Integrate Serverless Security for Runtime Apps Solution Engineer
The serverless paradigm offers solutions to application building and deployment without the challenges of infrastructure management. Organizations no longer need to perform capacity planning of any kind, like figuring out the necessary amounts of CPU, memory, disk, and database storage. A serverless offering from a cloud service provider handles these, ensuring rapid time-to-market. Product teams only need to focus on developing applications with the following characteristics:
- Stateless: serverless applications serve every user request from a new application instance. The application must be stateless in all respects. It can’t rely on any disk persistence or previously served in-memory values
- Ephemeral: serverless applications are not long-lived. An incoming request creates an application instance. Post-request handling destroys this
- Event-processing: events from other components in the ecosystem like HTTP requests, database entries, or inbound message notifications trigger serverless workflows. Often this is across the complete enterprise stack
As mentioned, Serverless providers have developed products to support diverse needs from web development to data analysis. They provide computing services like AWS Lambda, Google Cloud Functions, and Azure Functions. They also offer storage services like S3, DynamoDB, and routing services like application programming interface (API) gateways.
Application Security
Since organizations that predominately consume serverless architecture are no longer maintaining infrastructure, they need to adjust their focus from infrastructure security practices. This includes things like patch management, firewalls, and network security. But this doesn’t mean the applications are inherently safe on the serverless platform. Instead, the security focus shifts from infrastructure to application runtime protection.
Research by Cloud Security Alliance found that serverless architectures are prone to application code and configuration security risks. A typical serverless application consists of many deployed functions, with each function supporting a single feature. This is different from a web application having a single service offering many features. So, the surface area of attack on a serverless application is considerably more than a single web application.
Serverless architecture needs a novel approach to handling security. Effective serverless security focuses on the following practices:
- Access control: Cloud best practices use the principle of least privilege for executing serverless applications. This means providing the minimum required permissions to a function for accessing other services. For example, if an AWS Lambda function must access a DynamoDB table, we must make sure it can only perform the specific action the business logic requires.
- Secure coding: OWASP technology uses an agnostic practice of developing secure code.
- Vulnerability scanning: This periodically scans application code and configuration to determine any vulnerabilities in its dependencies or configuration.
- Behavior protection: This determines malicious events using application behavior mapping.
Trend Micro provides runtime application self-protection (RASP) as a solution for application behavior analysis and protection. In this article, we’ll see how to protect serverless applications by using RASP. To follow along, make sure you have access to Amazon Web Services (AWS).
Application Deployment
We are going to deploy the Serverless-Goat application provided by OWASP. The application consists of the following Lambda functions:
- Frontend: This function serves as a static HTML page as an application user interface.
- Convert: This function downloads an HTTP page using the curl command and uploads it to an S3 bucket.
First, log on to the AWS Management Console and access the Lambda dashboard. You can deploy the Lambda function by clicking Create Lambda.
Read More HERE