Serverless software is one of the most innovative modern software development trends. Serverless architectures allow your team to focus on what matters by taking back-end server management off of your hands. Platform architectures such as Akka Serverless put your focus entirely on end-user experience, minimizing overhead and heightening client satisfaction.
However, the shift in responsibility means that your current security best practices need some adjustment. Because someone else will manage the physical servers where you store your data, a security refresher in traditional vs. serverless is necessary. Here are six serverless security best practices to live by as you make the transition.
Automate vulnerability scanning and tracking
Not fixing vulnerabilities leaves your vital systems open to attack, and that includes your serverless functions. Attackers will shift their focus to vulnerabilities in your serverless code, configuration, and software supply chain.
A continuous security validation and mitigation process offers insight into building and configuring resilient software. It also helps you secure the CI/CD pipeline against known code and configuration vulnerabilities.
Rely on more than WAF protection
A Web Application Firewall (WAF) only inspects HTTP traffic, so it can only cover functions reached through an HTTP front end such as an API Gateway, not functions fired by other event trigger types. A WAF is no help at all when functions are invoked by event sources such as stream data processing or notifications.
Having WAF protection is still critical. But it should not be your only line of defense for serverless applications. Incorporate several layers of redundancy into your security practices for best results.
Create suitable but minimal roles for each function
Serverless architecture tends to multiply the number of resources that act on others and are acted upon. Adopt a single, dedicated role for each function rather than granting hundreds of permissions in each direction; attackers can turn excessive permissions into vulnerabilities.
Instead, create IAM policies that follow the principle of least privilege. For instance, a function that reads items from a DynamoDB table should have read access and nothing more.
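The two practices above (automated scanning in the CI/CD pipeline, and one minimal role per function) can be combined into a policy linter that runs on every commit. The following is an added example written for this page, not code from the original article or from any serverless platform. It lints IAM policy documents for wildcard actions, wildcard resources and NotAction/NotResource grants, and compares a constructed over-permissive policy with a constructed least-privilege policy for a DynamoDB reader; the account id, region, table and log-group names are placeholders.

```python
import json

# Constructed sample: the kind of over-permissive policy the text warns about
# (wildcard actions on wildcard resources, far more than a table reader needs).
OVER_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*", "logs:CreateLogStream"], "Resource": "*"},
    ],
})

# Constructed sample: a least-privilege policy for a function that only reads
# one table and writes its own logs. Account id, region and names are placeholders.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-reader:*",
        },
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_excessive_permissions(policy_json):
    """Return (statement index, reason) findings for every Allow statement that
    grants more than a specific action on a specific resource."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # Any wildcard in an action name ("*", "s3:*", "dynamodb:Get*") widens the grant.
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((idx, f"wildcard action {action!r}"))
        # A bare "*" resource lets the action apply to every resource in the account.
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "wildcard resource '*'"))
        # NotAction/NotResource allow everything except the listed items.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "NotAction/NotResource grants everything not listed"))
    return findings


def policy_passes_gate(policy_json):
    """CI/CD gate: a policy is acceptable only when the linter reports nothing."""
    return not find_excessive_permissions(policy_json)


if __name__ == "__main__":
    for name, doc in [("over-permissive", OVER_PERMISSIVE_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        result = find_excessive_permissions(doc)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for idx, reason in result:
            print(f"  statement[{idx}]: {reason}")
```

Wired into the pipeline as a failing check, `policy_passes_gate` stops an over-permissive role from being deployed in the first place; the per-statement findings tell the developer exactly which action or resource to narrow.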
Manage application dependencies
Traditional patch management does not apply to serverless instances, but you still need to ensure that the dependencies in your application are up to date and secure. Use tools that automate dependency checking so you never rely on vulnerable components.
Some applications rely on licensed components or third-party services. Create a security questionnaire to ensure these resources meet your security requirements, and audit and review their security status regularly.
Secure the software development lifecycle
Your Software Development Lifecycle (SDLC) defines how an application is built, how it is managed through its lifecycle, and how the development process is streamlined. Insecure applications, however, pose enormous business risks: vulnerable apps can lead to loss of personal data and irreparable damage to business reputation.
Unfortunately, security-related activities are often carried out only in the testing phase, late in the SDLC. This approach is flawed: a bug found at that stage can cost up to six times more to fix than one identified during the design phase, and the business risk grows accordingly.
Integrating security during development ensures that authorization is designed in and that the serverless application works as intended. It also means continuously reviewing the application for weaknesses and making sure it fits your security practices.
Time out functions
Setting a tight runtime profile for your functions is vital, but keep in mind that choosing appropriate serverless function timeouts is not always intuitive. The right maximum duration depends on the specific function.
Configure the timeout around what the function is expected to need rather than the platform's actual maximum. Developers usually set the timeout to the maximum allowed, since unused time costs nothing, but that becomes an enormous security risk if an attacker manages to inject code.
The attacker then has more time to do damage. A shorter timeout forces more attacks, which makes the attack more visible. Shrinking what a function does and how long it runs is a serverless security best practice.
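To make the "expected versus actual timeout" idea concrete, the following is an added example written for this page, not code from the original article or from any serverless platform. It sizes the platform timeout from the function's observed duration, and inside the handler enforces an internal budget derived from the remaining platform time so that an overrun is cut off early and reported as a structured result rather than silently killed. The context object is assumed to expose `get_remaining_time_in_millis()`, as the AWS Lambda context does; `FakeContext`, `FakeClock`, `SAFETY_MARGIN_MS` and the step counts are constructed for offline runs.

```python
import math
import time


class BudgetExceeded(Exception):
    """Raised when the function's own deadline passes before all steps finish."""

    def __init__(self, completed, total, elapsed_ms):
        super().__init__(f"stopped after {completed} of {total} steps at {elapsed_ms:.0f} ms")
        self.completed = completed


def recommended_timeout_seconds(observed_p99_ms, headroom=2.0):
    """Size the platform timeout from what the function actually needs (its
    observed p99 duration times a headroom factor), not from the platform maximum."""
    return math.ceil(observed_p99_ms * headroom / 1000)


def run_with_budget(steps, budget_ms, clock=time.monotonic):
    """Run callables in order, checking the deadline before each one.
    Returns the list of step results, or raises BudgetExceeded."""
    start = clock()
    results = []
    for step in steps:
        elapsed_ms = (clock() - start) * 1000
        if elapsed_ms >= budget_ms:
            raise BudgetExceeded(len(results), len(steps), elapsed_ms)
        results.append(step())
    return results


SAFETY_MARGIN_MS = 30  # constructed: time kept back to report a partial result


def handler(event, context, clock=time.monotonic):
    """Function entry point. Derives an internal budget from the remaining platform
    time (assumed context.get_remaining_time_in_millis(), as on AWS Lambda) so a
    timeout surfaces as a logged, structured result instead of a silent kill."""
    steps = [lambda: "done"] * int(event.get("steps", 1))
    budget_ms = context.get_remaining_time_in_millis() - SAFETY_MARGIN_MS
    try:
        results = run_with_budget(steps, budget_ms, clock)
        return {"status": "ok", "completed": len(results)}
    except BudgetExceeded as exc:
        print(f"budget exceeded: {exc}")  # lands in the function's logs
        return {"status": "partial", "completed": exc.completed}


class FakeContext:
    """Constructed stand-in for the platform context object, for offline runs."""

    def __init__(self, remaining_ms):
        self._remaining_ms = remaining_ms

    def get_remaining_time_in_millis(self):
        return self._remaining_ms


class FakeClock:
    """Constructed clock that advances a fixed number of ms on every reading,
    so the budget check is deterministic."""

    def __init__(self, step_ms):
        self._now = 0.0
        self._step = step_ms / 1000

    def __call__(self):
        now = self._now
        self._now += self._step
        return now


if __name__ == "__main__":
    print("platform timeout for a p99 of 800 ms:", recommended_timeout_seconds(800), "s")
    print(handler({"steps": 3}, FakeContext(130), clock=FakeClock(30)))
    print(handler({"steps": 5}, FakeContext(130), clock=FakeClock(30)))
```

The deadline check sits between steps rather than inside them, so an overrun is caught at the next boundary; with `FakeClock(30)` and 130 ms remaining, five steps stop after three and the handler returns a `partial` result that monitoring can alert on, which is the visibility the text argues a short timeout buys.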
These serverless security best practices will help establish a sturdy, secure foundation for your applications and can be leveraged as part of your more extensive security program.
These practices reflect the need to blend traditional tools and methods with new controls and processes. Security measures like these are the foundation of a robust security program for your new serverless setup.