The Open Web Application Security Project (OWASP) Los Angeles Chapter has teamed up with the Orange County, Inland Empire, San Diego, and San Francisco Bay Area chapters to bring you another great AppSec California. Join us and your peers for amazing talks and networking on January 22-25, 2019!
Wednesday, January 23 • 9:00am - 5:00pm
Attacking and Defending Containerized Apps and Serverless Tech [Day 2 of 2]


Course Abstract

With organizations rapidly moving towards microservice-style architectures for their applications, container and serverless technologies are being adopted at a rapid rate. Leading container technologies like Docker have risen in popularity and are widely used because they help package and deploy applications in a consistent state. Serverless and orchestration technologies like Kubernetes help scale such deployments massively, which can also expand the overall attack surface considerably if security is not given the attention it requires.
Security continues to be a key challenge that both organizations and security practitioners face with containerized and serverless deployments. While container-orchestrated deployments may be vulnerable to the security threats that plague any typical application deployment, they also face threats specific to the containerization daemon, the shared kernel, shared resources, secret management, insecure configurations, role management issues and many more. Serverless deployments, on the other hand, face risks such as insecure serverless deployment configurations, inadequate function monitoring and logging, broken authentication, function event data injection and insecure application secrets storage. Attacking an infrastructure or applications leveraging containers and serverless technology requires a specific skill set and a deep understanding of the underlying architecture.

Training Syllabus

Day 1:

Evolution to Container Technology and Container Tech Deep-Dive

* Introduction to Container Technology
* Namespace
* Cgroups
* Mount
* Hands-on Lab: Setting up a Minimal Container

Introduction to Containerized Deployments: Understanding and getting comfortable using Docker

* An Introduction to containers
* LXC and Linux Containers
* Introducing Docker Images and Containers
* Deep-dive into Docker
* Docker Commands and Cheatsheet
  * Hands-on:
    * Docker commands
    * Dockerfile
    * Images
* Docker Compose
  * Introduction to docker-compose
  * Hands-on:
    * Docker-compose commands
* Application Deployment Using docker
  * Hands-on:
    * Containerize the application
    * Deploying a containerized application
    * Deploy a containerized application using docker-compose

Threat Landscape: An Introduction to possible threats and attack surface when using Containers for Deployments

* Threat Model for Containerized Deployments
  * Daemon-related Threats
  * Network-related Threats
  * OS and Kernel Threats
  * Threats with Application Libraries
  * Threats from Containerized Applications
* Traditional Threat-Modelling for Containers with STRIDE
  * Spoofing
  * Tampering
  * Repudiation
  * Information Disclosure
  * Denial of Service
  * Elevation of Privileges

Attacking and Securing Containers

* Attacking Containers and Containerized Deployments
  * Hands-on:
    * Container Breakout
    * Exploiting Insecure Configurations
    * OS and Kernel level exploits
    * Trojanized Docker image
* Container Security Deep-Dive
  * Hands-on:
    * AppArmor/SecComp
    * Restricting Capabilities
    * Analysing Docker images
* Container Security Mitigations
  * Hands-on: Container Vulnerability Assessment
    * Clair
    * Dagda
    * Anchore
    * Docker-bench

Introduction to Kubernetes

* Understanding Kubernetes Components and Architecture
* Hands-on:
  * Exploring a Kubernetes Cluster
  * Deploying an application to Kubernetes

Day 2:

Attacking Kubernetes Cluster

* Kubernetes Threat Model
* Hands-on:
  * Attacking an application deployed on Kubernetes
  * Exploiting a Vulnerable Kubernetes cluster

Kubernetes Security Deep-Dive

* Kubernetes Security Mind-Map
* Hands-on: Ideal Security Journey: Kubernetes
  * Pod Security
  * Access Control
  * Secret Management
* Hands-on: Kubernetes Vulnerability Assessment
  * Kube-sec
  * Kube-hunter
  * Kube-bench
* Hands-on: Logging and Monitoring
  * Resource utilization
  * Malicious behavioral activity monitor

Serverless Introduction

* Understanding Serverless and FAAS (Function-As-A-Service)
* Introduction to AWS Lambda and other Serverless options
* Hands-on: Deploying a Serverless application

Attacking Serverless applications

* OWASP Top 10 for Serverless Applications
* Hands-on: Attacking Serverless applications
  * Injection-based attacks
  * Broken authentication attack
  * Deserialization attacks
* Securing Serverless applications
  * Identity and Access Management
  * Secret management
  * Logging and Monitoring Functions
* Hands-on: Serverless Vulnerability Assessment
  * Static Code Analysis [SCA]
  * Static Application Security Testing [SAST]
  * Dynamic Analysis Security Testing [DAST]

Upon completion of this training, attendees will know:

* Attacking and securing applications that leverage containers and serverless technology requires a specific skill set and a deep understanding of their underlying architecture, which attendees will gain.
* This course is aimed at developers, DevOps engineers, penetration testers and security practitioners who plan to use container or serverless technology as part of their product deployments and want a good understanding of how to secure their services and deployments.
* The training is extremely hands-on, with exercises modelled on real-world threat scenarios that attendees will understand and take part in. This will help them understand what it takes to attack and secure containerized and serverless applications.
* On completion, attendees will also understand ways to attack, and to securely deploy on, container orchestration technology like Kubernetes and on serverless platforms.

Attendees should bring:

Minimum Laptop Requirements:

* Intel i5 or above preferred, 64-bit operating system (32-bit will NOT work), 8GB+ RAM preferred. Netbooks WON'T work.
* Minimum 80GB of HDD space available
* Working WiFi adapter with the ability to connect to third-party wireless networks
* Users must be able to use the USB port of the laptop to copy, install and run the Virtual Machine, which will be delivered on a USB Mass Storage Device (Flash Drive).
* A soft copy of the slides and the VMs will be given to participants on a USB Flash Drive formatted with NTFS.
* Please download and install the latest version of Oracle VM VirtualBox.
* We have observed that Windows laptops often come with virtualization options disabled in the BIOS. In such cases, the Virtual Machine and the workshop exercises won't work. Please ensure that the following measures are taken to make your laptop ready for virtualization:
  * You must have access to your BIOS menu. This can be accessed by pressing F12 (not on all laptops; some may have a different key to access the BIOS menu). In some cases, there may be a password to access the BIOS menu.
  * Guide to enable virtualization: https://www.google.com/amp/s/www.howtogeek.com/213795/how-to-enable-intel-vt-x-in-your-computers-bios-or-uefi-firmware/amp/
* A valid AWS account with paid/free-tier access to Lambda and permission to deploy and run Lambda applications will be necessary.

Pre-requisites for attendees:

1. Students should have a basic understanding of the Linux environment and know their way around the terminal.
2. A basic understanding of the 'OWASP Top 10 Vulnerabilities' and the 'Basics of Docker' will be helpful.

Speakers

Abhay Bhargav

CTO, we45
Abhay Bhargav is the Founder of we45, a focused Application Security company. Abhay is a builder and breaker of applications. He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works...

Nithin Jois

Solutions Engineer who specialises in DevSecOps, We45
Nithin Jois is a Solutions Engineer at we45, a focused Application Security company. He has helped build "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He is experienced in orchestrating containerized deployments securely to production...


Wednesday January 23, 2019 9:00am - 5:00pm
Terrace Lounge