Course Abstract
With organizations rapidly moving towards microservice-style architectures for their applications, container and serverless technologies seem to be taking over at a rapid rate. Leading container technologies like Docker have risen in popularity and are widely used because they help package and deploy consistent-state applications. Serverless and orchestration technologies like Kubernetes help scale such deployments massively, which can greatly increase the overall attack surface if security is not given the attention it requires.
Security remains a key challenge that both organizations and security practitioners face with containerized and serverless deployments. While container-orchestrated deployments may be vulnerable to the security threats that plague any typical application deployment, they also face specific threats related to the containerization daemon, shared kernel, shared resources, secret management, insecure configurations, role management issues and many more! Serverless deployments, on the other hand, face risks such as insecure serverless deployment configurations, inadequate function monitoring and logging, broken authentication, function event data injection and insecure application secrets storage. Attacking infrastructure or applications that leverage container and serverless technology requires a specific skill set and a deep understanding of the underlying architecture.
Training Syllabus
Day 1:
Evolution to Container Technology and Container Tech Deep-Dive
* Introduction to Container Technology
* Namespace
* Cgroups
* Mount
* Hands-on Lab: Setting up a Minimal Container
Introduction to Containerized Deployments: Understanding and getting comfortable using Docker
* An Introduction to containers
* LXC and Linux Containers
* Introducing Docker Images and Containers
* Deep-dive into Docker
* Docker Commands and Cheatsheet
* Hands-on:
* Docker commands
* Dockerfile
* Images
* Docker Compose
* Introduction to docker-compose
* Hands-on:
* Docker-compose commands
* Application Deployment Using docker
* Hands-on
* Containerize the application
* Deploying a containerized application
* Deploy a containerized application using docker-compose
Threat Landscape: An Introduction to possible threats and attack surface when using Containers for Deployments
* Threat Model for Containerized Deployments
* Daemon-related Threats
* Network related Threats
* OS and Kernel Threats
* Threats with Application Libraries
* Threats from Containerized Applications
* Traditional Threat-Modelling for Containers with STRIDE
* Spoofing
* Tampering
* Repudiation
* Information Disclosure
* Denial of Service
* Elevation of privileges
Attacking and Securing Containers
* Attacking Containers and Containerized Deployments
* Hands-on
* Container Breakout
* Exploiting Insecure Configurations
* OS and Kernel level exploits
* Trojanized Docker image
* Container Security Deep-Dive
* Hands-on
* AppArmor/SecComp
* Restricting Capabilities
* Analysing Docker images
* Container Security Mitigations
* Hands-on: Container Vulnerability Assessment
* Clair
* Dagda
* Anchore
* Docker-bench
Introduction to Kubernetes
* Understanding Kubernetes Components and Architecture
* Hands-on:
* Exploring Kubernetes Cluster
* Deploying application to Kubernetes
Day 2:
Attacking Kubernetes Cluster
* Kubernetes Threat Model
* Hands-on:
* Attacking application deployed on Kubernetes
* Exploiting a Vulnerable Kubernetes cluster
Kubernetes Security Deep-Dive
* Kubernetes Security Mind-Map
* Hands-on: Ideal Security Journey: Kubernetes
* Pod Security
* Access Control
* Secret Management
* Hands-on: Kubernetes Vulnerability Assessment
* Kube-sec
* Kube-hunter
* Kube-bench
* Hands-on: Logging and Monitoring
* Resource utilization
* Malicious behavioral activity monitor
Serverless Introduction
* Understanding Serverless and FAAS (Function-As-A-Service)
* Introduction to AWS Lambda and other Serverless options
* Hands-on: Deploying a Serverless application
Attacking Serverless applications
* OWASP-Top 10 for Serverless Applications
* Hands-on: Attacking Serverless applications
* Injection based attacks
* Broken authentication attack
* Deserialization attacks
* Securing Serverless applications
* Identity and Access Management
* Secret management
* Logging and Monitoring Functions
* Hands-on: Serverless Vulnerability Assessment
* Static Code Analysis [SCA]
* Static Application Security Testing [SAST]
* Dynamic Analysis Security Testing [DAST]
Upon completion of this training, attendees will know:
* Attacking and securing applications that leverage container and serverless technology requires a specific skill set and a deep understanding of the underlying architecture, which attendees will be able to understand.
* This course is aimed at Developers, DevOps Engineers, Penetration Testers and Security practitioners who plan to use container or serverless technology as part of their product deployments and want to get a good understanding of how to secure their services and deployments.
* Training will be extremely hands-on, with exercises similar to real-world threat scenarios that the attendees will understand and take part in. This will help them understand all there is to attacking and securing containerized and serverless applications.
* On completion, attendees will also understand ways to attack and securely deploy on container orchestration technology like Kubernetes and on serverless.
Laptop Requirements
* Intel i5 and above preferred, 64-bit Operating System (32-bit will NOT work), 8GB+ RAM preferred. Netbooks WON’T work.
* Working WiFi adapter with ability to connect to third party wireless networks
Lab Requirements
* We have created cloud labs for all the exercises and labs of the program. You will need a terminal program to SSH into the remote lab environments. These programs should work fine: Mac OS X => iTerm2 or Terminal (no need to install), Windows => PuTTY or Cygwin, Linux => Terminal (no need to install anything else)
* Since AppSecCali doesn't provide WiFi, we are carrying our own WiFi for the labs. Nevertheless, as a backup, we are still carrying VMs for the lab environments that we will be running. Please download and install the latest version of Oracle VM VirtualBox (https://www.virtualbox.org/). We have prepped the images to run in VirtualBox 6.0 (latest).
* In the event the wifi is unreliable, we will be carrying USB flash drives with the VMs which you can use to run the labs. You will need to have cables/adapters to copy from USB flash drives to your laptop. You will also need the requisite permissions and privileges to copy and install software on your laptop. Please be sure of this before you come in for the class, as we will not be able to help you with this in class.
* If you are running VMs on a Mac, it's typically problem-free. However, if you are running a Windows host OS, you will need to check the following:
* Enable Virtualization in the BIOS => https://bit.ly/2oygJ1H
* Disable Hyper-V => https://bit.ly/2ABwrxL
* 50GB free space on HDD for VM(s)