For Securing a Serverless Infrastructure, ‘Start With the Basics’

Written by Alton Zenon III
Published on Aug. 04, 2020

By 2025, Gartner predicts that half of all global enterprises will use serverless computing. That statistic marks a 20 percent increase from adoption rates today. 

By going serverless, organizations gain virtually limitless scalability, along with reduced cost and time to market for building and integrating cloud-native applications. Despite these benefits, serverless architecture still raises many of the same security risks and challenges as on-premises servers, plus some threats of its own, such as Denial-of-Wallet attacks, over-privileged function permissions and insecure third-party software.

According to Michael Mosher, a director of information security and privacy, technologies can and will change, but when it comes to security, there’s no substitute for the basics. 

“The most important thing to remember is that serverless functions are still code,” Mosher said. “So the foundations of securing those functions start with the basics of secure coding.”

To that end, Mosher said engineers at OpenMarket, a text message campaign platform, focus on following secure coding practices, as well as reviewing and testing the code for flaws or vulnerabilities. Once the basics are covered, they turn to some of the nuances specific to cloud and serverless deployments, like secrets management and function attack surface. 


Michael Mosher
Director of Information Security and Privacy • Infobip

What best practices does your team follow to secure your serverless deployments?

Paying attention to how inputs are sanitized and ensuring least privilege — along with other secure coding practices — make sense regardless of how code is deployed and accessed. We also pay attention to how data is secured while it is being processed. Basic encryption at rest and in transit also makes sense in a serverless deployment. 

We review and test the code for flaws or vulnerabilities such as those listed in the Open Web Application Security Project (OWASP) Top 10 and the OWASP API Security Project. Finally, once the basics are taken care of, we can look at things that are more specific to cloud and serverless deployments, such as secrets management and function attack surface. 
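Over-privileged function permissions are one of the serverless-specific risks named earlier in the article, and "ensuring least privilege" is the first basic Mosher lists. The following is an added example, not code from the article or from OpenMarket/Infobip: a small structural check that a reviewer could run over a function's IAM policy document before deployment. The policy itself is constructed (the account id 123456789012 and the resource names are placeholders), and it assumes the AWS policy document shape, where Action, NotAction and Resource may each be a string or a list.

```python
import json

# Constructed sample policy attached to a serverless function; the account id
# and resource names are placeholders, not a real deployment.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example-fn:*"},
    {"Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM lets Action/NotAction/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overprivilege(policy):
    """Return findings for Allow statements that grant more than a function should need.

    The checks are deliberately conservative and purely structural:
      - wildcard actions ("*" or "service:*")
      - wildcard resources ("*")
      - Allow combined with NotAction, which grants every action except the listed ones
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append({"statement": idx, "issue": "wildcard_action", "value": action})
        if "NotAction" in stmt:
            findings.append({"statement": idx, "issue": "allow_with_notaction",
                             "value": _as_list(stmt["NotAction"])})
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append({"statement": idx, "issue": "wildcard_resource", "value": resource})
    return findings


def is_least_privilege(policy):
    """True when no statement trips any of the structural checks above."""
    return not find_overprivilege(policy)


if __name__ == "__main__":
    for f in find_overprivilege(SAMPLE_POLICY):
        print(f"statement {f['statement']}: {f['issue']} -> {f['value']}")
```

Run against the sample, the check flags the first statement (s3:* on every resource) and the last (Allow with NotAction on every resource), while the narrowly scoped log and table statements pass. A check like this belongs in the same review step as the code review, since the policy ships with the function.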

“There is no substitute for starting with the basics.”


How did you familiarize your devs with both the risks of serverless and the practices that can minimize them?

We start with the basics to ensure a good baseline knowledge and awareness of secure coding practices and web application vulnerabilities. We also have engineers trained in security threat modeling. That experience helps them identify their own potential threats related to how their applications are designed and deployed in serverless platforms. 

Many serverless computing platforms automatically scale as request volume increases. As a result, we had to ensure that our threat modeling incorporated Denial-of-Wallet scenarios where a malicious actor could repeatedly trigger a serverless function to cause excessive billing.
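The Denial-of-Wallet scenario above is the one place where autoscaling turns a plain flood of requests into a direct cost. The following is an added example, not code from the article or from OpenMarket/Infobip, of the kind of guard a threat model like that leads to: a handler that rejects invocations before doing any billable work once a single caller exceeds a per-window limit, and, as a second layer, once the function as a whole exceeds an invocation budget for the billing window. The event shape, the x-api-key header used as the caller identity, and the limits are all constructed assumptions; the time value is passed in explicitly so the burst can be replayed deterministically.

```python
from collections import defaultdict, deque


class DenialOfWalletGuard:
    """Rejects invocations once a caller, or the whole function, exceeds its window cap.

    ``now`` is injected on every call so behaviour is deterministic here; a
    deployed function would pass time.monotonic(). State is in-process for
    illustration only: across many concurrent instances it would have to live
    in a shared store keyed the same way.
    """

    def __init__(self, per_caller_limit, caller_window_s, budget_limit, budget_window_s):
        self.per_caller_limit = per_caller_limit
        self.caller_window_s = caller_window_s
        self.budget_limit = budget_limit
        self.budget_window_s = budget_window_s
        self._caller_hits = defaultdict(deque)  # caller_id -> accepted timestamps
        self._all_hits = deque()                # every accepted invocation

    @staticmethod
    def _trim(hits, now, window):
        # Drop timestamps that have aged out of the sliding window.
        while hits and now - hits[0] >= window:
            hits.popleft()

    def check(self, caller_id, now):
        """Return (allowed, reason); a hit is recorded only when allowed."""
        caller_hits = self._caller_hits[caller_id]
        self._trim(caller_hits, now, self.caller_window_s)
        self._trim(self._all_hits, now, self.budget_window_s)
        if len(caller_hits) >= self.per_caller_limit:
            return False, "caller_rate_limited"
        if len(self._all_hits) >= self.budget_limit:
            return False, "budget_exhausted"
        caller_hits.append(now)
        self._all_hits.append(now)
        return True, "ok"


# Constructed limits: 5 calls per caller per second, 50 calls per minute overall.
GUARD = DenialOfWalletGuard(per_caller_limit=5, caller_window_s=1.0,
                            budget_limit=50, budget_window_s=60.0)


def handler(event, now, guard=GUARD):
    """Serverless-style entry point over a constructed HTTP-trigger event shape.

    The hypothetical x-api-key header stands in for whatever identity the
    platform has already authenticated before the function runs.
    """
    caller = event.get("headers", {}).get("x-api-key", "anonymous")
    allowed, reason = guard.check(caller, now)
    if not allowed:
        # Reject before any billable work; the reason is returned so it can be
        # logged and alerted on, which is how a burst gets noticed.
        return {"statusCode": 429, "body": reason}
    return {"statusCode": 200, "body": "processed"}


def simulate(guard):
    """Replay a constructed burst: one abusive key firing 30 requests inside
    a third of a second, followed by 60 distinct keys each sending one request.
    Returns a count of outcomes by response body."""
    outcomes = defaultdict(int)
    for i in range(30):
        resp = handler({"headers": {"x-api-key": "abusive-key"}}, now=0.01 * i, guard=guard)
        outcomes[resp["body"]] += 1
    for i in range(60):
        resp = handler({"headers": {"x-api-key": f"client-{i}"}}, now=0.5 + 0.001 * i, guard=guard)
        outcomes[resp["body"]] += 1
    return dict(outcomes)


if __name__ == "__main__":
    print(simulate(DenialOfWalletGuard(5, 1.0, 50, 60.0)))
```

In the replay, the abusive key gets five invocations through and is then rate limited; the distributed wave of single requests stays under the per-caller limit, so it is the global budget that stops it after the window's fiftieth accepted call. The per-caller limit is what makes the response proportionate, and the budget is what bounds the bill when the traffic is spread across many identities.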

What advice do you have for other engineers concerned about serverless security risks?

At the risk of sounding like a broken record, there is no substitute for starting with the basics. Make sure that the code you deploy is secure at every point: from design, through coding and testing, to deployment.

Out of that whole lifecycle, the unique aspects of a serverless architecture really show up in the design and deployment. Secure coding and security testing change very little from traditional web apps, and yet that is where teams will spend a significant amount of effort. To address what’s unique, a platform provider almost certainly has guidelines for how to best use their platforms securely. They have tools to manage and monitor the security of serverless functions. 

There are also a number of traditional security platform providers adapting their products to be more cloud-native and cloud-aware so they can handle the unique aspects of serverless architectures. Some of those adaptations include web application firewalls, intrusion detection systems and security event and information management platforms.

Responses have been edited for length and clarity. Images via listed companies.
