Chapter 3. CLAD Model for Serverless Security

Although serverless improves security in several ways, it does not make serverless applications impenetrable. Many security risks remain, and some are amplified by the way serverless applications are built.

These serverless-specific security concerns matter for two reasons:

  • They represent the areas you should focus on when building a security plan for serverless-based applications.

  • They are the areas attackers will target, because an application owner is far more likely to make a security mistake than the cloud platform is to prove insecure.

To capture these specific security areas and issues, we created the CLAD model for serverless security. The model groups the security concerns that apply to serverless into four categories, each of which should be addressed every time you write a function. The four categories are:

Code vulnerabilities

Security vulnerabilities introduced in the code you write for the function itself, as you build and deploy it.

Library vulnerabilities

Security vulnerabilities introduced by the third-party libraries and dependencies a function pulls in to avoid "reinventing the wheel"; the function inherits any flaw in those packages.

Access and permissions

The permissions a function is granted on the resources it needs in order to execute and do its work. These should be scoped to what the function actually uses; any permission beyond that becomes an attacker's reach if the function is compromised.

Data security

Your function will often need to access persistent data stores or handle transactions, so you need to ensure the security of that data as well.
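
The Access and permissions category is the one most easily checked mechanically before a function is deployed. The following is an added example, not code from the book or from any cloud vendor: it embeds two constructed AWS IAM policy documents for the same hypothetical function (one over-permissioned with wildcards, one scoped to the single DynamoDB table the function reads) and a small audit function that flags Allow statements granting wildcard actions or wildcard resources. The account ID, region and table name are made up.

```python
import json

# Constructed sample: a function that only needs to read one DynamoDB table,
# but was deployed with "do anything" grants. Hypothetical account and ARNs.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::*"},
    ],
}

# The same function scoped to what it actually does: read one table.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders",
        }
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_overbroad_statements(policy):
    """Audit an IAM policy document for Allow statements that grant more than
    a function should normally need.

    Flags:
      * wildcard actions: "*" or "<service>:*"
      * wildcard resources: "*" or an ARN whose final segment is "*"

    Returns a list of (statement_index, kind, value) tuples; an empty list
    means nothing was flagged. Object-level wildcards such as
    "arn:aws:s3:::bucket/*" are deliberately not flagged, since scoping to a
    bucket is usually the intended granularity.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "wildcard_action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or resource.endswith(":*"):
                findings.append((idx, "wildcard_resource", resource))
    return findings


def main():
    for name, policy in (("overbroad", OVERBROAD_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        findings = find_overbroad_statements(policy)
        print(f"{name}: {len(findings)} finding(s)")
        for idx, kind, value in findings:
            print(f"  statement[{idx}] {kind}: {json.dumps(value)}")


if __name__ == "__main__":
    main()
```

The check is static and deliberately simple: it tells you a policy is broader than any single function should need, not that it is as narrow as this function needs. The right action list comes from reading what the function's code actually calls; the audit only catches the obvious excess.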

Let’s further review how each ...
