Chapter 2. Introduction to Serverless Security

At its core, serverless moves significant responsibilities from the application owner to the platform, including some important security responsibilities. The platforms, in turn, tend to be pretty good at handling these infrastructure-related security concerns, given that it’s their core competency! More precisely, they tend to be better at it than a typical application owner.

And so, the end result is a positive one—serverless naturally improves security, by moving certain security concerns to be handled by the platform pros. Let’s now review three primary areas in which serverless makes security easier—or rather, better.

Patching Operating System Dependencies

Operating systems are extensible entities, allowing users to install utilities and binaries in a variety of ways. Examples vary greatly, from installing a Secure Shell (SSH) client via apt on an Ubuntu machine, through downloading a cURL binary manually to your Red Hat server, to installing a full database via a dedicated installer on a Windows machine. These components are in turn used by the applications or systems administrators and are referred to as operating system (OS) dependencies.

OS dependencies offer great functionality, but they need some tender love and care. Over time, maintainers, researchers, and attackers discover security flaws in these dependencies, which are also known as vulnerabilities. These security holes are then fixed (more often than not), and a ...

Get Serverless Security now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.