Security Considerations and Best Practices for Securing Serverless Architecture

Serverless computing simplifies the process to build agile applications with the flexibility to use it in conjunction with micro-services, which have transformed the way organizations approach the application build cycle. Besides, excessive hype related to serverless via microservices has pushed the industry to adopt a binary approach to application decomposition (all microservices or none) rather than adopting a more pragmatic and risk effective multi-grained service model.

A serverless service primarily uses a deployment infrastructure that abstracts or hides any concept of servers (i.e. reserved or preallocated resources) physical or virtual hosts, or containers. The deployment infrastructure can be a utility also operated by a public cloud provider.

The underlying infrastructure takes the service’s code and executes it and subscribers are charged for each request based on the resources consumed. It can typically use either containers, Kubernetes, or leverage virtual machines to isolate the service. However, these details are abstracted.

Some key characteristics of serverless deployment include:

1. It uses certain events as triggers to deploy a program and principally use platform services​.
2. The services are written using a variety of languages, frameworks, and framework versions.
3. Each service consists of multiple service instances for throughput and availability.
4. Service must be independently deployable and scalable. 
5. Service instances need to be isolated from one another.

Regardless of the serverless model considered and growing awareness of securing the ecosystem, breaches continue to occur. This is primarily causing extensive adoption of serverless frameworks across the cloud and also incrementally widens the attack surface. Even though multiple security vendors are working to address the problem, the DevSecOps team needs to secure and ensure the serverless environment is not compromised.

Key Security Considerations with Serverless

Besides having decade-old injection-based vulnerabilities, OWASP related issues with applications, and over-privileged functional permission sets and roles, there are other sophisticated challenges that organizations face with serverless deployments. It profoundly requires a fundamental shift in how organizations look at application security.

With multiple serverless frameworks and deployment models available across cloud platforms, there are a plethora of configuration settings that allow subscribers to customize their environment to specific requirements. There have been multiple instances identified wherein, misconfigurations across cloud storage, web application firewall, network policies, segregation of trust zones, etc. are exploited to introduce vulnerabilities into the serverless ecosystem.

The key challenges which organizations face emerge due to decentralized view of serverless especially via deployment settings – per function-related permissions, lack of comprehensive secrets and key management lifecycle plan, and inadequate visibility due to lack of security events logging and monitoring.

Some of the other key challenges which we have remediated include:

1. Cyber attacks and data breaches involving poorly secured application programming interfaces (APIs) are occurring frequently. 
2. Protecting web APIs with general-purpose application security coding practices alone continues to be ineffective. Each new API represents an additional and potentially unique attack vector into your systems – and how the ingress/egress traffic flows from an architecture standpoint is crucial.
3. Application threat protection technologies are making progress but aren’t fully mature yet. They lack in areas, including automated discovery and API classification.
4. Modern application architecture trends — including mobile access, microservice design patterns, and hybrid on-premises/cloud usage — complicate security aspects since there is rarely a single “gateway” point at which protection can be enforced.

Securing the Workflows (Key Recommendations)

The following items illustrate the key actionable steps which we recommend organizations to focus on at minimum:

1. Discover your APIs before attackers discover them by analyzing mobile and web applications. You cannot secure what you cannot find or categorize. Quantify the threats by uncovering hidden APIs and documenting API usage.
2. Use a combination of API management and web application firewalls to protect the serverless environment, in conjunction with identity infrastructure. When these do not provide sufficient protection for the serverless environment and associated third-party APIs you have categorized as high risk, add another layer of security products/platforms to get visibility.
3. Adopt a continuous approach to security across the development and delivery cycle, designing security into the code. Include API security testing and the creation and application of reusable API security policies.
4. Use a distributed enforcement model to protect APIs across your entire architecture, not just at the perimeter.

We at WeSecureApp enforce the Prevention, Detection, and Mitigation (PDM) principle wherein, we emphasize organizations to conduct a threat modeling exercise and identify all the serverless workflows in place, before conforming to the following:

• Prevention: Assessing all the serverless environments for vulnerability analysis and understand what security controls to be put in the software and system security development lifecycle to prevent unnecessary exposures and hardening of the environment – from being unauthenticated, unauthorized access to non-compliant configurations.
• Detection: How fast can we know what kind of attack is in place or has been active within an environment. What APIs, version, application, and credentials are affected, and the level of impact.
• Mitigation: Once the attack is detected, how can it be remediated (auto-remediation vs enabling manual triggers), how fast it can be analyzed and patterned to be used as an input to the responsive security model.

There are many ways to get started depending on the needs, priorities, and maturity of a program, however, we have listed some of the must-haves to consider during the journey to secure the serverless ecosystem:

1. Secure SDLC – Security controls need to be integrated and automated into the software development lifecycle and require automation to reach the desired efficiency
2. Software Defects – Remediation of security defects across the application lifecycle is an on-going issue that requires continuous monitoring and automation
3. Continuous Monitoring – Given the reliance on applications to keep operations running, security in the development process cannot be an afterthought
4. Vulnerability Remediation – The need to remediate vulnerabilities identified at both scale and speed is critical to the success of a shift left security testing integration as a full-cycle 360 view program.