Security Consultant, Application Security
Kat Cummings is a security consultant for Optiv’s application security team. In this role she specializes in code review and cloud security.
Five Application Security Best Practices for Serverless Applications
Serverless architecture enables applications to be developed and deployed without management of the underlying host or operating system. Instead of a traditional host, serverless applications run on abstract serverless platforms which are managed by cloud providers. This architecture offers advantages over other architectures, such as scalability, but also has its own unique security risks. The following best practices will help ensure these applications are properly secured:
1. Authentication and Authorization
Proper authentication and authorization controls ensure that functionality and resources are protected against unauthorized access. Serverless applications are decentralized, so it’s important to ensure that each application or service is making the proper checks. If applications are accessed from multiple sources such as mobile apps or web browsers, this can result in redundant checks and additional complexity, and the checks may use different authentication mechanisms.
A common solution to this issue is the use of an API gateway, which manages authentication and authorization for the serverless applications behind it. Each request to a serverless application will first be validated by the gateway. Validated requests, including relevant authorization information, will be sent to backend applications for processing, while unauthenticated or unauthorized requests will be rejected by the gateway.
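The gateway flow described above, as an added example that is not code from the original article or from any cloud provider's API: one enforcement point verifies a signed, expiring token, checks the scope required by the route, and forwards the verified claims to the backend function. The token format, route table, function names and demo key are all constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; assumption: a real deployment loads it from the provider's secret manager.
SECRET = b"constructed-demo-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def issue_token(sub, scopes, ttl=300, now=None):
    """Stand-in for the identity provider: signed claims with an expiry."""
    claims = {"sub": sub, "scopes": scopes, "exp": (now or time.time()) + ttl}
    payload = _b64(json.dumps(claims).encode())
    return f"{payload}.{_sign(payload)}"

def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except ValueError:
        return None
    return claims if claims["exp"] > (now or time.time()) else None

# Hypothetical backend functions: they trust only the auth context the gateway attaches.
def list_orders(event):
    return {"status": 200, "body": f"orders for {event['auth']['sub']}"}

def delete_order(event):
    return {"status": 200, "body": f"order deleted by {event['auth']['sub']}"}

ROUTES = {"/orders": (list_orders, "orders:read"),
          "/orders/delete": (delete_order, "orders:write")}

def gateway(request, now=None):
    """Single enforcement point: authenticate, authorize, then forward."""
    header = request.get("headers", {}).get("Authorization", "")
    claims = verify_token(header[7:], now) if header.startswith("Bearer ") else None
    if claims is None:
        return {"status": 401, "body": "unauthenticated"}
    route = ROUTES.get(request.get("path"))
    if route is None:
        return {"status": 404, "body": "not found"}
    backend, required_scope = route
    if required_scope not in claims["scopes"]:
        return {"status": 403, "body": "forbidden"}
    return backend({"path": request["path"], "auth": claims})
```

Because the backend functions rely entirely on the forwarded auth context, they must be reachable only through the gateway, which ties this control to the network restrictions in the least privilege practice below.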
2. Least Privilege Permissions
The rule of least privilege limits the risk to data and systems in case of a compromised application. Applications commonly access resources such as databases, file storage, and external systems and applications. Restrict application permissions and access (including network access) to the minimum required for the application, and monitor for unauthorized requests for resources.
3. Cloud Native Controls
Serverless applications are by nature closely integrated with the cloud as a platform. This allows access to cloud provider security controls, which should be used when possible. Cloud providers often offer functionality such as secret management, resource permission policies, and logging. This functionality takes advantage of integration with the platform and reduces the friction of using security controls.
4. Manage Dependencies and Third-Party Services
Traditional patch management is not relevant for serverless application instances. However, it is important to ensure that any dependencies used by the application are secure and up to date. Take advantage of tools that automate the process of checking these dependencies to ensure applications are not using vulnerable components.
If an application leverages third-party services or licensed components, use a security questionnaire to ensure these resources meet necessary security requirements. Audit and review security status on a scheduled basis.
5. Secure Software Development Life Cycle
Application vulnerabilities identified after release are costly to remediate. It’s vital that applications are developed with a secure software development life cycle (SDLC). A secure SDLC integrates security into all phases of the lifecycle through processes such as design review, automated static and dynamic testing tools, and manual security testing.
These best practices establish a strong security baseline for serverless applications, which can be leveraged as part of a larger application security program. Together, they reflect the need for a blend of traditional methods and tools, as well as new processes and controls. This is a requirement of a robust cloud application security program, of which serverless applications are just a part.