eyes, every line of code she writes is a work of art, which drew her to examine code, break it, and help fix it, as well as build tools to assist her.

Talk / Workshop: Talk

Description

360-degree view of Lambda Security

AWS Lambda is a serverless, event-driven compute solution that allows you to run code for almost any form of application or backend service without having to provision or manage servers. Multiple AWS services and software as a service (SaaS) applications can trigger Lambda. All we need to do is supply the code, and the service will be up and running. As a result of these benefits, the majority of applications these days are created on a serverless architecture; yet the security of these serverless applications is a concern, because the attack surface is small, less traveled, and yet to be discovered.

Our research includes investigating secure ways of implementing AWS Lambda architecture, automating the secure code analysis of AWS Lambda functions, and their mitigations. Since Lambda supports a large number of runtime languages, developers can use it to create whole backend functionality while AWS handles the security of the underlying platform. The core objective focuses on the flaws that might occur in Lambda code, triggering Lambda functions, overly permissive IAM roles, API Gateway concerns, leveraging third-party dependencies, insufficient logging & monitoring, and the OWASP Serverless Top 10. During our exploration, we also evaluated various open source tools and were inspired to create our own, which is still in the works. Our tool would run static analysis and SCA (Software Composition Analysis), and also detect Lambda-related vulnerabilities such as S3 bucket issues, overly permissive IAM roles, API Gateway issues, and stale Lambda functions.

To address the points raised above, we have come up with an automated solution that streamlines the entire process. The solution takes the ARN of the Lambda function as input, maps out all of the AWS services it interacts with, and identifies any misconfigurations inside those AWS resources. The solution also performs static code analysis on the Lambda's code base to identify Serverless Top 10 vulnerabilities as well as native language issues such as expression language injection, JS injection, RCE, deserialization vulnerabilities, and so on. Furthermore, it performs SCA (software composition analysis) to identify vulnerable dependencies used in the Lambda application. The tool's output may then be used to build a user interface that shows a complete 360-degree security view of the Lambdas in the AWS architecture.
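As an added illustration of the first two steps described above (not the speaker's tool, which is unreleased), the following Python snippet parses a Lambda ARN into its components and flags overly permissive Allow statements in the function's execution-role policy. The policy document is a constructed sample; in a real scan it would be fetched from IAM for the role attached to the function, and the "wildcard action or resource" rule is only one of the checks such a tool would apply.

```python
from typing import Dict, List, Optional

# Constructed sample execution-role policy (the kind of inline/managed policy
# attached to a Lambda's role). Statement 0 and 2 are over-permissive.
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}


def parse_lambda_arn(arn: str) -> Dict[str, Optional[str]]:
    """Split arn:aws:lambda:<region>:<account>:function:<name>[:<qualifier>]."""
    parts = arn.split(":")
    if len(parts) not in (7, 8) or parts[2] != "lambda" or parts[5] != "function":
        raise ValueError(f"not a Lambda function ARN: {arn}")
    return {"region": parts[3], "account": parts[4], "name": parts[6],
            "qualifier": parts[7] if len(parts) == 8 else None}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def find_overly_permissive(policy: Dict) -> List[Dict]:
    """Return one finding per Allow statement that uses wildcard actions/resources."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only restrict; they are not findings
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resources = [r for r in resources if r == "*"]
        if actions == ["*"] and resources == ["*"]:
            severity = "HIGH"      # full admin on everything
        elif wild_actions or wild_resources:
            severity = "MEDIUM"    # service-wide actions or any-resource scope
        else:
            continue
        findings.append({"statement": idx, "severity": severity,
                         "actions": wild_actions or actions,
                         "resources": wild_resources or resources})
    return findings
```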

In conclusion, the presentation will include a brief introduction to AWS Lambda, static analysis of Lambda code and its secure implementation, Lambda vulnerabilities (all the services that can affect the Lambda application and the OWASP Serverless Top 10) and their mitigations. Finally, the overall exercise should raise awareness about Lambda and its vulnerabilities, automate Lambda security to save time and effort, and provide in-depth visibility into Lambda's serverless security.
