book

Serverless Security

by Guy Podjarny, Liran Tal

November 2019

Intermediate to advanced

63 pages

1h 21m

English

O'Reilly Media, Inc.

Read now

Unlock full access

The Evolution of Cloud NativeFrom Hardware to CloudContainersContainer OrchestrationServerless
Patching Operating System DependenciesSurviving Denial of Service AttacksNo More Long-Lived Compromised Servers
Code VulnerabilitiesInjection FlawsTreat Every Function as a PerimeterSummary of Injection FlawsLibrary VulnerabilitiesWhat’s a Known Vulnerability?The Hidden Burden of Using Third-Party LibrariesSecuring Vulnerable Libraries at ScaleProactively Apply Security FixesKnow Your InventoryEliminate Vulnerabilities Before Functions Are DeployedDon’t Let Deployed Functions Lag BehindControls to Minimize Library VulnerabilitiesSummary of Library VulnerabilitiesAccess and PermissionsLeast-Privilege PrincipleIsolate FunctionsControls to Minimize Insecure Access and PermissionsSummary of Access and PermissionsData SecuritySecure and Verify Data in TransitManage Function Secrets in Secure StorageRotate Keys and Credentials RegularlyFunction Information ExposureControls to Mitigate Sensitive Data ExposureSummary of Data Security
Project SetupSetting Up an Azure Functions AccountDeploying the ProjectCode Injection Through Library VulnerabilitiesThe Severity of Third-Party Library VulnerabilitiesDeploying Mixed-Ownership Serverless FunctionsCircumventing Function Invocation AccessSummary of the Sample Application

Overview

Serverless is taking the cloud native world by storm. This new approach promises extraordinary value, from increased developer productivity to dramatic cost savings. In some aspects, serverless also boasts significant security advantages compared to the server model. But as this practical report explains, securing serverless still requires diligence from the developers and application security professionals involved in the process.

Guy Podjarny and Liran Tal from Snyk examine the significant benefits that serverless brings to application security, as well as the considerable risks involved when you configure a serverless system. You’ll also learn a platform-agnostic security model known as CLAD that will help you address Code vulnerabilities, Library vulnerabilities, Access and permissions, and Data security.

This report helps you:

Understand what serverless is and how this model evolved from cloud native processes
Explore the three primary areas where serverless improves security
Learn how the CLAD model provides four categories to help you home in on specific security issues
Follow a detailed example that demonstrates how poor security manifests in real-world serverless applications