The Developer’s Guide to Serverless Security

Serverless computing brings a highly efficient way to deploy applications and run software on demand. Testament to that is the fact that serverless application adoption is increasing significantly over the years, with at least 1 in 5 organizations using FaaS (Function as a Service) in major Cloud providers such as Amazon, Azure & GCP.

While the cloud provider takes responsibility for the underlying infrastructure security in serverless applications, developers and ops teams have to ensure that proper security practices are followed for the application code, dependencies, and environment configurations.

While some challenges are common among both serverless and traditional applications such as vulnerabilities in code dependencies, others are unique to serverless applications due to their distributed nature. This blog will look into best practices for addressing those unique challenges and improving security when using serverless applications.

Limit and patch dependencies

Using a third-party library may be an easy way to speed up development for both serverless and traditional applications. However, using these libraries may introduce new security vulnerabilities to the application. Therefore, it is essential to use third-party libraries after proper evaluation.

If you are using third-party libraries in serverless applications, it’s important to follow strict guidelines when sourcing the library itself. The following criteria help to ensure that the libraries are reliable and safe in production applications:

1. Download and use libraries only from official sources.
2. Check for recent updates and security fixes; this indicates that the library is not dormant.
3. Check if the library is maintained regularly.
4. Try to stay away from crowdfunded libraries as security may not be its primary focus.
5. Check for reviews, ratings, and user feedback before selecting the library.
6. Check for any unresolved or open bugs and vulnerabilities in the library.
7. Only use the latest stable version of the library and avoid using pre-releases in production applications.

It is also crucial to keep a list of all the third-party libraries for every application with additional information such as the vendor, version, etc. This makes it easier to track and maintain the entire life cycle of each third-party library, from sourcing to retirement.

Besides, it is important to keep these libraries up to date and continuously test for vulnerabilities. One way to do this is by enabling automated updates for patches and minor updates of your libraries. This additional step in your build pipelines will help to enforce it by automating a periodic check-up after each build. This way, you can avoid the risk of critical vulnerabilities leaking into production.

Separate data from functions

Serverless applications use distributed components that communicate with each other, and this becomes a breeding ground for security misconfigurations to creep their way into the code or deployment.

One of the most common issues seen in serverless applications is sensitive information exposure. This may come in different forms, such as hard-coded credentials in the code or sensitive keys exposed due to misconfiguration. Therefore, the best method is to introduce a preventive measure that can scan and detect sensitive information that may be potentially hard-coded or publicly exposed.

You can use tools like Spectral to continuously scan and monitor known and unknown assets of an organization from the development stage to detect any of these common security holes. It also allows scanning GitHub, GitLab, Dockerhub, and other public assets to uncover security blind spots.

Make authentication harder to penetrate

Broken authentication has been identified as one of the most common security flaws in applications and listed in the OWASP Top 10 in 2017 through 2021. This vulnerability makes the application susceptible to attacks against authentication where an attacker can gain unauthorized access. These vulnerabilities vary from allowing credentials brute force attacks, allowing weak or default passwords, not validating session IDs, etc.

Resolving these issues may be a tedious task, but following these steps will help developers provide a solid foundation for securing their web applications:

1. Where possible, implement multi-factor authentication.
2. Implement weak password checks.
3. Introduce robust password management policies to govern password length, complexity, and rotation.
4. Implement failed login limits and alert of possible credential brute force attacks to the application administrators.
5. Implement IAM best practices into the DevOps process.

In addition, you could leverage serverless identity providers such as AWS Cognito, Azure B2C, and Auth0 that provide pluggable authentication solutions to your application.

Get in-depth visibility into all of the functions within your serverless applications

Monitoring tools allow developers to gain insights into performance, errors, and other key metrics that help resolve issues within the application. However, native tools that come with the cloud platform may not entirely cater to your monitoring needs.

For example, most of these tools are limited to monitoring and discovering security blind spots and shadow assets and mitigating potential supply chain risks. This is where a dedicated and specialized tool like Spectral gives an edge over the native monitoring tools.

Spectral allows developers to quickly gain in-depth visibility into potential vulnerabilities present within the code. By integrating your existing code repository, Spectral can detect common misconfigurations and vulnerabilities in minutes.

In addition, the product allows you to take detection to the next level by customizing the detection patterns, thus allowing you to detect organization or industry-specific sensitive information.

Gaining visibility over the security of all of your applications

It should be every developers’ goal to become comfortable with the current security postures of all of their applications. So developers need to consider a mixture of traditional security solutions and newer and more advanced solutions that are specifically designed to defend serverless applications.

If you’re aim is to stay on top of security loopholes with in-depth visibility that traditional security solutions fail to cover, while improving compliance with global standards such as GDPR and HIPAA, book a free demo to see how Spectral can help by being a part of your next big development project.