We have heard the benefits of why companies are moving to serverless: zero administration, automatic scaling, and pay-for-use consumption models. But where and how does security play a role in serverless computing services, how has it evolved, and what considerations should be put into place to address these differences?
When deploying serverless computing services, it is critical to first understand the shared responsibility model as it relates to serverless computing services. For instance, the application owner still owns the responsibility of securing the application itself, including the data and access controls, and the cloud provider has responsibility for securing the operating systems hosting those applications. As a reference, please refer to the shared responsibility model diagram provided by AWS in a recent webinar:
There is a distinct delineation in responsibilities between the cloud provider and the customer, and it is important to understand the attack vectors to ensure secure serverless computing deployments for the areas within your responsibility. Risks can come in various forms, such as over-permissioned functions, long function timeouts, the number of functions and their complexity, deficient testing in development, and lack of monitoring during runtime. To summarize some of those risks, here is a list of serverless computing security risks identified in the OWASP Serverless Top 10:
There is a lot here to consider, and while developers are responsible for the code they produce, it is important to outline some serverless computing best-practice tips that enhance serverless security.
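Two of the risks named above, over-permissioned functions and long function timeouts, are visible in a function's configuration before it ever runs. The following audit script is an added example written for this article, not code from AWS or the OWASP project; the configuration format, the 30-second timeout threshold, and the two sample functions are constructed for illustration.

```python
"""Audit a Lambda-style function configuration for over-permissioned
execution roles and long timeouts. The configuration layout, threshold and
sample data below are constructed for this example, not an AWS format."""
import json

MAX_TIMEOUT_SECONDS = 30  # assumed organisational threshold, not an AWS default


def policy_findings(policy: dict) -> list:
    """Return findings for Allow statements that use wildcard actions or resources."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            # "*" grants everything; "service:*" grants every action of one service
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action!r}")
        if actions and any(r == "*" for r in resources):
            findings.append("wildcard resource '*'")
    return findings


def audit_function(config: dict) -> dict:
    """Combine role-policy findings with a timeout check for one function."""
    findings = policy_findings(config["role_policy"])
    if config["timeout"] > MAX_TIMEOUT_SECONDS:
        findings.append(f"timeout {config['timeout']}s exceeds {MAX_TIMEOUT_SECONDS}s")
    return {"function": config["name"], "findings": findings}


# Constructed sample: one over-permissioned function with a long timeout,
# one scoped to a single table with a short timeout (account id is a placeholder).
SAMPLE_CONFIGS = [
    {"name": "order-processor", "timeout": 900,
     "role_policy": {"Statement": [{"Effect": "Allow", "Action": "dynamodb:*",
                                    "Resource": "*"}]}},
    {"name": "order-lookup", "timeout": 10,
     "role_policy": {"Statement": [{"Effect": "Allow", "Action": ["dynamodb:GetItem"],
                                    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]}},
]

if __name__ == "__main__":
    for cfg in SAMPLE_CONFIGS:
        print(json.dumps(audit_function(cfg), indent=2))
```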
Serverless computing is an excellent solution for organizations, and the security challenges are no different than with traditional AppSec, they just need a different perspective on how they are addressed. For more information, check out this article on AWS Lambda Security Best Practices.