With developers more empowered than ever and infrastructure abstracted away, what is the new role of application security?
We sat down with Amit Klein, who is considered by many to be one of the founding fathers of modern application security, to talk about how the move to serverless architectures, microservices, and heavy reliance on cloud services, are changing the application security world.
First, a bit about Amit:
Amit Klein is a world renowned information security expert, with 28 years in information security and over 30 published technical and academic papers on the topic. Amit is currently VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks. Before SafeBreach, Amit was CTO at Trusteer (acquired by IBM) for 8.5 years. Before that Amit was chief scientist for Cyota (acquired by RSA), and director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM security division). Amit also serves as an academic researcher, working with Prof. Benny Pinkas at Bar-Ilan University, and advises multiple cybersecurity startups and VCs.
Amit was my boss and mentor in the early days of web application firewalls; together we published some of the most cutting edge application security research and developed unique industry leading solutions.
Amit has a B.Sc. from the Hebrew University in Mathematics and Physics (magna cum laude, Talpiot program), was recognized by InfoWorld as a CTO of the year 2010, and has presented at BlackHat USA, DefCon, NDSS, InfoCom, DSN, HITB, RSA, OWASP, CertConf, BlueHat, CyberTech, APWG and AusCERT.
I don’t know about you but I’m starting to feel bad about my own accomplishments. In any case, Amit has seen the evolution of software development practices and application security, and had some interesting thoughts about how they affect each other.
Developers are incredibly empowered nowadays, and in many ways, they’re the ones “calling the shots” by deploying straight to the cloud without having to rely on IT for infrastructure services. How does that change the IT security world?
Technology-wise, I don't think this is a revolutionary step - in my opinion it's more of an evolutionary step. Developers started calling the shots (in the web development world, at least) over two decades ago, when they first deployed web applications to web servers. At that moment, you could say that the security guys “lost control”, because they can't control the (possibly insecure) code.
Sure - soon enough web application firewalls and web application scanners started popping up (and the two of us share the blame for a lot of this...), but deploying these post-factum solutions (with their inherent shortcomings) didn’t mean IT security gained full control over the situation. Going serverless is simply the next logical step of "losing control" over the infrastructure and the hosts as well.
I think what we learn here is that security should be applied closer to the application. Ideally, security should be interwoven into the application from day one. So back to the question at hand - I think the IT security world is going to change drastically, by moving much closer to the application. I expect we'll see products that better understand applications, how they interact, and how to inherently secure them, and IT security personnel will need to adapt to a new situation wherein their added value will be in tailoring such solutions, rather than managing servers, networks and images.
What are your thoughts about application security in a world where you no longer control the underlying infrastructure and cloud services are the new “back-end”?
In general I think there's a lot of studying to be done with respect to serverless security, partly due to the fact that the landscape right now is still in its early days. For example, it is often mentioned that the fact that serverless instances are short lived has the side effect of improving security (as it reduces the persistence of malicious code), but on the other hand, there's a move toward longer lived instances in order to improve performance (reduce lead time). So there is actually no guarantee as to the lifetime duration of a serverless instance, which is actually the worst case from a security analysis standpoint.
I guess at some point, guarantees and specifications will become available as offerings crystalize. This is but one trivial example, of course. I can think of more sophisticated issues, such as persistency at large, running malicious code, etc. The analogy I have in mind is the endless "war" in the operating systems. When DEP (Data Execution Prevention) defense was introduced to counteract buffer overflow attacks, security researchers came up with a way to circumvent this security measure - they invented ROP (Return Oriented Programming). That war rages on, and the moral of the story is that new technology (security or otherwise) breeds new attacks (and new defenses, and new circumvention techniques, ad infinitum).
Micro/nano services architecture poses an interesting challenge, but also an opportunity, for application security. On one hand, some security measures (e.g. automatic/manual code reviews) can turn into a nightmare, simply because the logic is spread over so many files, servers, etc., with some of it probably not even available for review (3rd party services). On the other hand, I think there's a unique opportunity in this breaking down of logic into multiple small services, which is that if one monitors all service/lambda invocations, one gets a very detailed view of the execution flow, which can be a boon for security enforcement and is something that was very hard to acquire for the more monolithic "traditional" applications.
Regarding cloud services as the new back-end, in general I think it's great, because like so many other things, if I can have someone else to do them for me, while I focus on the things I do best, I'll take this path any day of the week. Of course, I need to trust the cloud service to be an expert, and to treat security professionally, and I suppose that eventually there will be some ranking or certification to go along with such services to show that they pass at least some minimum requirements.
There is one downside to it, which is that it makes the cloud service providers an even greater target, i.e. if someone can penetrate into their servers (either via a cyber attack, or via legal means), then the attacker wins a much bigger jackpot than anything I can think of today. I'm not sure what the solution to this problem is, really. Encryption at rest isn't much of a help, because an attacker can inject malicious code into the database process that can read the decrypted data. I suppose a paranoid solution can be to use data from two cloud services, such that the data from each one is meaningless, and only the combination of data reveals meaningful information, but this has some serious drawbacks e.g. around record order and search.
Any additional thoughts about serverless security?
One thing I noticed when I analyzed several (simple!) serverless applications, is how their event-driven nature makes it difficult to analyze them (security-wise). Again, I compare serverless apps to monolithic apps. I claim that human beings are geared towards linear flow (one thing leads to another in a well prescribed manner), which is what most traditional applications implement. Serverless applications, however, are event-driven by nature, which means they are invoked by an event, and they can submit/deposit their own event(s) and die. The thing is, understanding what potential events they need to handle, what other lambdas produced them, in response to which events that happens, etc. soon becomes mind boggling, even for a modest-sized application. This is why I expect that large serverless applications will exhibit logical security flaws due to "unexpected" sequences of events that can be forced upon the application by an attacker.
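To make the two points above concrete (the earlier answer's observation that monitoring every service/lambda invocation yields the execution flow, and this answer's concern about unexpected event sequences), here is an added example that is not part of the interview: it parses constructed invocation log lines, rebuilds the producer/consumer graph of events, and flags any invocation triggered by an event that no logged invocation ever emitted for that record key. The log format, field names, function names and event names are all assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed invocation records (sample data, not from the interview): one
# JSON line per lambda run, as a hypothetical invocation-logging layer might emit.
LOG_LINES = [
    '{"ts": 1, "fn": "create_order", "trigger": "http.post", "key": "o1", "emits": ["order.created"]}',
    '{"ts": 2, "fn": "charge", "trigger": "order.created", "key": "o1", "emits": ["payment.confirmed"]}',
    '{"ts": 3, "fn": "ship", "trigger": "payment.confirmed", "key": "o1", "emits": ["order.shipped"]}',
    '{"ts": 4, "fn": "create_order", "trigger": "http.post", "key": "o2", "emits": ["order.created"]}',
    '{"ts": 5, "fn": "ship", "trigger": "payment.confirmed", "key": "o2", "emits": ["order.shipped"]}',
]

# Events that legitimately enter the system from outside (assumed for the example).
EXTERNAL_EVENTS = {"http.post"}


def parse_log(lines):
    """Parse JSON log lines and order them by timestamp."""
    return sorted((json.loads(line) for line in lines), key=lambda r: r["ts"])


def build_flow_graph(records):
    """Map each event name to the functions that produce it and consume it."""
    graph = defaultdict(lambda: {"producers": set(), "consumers": set()})
    for r in records:
        graph[r["trigger"]]["consumers"].add(r["fn"])
        for ev in r["emits"]:
            graph[ev]["producers"].add(r["fn"])
    return dict(graph)


def find_unexpected_triggers(records):
    """Flag invocations whose trigger event was never emitted for that key."""
    seen = defaultdict(set)  # key -> events emitted so far for that key
    findings = []
    for r in records:
        trig, key = r["trigger"], r["key"]
        if trig not in EXTERNAL_EVENTS and trig not in seen[key]:
            findings.append((r["ts"], r["fn"], trig, key))
        seen[key].update(r["emits"])
    return findings


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    for ev, io in sorted(build_flow_graph(recs).items()):
        print(f"{ev}: producers={sorted(io['producers'])} consumers={sorted(io['consumers'])}")
    for finding in find_unexpected_triggers(recs):
        print("unexpected trigger (ts, fn, event, key):", finding)
```

In the sample data the second order is shipped on a payment.confirmed event that no logged invocation produced, which is exactly the kind of forced sequence the answer describes.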