When you go serverless, you don’t have to worry about server security as you do with an application that runs on a server. But you and a serverless model will still have to work together to keep your app safe. Since it is a serverless architecture, you must use the best ways to protect and secure serverless apps. Organizations can do several things to ensure their serverless applications are secure, but here are ten of the most important ones.
Avoid Relying Exclusively on WAF Protection
Since application layer firewalls can only look at HTTP(s) traffic, a WAF will only protect functions triggered by an API Gateway. It won’t protect you from other types of event triggers, and it won’t help if your functions are triggered by different types of events, such as:
- Notifications (IoT, SMS, and Emails)
- Code adjustments (AWS CodeCommit)
- Changes to a database (AWS CosmosDB, Azure DynamoDB)
- Stream data analysis (AWS Kinesis)
- Events in the cloud storage (Azure Blob Storage, Google Cloud Storage, and AWS S3)
Use the Custom Function Permissions feature.
It is a fact that more than 90% of permissions in serverless apps are too high. Even though setting up permissions for serverless app function levels can be hard, you shouldn’t use a one-size-fits-all method. Setting policies and functions that allow more freedom is a popular serverless security mistake. If individual permissions and feature roles are not kept to a minimum, the attack surface is bigger than it should be.
Your DevSecOps team needs to meet with the developers who wrote the functions to discuss each one’s purpose and ensure it has the right permission level. Once you know what each function is for, you can make a permission policy and role for each function that fits its needs. The great news is that you can automate the process with several tools.
Perform a Code Audit.
Black Duck Software looked at 1,000 of the most common business applications and found that 96% use open-source software. The researchers also found that 60% of that software had security holes, some of which had been there for more than four years.
Because you can’t trust something that isn’t yours, this made code possession and authenticity a major security risk. It’s called “Poisoning the Well” because attackers use an upstream attack to make changes to your application last longer. Cloud-based applications have many libraries and modules, some others modules.
This is why a single serverless function may have thousands of lines of code from different sources. Attackers want to put their bad code into common projects, and once they’ve done that, they wait patiently for the newer version to take over their cloud apps. A code security audit is necessary if you want to improve AWS security.
Keep control of your functions.
Even though it sounds like a utopian dream, careful CI/CD can help make code less vulnerable to bugs. Malicious functions can get in several ways, such as when a bad employee uses them. Attackers usually go after developer desktops instead of the already running apps because that lets them put malicious functions in apps through normal channels.
These functions can cause trouble if they are put in without being noticed. To make sure this doesn’t happen, you must devise a strategy and policy to analyze the code during the build before it goes live and ensure that every function has been through CI/CD.
Monitor All Attack Indicators
Serverless architecture makes it harder to see what’s happening because it increases resources and information. This makes it more difficult for DevSecOps and security groups to make sense of all the information. As the number of features increases, it gets harder to tell if everything is working as it should.
Only a few hundred functions can create billions of events in your log daily, making it hard to tell which ones are important. Even if you know the attack patterns special to serverless apps, you can’t scan them. It would help if you had AI tools to improve serverless security, effectiveness, and visibility.
Set a timer for your functions.
All functions should have a tight runtime profile, but it’s not simple to figure out how to set the right timeouts for serverless functions. The function itself can set the maximum time a function can run. DevSecOps teams must consider the difference between the configured timeout and the actual timeout. Most activities related the timeout to the most time that can be used since the time that isn’t used doesn’t cost anything.
But this method could be a huge security risk because if an attacker can inject code, they have much more time to do damage. When timeouts are shorter, they can attack with greater frequency, called a “Groundhog Day” attack. However, this makes the attack more obvious. As a best practice for serverless security, you should stop your functions after a certain amount of time.
When deploying app modules, developers should remember that certain geographical factors could hurt serverless security. Code used in different places can cause problems with the code itself. In deployment settings, for example, a developer in New York uses the US-East-1 time zone, whereas a developer in Asia will use a completely different time zone.
In this case, the best way to deploy is to select a region or time zone that works well. You can also employ a safeguard when working with a serverless structure to avoid developing problems that come up out of the blue and to keep track of work dependencies.