Google Cloud Functions Security

Serverless technologies, such as Google Cloud Functions, can decrease cost and increase deployment velocity while alleviating the burdens of infrastructure management. However, as a new application development method, serverless brings new security and compliance requirements that are best addressed with a dedicated approach.

In addition to a dedicated serverless security solution, there are many best practices your organization can employ to reduce your attack surface and tackle Google Cloud Security issues.

Google Cloud Functions

Secure Application Dependencies

Google Cloud Functions often include dependencies brought in from repositories such as npm (Node.js), PyPI (Python), and Maven (Java). Securing application dependencies is crucial: access to an up-to-date vulnerability database and automated scanning tools are vital components of Cloud Functions security.

Make Securing Google Cloud Functions Everyone’s Problem

The traditional AppSec approach takes time and can slow things down, negating the serverless benefit of rapid feature deployment. Developers can’t possibly keep up with the hyper-accelerated velocity they themselves created if they need to wait on security to open ports, grant IAM roles, or adjust security groups for them. While security pros don’t want to get in the way of the developers, they still need the ability to control policy and maintain visibility.

The Shared Responsibility Model of DevSecOps

The solution is to make it everyone’s problem by creating cross-functional teams. Forge close partnerships and achieve tight integration between developers, DevOps, and AppSec. Find the balance where developers don’t own security, but they aren’t absolved from responsibility either. Collaborate and get security into your CI/CD pipeline so you can resolve security risks at the speed of serverless.

Observe Serverless Application Behavior and Detect Attacks

Discovering and visualizing the behavior and flow of your Google Compute Engine workloads can be challenging. Serverless infrastructure consists of code and a runtime environment, all interacting to generate billions of data points. It is important to understand normal application and function behavior in order to detect and stop application-layer attacks such as the Serverless OWASP Top 10. Effectively and promptly detecting attacks requires continuous monitoring that compiles application signals into information more useful than a list of 10,000 anomalies.

New Google Cloud Functions Security Issues Include Targets for Building Botnets

As shown in a video and detailed in a report, we built a prototype serverless botnet on the Google Compute Engine platform. However, this sort of attack can be carried out in more or less the same way on all private and public cloud infrastructures. The goal of this prototype is to demonstrate the viability of this approach and explore design choices that attackers might make. These insights help drive development of defenses for securing Google Cloud Functions.

Serverless Security Made Simple Presentation

Google Cloud Next 2019

In a world filled with security breaches making the front page of newspapers, how do you balance the velocity gains of serverless without compromising application security? In this talk, we’ll discuss common serverless threat models, as well as how you can use the tools provided in Google Cloud to secure your applications. We’ll dive deep into best practices for creating IP-based firewall rules, as well as how to configure Cloud IAM for least-privilege access. We’ll also talk about all the work GCP automatically does for you to keep your app secure.

Automate Google Cloud Function Security with Protego

The Protego Serverless Security Platform automates serverless application security from development to runtime. Protego Proact integrates into existing CI/CD processes to save developers and DevSecOps teams time by automating application hardening. Protego analyzes function code, detects configuration risks, and automatically generates least-privilege function permissions. Additionally, Protego continually scans functions for known vulnerabilities and embedded secrets, ensuring your applications are not exposed to attacks.

Protego Defend provides seamless runtime application security. Using deep learning algorithms, Protego builds a model of normal application and function behavior, including automatic creation of an allow list of actions at the resource level. Protego’s Function Self Protection detects, alerts on, and stops application-layer attacks such as the Serverless OWASP Top 10.

Sign-up for Google Cloud Function Security Beta

Protego is currently accepting registrants into the Google Cloud Functions beta program. The Protego Platform is generally available for AWS and is also accepting registrations for the Microsoft Azure Functions beta program. Sign up for our beta program and email updates to learn about new releases, as well as best practices you can apply today for Google Cloud Functions security.
