The Open Web Application Security Project (OWASP) Los Angeles Chapter has teamed up with the Orange County, Inland Empire, San Diego, and San Francisco Bay Area chapters to bring you another great AppSec California. Join us and your peers for amazing talks and networking on January 22-25, 2019!
Back To Schedule
Tuesday, January 22 • 9:00am - 5:00pm
Attacking and Defending Containerized Apps and Serverless Tech [Day 1 of 2]

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Course Abstract

With Organizations rapidly moving towards micro-service style architecture for their applications, container and serverless technology seem to be taking over at a rapid rate. Leading container technologies like Docker have risen in popularity and have been widely used because they have helped package and deploy consistent-state applications. Serverless and Orchestration technologies like Kubernetes help scale such deployments to a massive scale which can potentially increase the overall attack-surface to a massive extent, if security is not given the attention required.
Security continues to remain a key challenge that both Organizations and Security practitioners face with containerized and, serverless deployments. While container orchestrated deployments may be vulnerable to security threats that plague any typical application deployments, they face specific security threats related to the containerization daemon, shared kernel, shared resources, secret management, insecure configurations, role management issues and many more! Serverless deployments, on the other hand face risks such as insecure serverless deployment configurations, Inadequate function monitoring and logging, Broken authentication, Function event data injection & Insecure application secrets storage. Attacking an infrastructure or Applications leveraging containers and serverless technology requires specific skill-set and a deep understanding of the underlying architecture.

Training Syllabus

Day 1:

Evolution to Container Technology and Container Tech Deep-Dive

* Introduction to Container Technology
* Namespace
* Cgroups
* Mount
* Hands-on Lab: Setting up a Minimal Container

Introduction to Containerized Deployments: Understanding and getting comfortable using Docker

* An Introduction to containers
* LXC and Linux Containers
* Introducing Docker Images and Containers
* Deep-dive into Docker
* Docker Commands and Cheatsheet
* Hands-on:
* Docker commands
* Dockerfile
* Images
* Docker Compose
* Introduction to docker-compose
* Hands-on:
* Docker-compose commands
* Application Deployment Using docker
* Hands-on
* Containerize the application
* Deploying a containerized application
* Deploy a containerized application using docker-compose

Threat Landscape: An Introduction to possible threats and attack surface when using Containers for Deployments

* Threat Model for Containerized Deployments
* Daemon-related Threats
* Network related Threats
* OS and Kernel Threats
* Threats with Application Libraries
* Threats from Containerized Applications
* Traditional Threat-Modelling for Containers with STRIDE
* Spoofing
* Tampering
* Repudiation
* Information Disclosure
* Denial of Service
* Elevation of privileges

Attacking and Securing Containers

* Attacking Containers and Containerized Deployments
* Hands-on
* Container Breakout
* Exploiting Insecure Configurations
* OS and Kernel level exploits
* Trojanized Docker image
* Container Security Deep-Dive
* Hands-on
* AppArmor/SecComp
* Restricting Capabilities
* Analysing Docker images
* Container Security Mitigations
* Hands-on: Container Vulnerability Assessment
* Clair
* Dagda
* Anchore
* Docker-bench

Introduction to Kubernetes

* Understanding Kubernetes Components and Architecture
* Hands-on:
* Exploring Kubernetes Cluster
* Deploying application to Kubernetes

Day 2:

Attacking Kubernetes Cluster

* Kubernetes Threat Model
* Hands on:
* Attacking application deployed on Kubernetes
* Exploiting a Vulnerable Kubernetes cluster

Kubernetes Security Deep-Dive

* Kubernetes Security Mind-Map
* Hands-on: Ideal Security Journey: Kubernetes
* Pod Security
* Access Control
* Secret Management
* Hands-on: Kubernetes Vulnerability Assessment
* Kube-sec
* Kube-hunter
* Kube-bench
* Hands-on: Logging and Monitoring
* Resource utilization
* Malicious behavioral activity monitor

Serverless Introduction

* Understanding Serverless and FAAS (Function-As-A-Service)
* Introduction to AWS Lambda and other Serverless options
* Hands-on: Deploying a Serverless application

Attacking Serverless applications

* OWASP-Top 10 for Serverless Applications
* Hands-on: Attacking Serverless applications
* Injection based attacks
* Broken authentication attack
* Deserialization attacks
* Securing Serverless applications
* Identity and Access Management
* Secret management
* Logging and Monitoring Functions
* Hands-on: Serverless Vulnerability Assessment
* Static Code Analysis [SCA]
* Static Application Security Testing [SAST]
* Dynamic Analysis Security Testing [DAST]

Upon completion of this training, attendees will know:

* Attacking and Securing Applications leveraging containers and, serverless technology requires specific skill set with a deep understanding of their underlying architecture that attendees will be able to understand.
* This course is aimed at Developers, DevOps Engineers, Penetration Testers and Security practitioners who plan to use container or serverless technology as part of their product deployments and want to get a good understanding on how to secure their services and deployments.
* Training will be extremely hands-on with exercises that are similar to real-world threat scenarios that the attendees will understand and take part in. This will help them understand all there is to attack and secure containerized and, serverless applications.
* On completion, attendees will also understand ways attack and securely deploy on Container Orchestration technology like Kubernetes and on Serverless.

Laptop Requirements
 * Intel i5 and above preferred, 64bit Operating System (32 bit will NOT work), 8GB+ RAM preferred. Netbooks WON’T work.
* Working WiFi adapter with ability to connect to third party wireless networks

Lab Requirements
* We have created cloud labs for all the exercises and labs of the program to work. You will need a terminal program to SSH into the remote lab environments. These programs should work fine: Mac OSX => ITerm2 or Terminal (no need to install), Windows => Putty or Cygwin, Linux => Terminal (no need to install anything else)

* Since AppSecCali doesn't provide wifi, we are carrying our WiFi for the labs. Nevertheless, as a backup, we are still carrying VMs for the lab environments that we will be running. Please download and install the latest version of Oracle VM VirtualBox (https://www.virtualbox.org/). We have prepped the images to run in VirtualBox 6.0 (latest).
* In the event the wifi is unreliable, we will be carrying USB flash drives with the VMs which you can use to run the labs. You will need to have cables/adapters to copy from USB flash drives to your laptop. You will also need the requisite permissions and privileges to copy and install software on your laptop. Please be sure of this before you come in for the class, as we will not be able to help you with this in class.
* If you are running VMs on a Mac, it's typically problem-free. However, if you are running Windows Host OS, you will need to check the following:
* Enable Virtualization in the BIOS => https://bit.ly/2oygJ1H * Disable Hyper-V => https://bit.ly/2ABwrxL * 50GB free space on HDD for VM(s)

avatar for Abhay Bhargav

Abhay Bhargav

Founder, we45
"Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron"", a leading Application Vulnerability Correlation and Orchestration Framework.  He has created some pioneering... Read More →
avatar for Nithin Jois

Nithin Jois

Senior Security Solutions Engineer, we45
Nithin Jois dons two hats - Apart from being one of the lead trainers at AppSecEngineer, he is also a Senior Solutions Architect at We45 where he has helped build multiple solutions ranging from Vulnerability management to scalable scanner orchestrating systems that leveraged container... Read More →

Tuesday January 22, 2019 9:00am - 5:00pm PST
Garden Terrace Room