Chapter 2. Introduction to Serverless Security
At its core, serverless moves significant responsibilities from the application owner to the platform, including some important security responsibilities. The platforms, in turn, tend to be pretty good at handling these infrastructure-related security concerns, given that it’s their core competency! More precisely, they tend to be better at it than a typical application owner.
And so, the end result is a positive one—serverless naturally improves security, by moving certain security concerns to be handled by the platform pros. Let’s now review three primary areas in which serverless makes security easier—or rather, better.
Patching Operating System Dependencies
Operating systems are extensible entities, allowing users to install utilities and binaries in a variety of ways. Examples vary greatly, from installing a Secure Shell (SSH) client via apt on an Ubuntu machine, through downloading a cURL binary manually to your Red Hat server, to installing a full database via a dedicated installer on a Windows machine. These components are in turn used by applications or by system administrators, and are referred to as operating system (OS) dependencies.
OS dependencies offer great functionality, but they need some tender love and care. Over time, maintainers, researchers, and attackers discover security flaws in these dependencies, which are also known as vulnerabilities. These security holes are then fixed (more often than not), and a ...