What Is Serverless Security?

Serverless security is the set of practices, programs, and technologies that organizations deploy to protect serverless computing architecture. In serverless computing, DevOps teams can write and deploy applications in cloud-native frameworks where the servers are managed by a cloud services provider. A serverless architecture allows developers to remain focused on writing code while the cloud provider is responsible for provisioning and maintaining the servers used for application development. Serverless security requires a shift in the way organizations view application security, and a fresh approach to controlling access and protecting data and functions.

Serverless architecture is a cloud computing model that enables organizations and software development teams to build and run applications without worrying about managing the back-end services and underlying server infrastructure. While serverless architecture still uses servers, the server and infrastructure management is performed by a cloud services provider. This allows developers to focus more time and energy on releasing applications and services faster. Serverless computing allows organizations to access back-end services on an as-needed basis, paying only for the amount of resources they use.

• Injection. Event data injection happens when unreliable input is delivered straight to an interpreter for execution or evaluation without determining if the input is malicious.
• Overprivileged functions. Because each function in a serverless application has its own roles and permissions, serverless applications are often granted excessive privileges that may be compromised by malicious actors.
• Misconfiguration. When settings in a serverless framework are not properly configured, the environment may be subject to denial-of-service attacks.
• Broken authentication. Broken authentication allows attackers to exploit weaknesses in authentication mechanisms to gain unauthorized access to a serverless application, potentially leading to data breaches, identity theft, or session hijacking.
• Insecure code. When code is not secure, it may introduce vulnerabilities that hackers can exploit to compromise the availability, integrity, or confidentiality of serverless applications and data.
• Larger attack surfaces. A serverless framework encompasses a variety of input and event sources, including HTTP, APIs, IoT device connections, and cloud storage. Because some aspects of these sources may contain untrusted message formats, the size of the attack surface can be significantly expanded.
• Dependencies. Third-party dependencies introduce risk by creating a larger attack surface that’s beyond an organization’s control. These may include dependencies on libraries, frameworks, or modules that, when exploited by an attacker, may provide access to sensitive data or resources.

Additional top threats as identified by the Open Worldwide Application Security Project (OWASP) include:

• Insecure Serverless Deployment Configuration
• Inadequate Function Monitoring and Logging
• Insecure Application Secrets Storage
• Denial of Service & Financial Resource Exhaustion
• Serverless Business Logic Manipulation
• Improper Exception Handling and Verbose Error Messages
• Obsolete Functions, Cloud Resources and Event Triggers
• Cross-Execution Data Persistency

A move to serverless architecture requires a corresponding shift in how cybersecurity teams think about cloud security and application security. Traditional tools like firewalls, intrusion detection systems, or runtime application self-protection (RASP) are of little help in protecting an application that consists of a variety of distributed cloud services.

• Maintaining strong access control through identity and access management (IAM). IT teams must use strong passwords and maintain least-privilege access for all serverless functions and other services. Users, applications, and processes should only be granted the absolute minimum permission required to perform a task. For instance, when an AWS Lambda function requests access to a DynamoDB table, it must be granted permission only to perform the specific tasks required by the business logic, rather than being granted broad access to the service environment. Additionally, the practice of least privilege should also apply to users.
• Scanning for vulnerabilities. Frequent and regular scans for configuration errors, overly permissive roles, and third-party dependencies can help to ensure the security of serverless applications.
• Using runtime protection. Runtime protection can help IT teams uncover malicious event inputs and limit the ability of each function to access files, hosts, and the internet.
• Encrypting data in transit and at rest. Encrypting sensitive data ensures that data in transit cannot be intercepted or read by unauthorized users. Encrypting data at rest protects data from authorized access by attackers or insiders with access to databases and storage systems.
• Monitoring and logging functions. Real-time monitoring can help IT teams quickly detect anomalies and suspicious activity in a serverless environment where components scale and react to events dynamically. By keeping a centralized log of activity, teams can aggregate logs from different sources to streamline incident response and trace the origin and nature of threats.
• Deploying an API gateway. As a reverse proxy, an API gateway provides extra security defenses by creating distinct separation between users and functions.
• Creating timeouts for functions. By setting a timeout limit for functions, IT teams can stop malicious actors from executing denial-of-service attacks or exploiting vulnerabilities. Timeouts can also prevent other security problems like memory leaks and infinite loops.
• Looking beyond web security solutions and web application firewall protection. Since web application firewalls (WAFs) only inspect web traffic, this technology can’t protect against event trigger types like notifications from IoT devices, code modifications, database changes, or cloud storage events.