Understand CNAPPs with Our Guide
Learn the key benefits and integration tips for Cloud-Native Application Protection Platforms. Enhance your cloud security strategy.
Download the Guide Now
Understand CNAPPs with Our Guide
Learn the key benefits and integration tips for Cloud-Native Application Protection Platforms. Enhance your cloud security strategy.
Download the Guide Now
What are Serverless Security Best Practices?
Serverless computing involves the dynamic, on-demand allocation and provisioning of application infrastructure, such as computing power or storage resources. It allows DevOps teams to focus on application delivery, abstracting infrastructure concerns and offloading them to cloud providers. Serverless architectures can include functions that run discrete bits of code or temporary databases used by a short-lived development branch.
Serverless resources bring a dynamic and distributed approach to computing, and this, in turn, introduces unique security demands requiring a unique approach.
In this article, we’ll cover four best practices for addressing common security issues associated with serverless architecture. Adopting these best practices will help your organization maintain a strong and robust security posture.
Expert Tip
The cloud is a term used to describe servers — as well as any associated services, software applications, databases, containers and workloads — that are accessed remotely via the internet. Cloud environments are typically divided into two categories: a private cloud, which is a cloud environment used exclusively by one customer; or a public cloud, which is an environment that is shared by more than one user.
Best practice #1: follow the principle of least privilege
When constructing permissions for serverless resources, it's essential to understand the concept of “least privilege.” Using overly broad permissions for a serverless function can introduce the risk of unauthorized access vulnerabilities if a malicious actor compromises a resource. To mitigate this risk, limit the access rights of all resources to the minimum required to complete their tasks — and nothing else.
Use role-based access control
Role-based access control (RBAC) defines roles that have permissions to access resources. Then, users or groups are subsequently assigned those roles only when needed. This approach ensures organizations have fine-grained and scalable access. RBAC is a safer approach than assigning permissions directly to individual users. RBAC makes reviewing roles easier as you can confine commonly accessed resources into reusable roles for applications, users, or groups.
Regular permission audits and adjustments
It is essential to review and audit permissions and roles regularly so they are fit for purpose, particularly while the underlying applications change. Neglecting these audits and adjustments can lead to permissions sprawl for services and resources, potentially opening up a security vulnerability in breached applications.
Expert Tip
According to this model, the CSP, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure (Azure), is responsible for managing and protecting the underlying hardware security. However, customers are expected to enable security at the infrastructure and application layer. This includes all tools, technologies, policies and methods meant to protect the organization’s data and other cloud-based assets.
Best practice #2: implement robust monitoring and logging
Serverless environments involve rapid and often transient deployments. To be effective in such environments, consider the following in your security monitoring approach.
Detailed function logging
Detailed logging can provide visibility into serverless function behavior at runtime, detecting potential threats or breaches from unintended behavior or execution of the functions earlier. To achieve sufficient logging capabilities for serverless functions, use serverless-optimized logging tools to process and output your functions' logs. These optimized modules provide detailed execution log outputs, including correlation IDs, timestamps, and diagnostic data.
Monitoring logs and alerting
While your application's functions output detailed logs, be aware of unusual activity or patterns in your functions, and then work swiftly to triage potential issues. Anomalous activities appear as outliers in execution time, consumed memory, or runtime errors. For teams, monitoring these outliers in API access routes, data sources, or request volumes can be vital for identifying unexpected code output or bad actors probing a serverless system for vulnerabilities.
Use a centralized log management and monitoring system to correlate activity across your distributed systems and serverless functions. Robust and modern solutions have built-in alerting capabilities, enabling teams to take remediation action swiftly.
Secure log storage and review
Ensure logs are transmitted securely from your applications to their locations for processing and storage. Log storage must also be secure. Regularly review these stored logs for insights and trends to spot vulnerabilities or attacks against your applications.
Best practice #3: adopt secure coding practices
It is common for serverless functions to integrate third-party modules and services. As your application code depends on an increasing number of third-party modules, the surface area for vulnerabilities also increases in size. Therefore, when developing serverless applications in this environment, develop your functions with security in mind. Mitigate common risks by implementing reviewing and scanning processes to eliminate insecure code.
Validate inputs
When handling inputs in serverless functions, sanitize all inputs into serverless functions or any data fetched from external sources, such as third-party APIs. This sanitization prevents code injection threats, such as sending unintentional code or malicious packets.
Review process
As noted above, serverless applications typically integrate third-party modules. Maintainers regularly update these modules with security patches to prevent introducing vulnerabilities into the function. Be sure to update your third-party dependencies regularly. Updates must include the application runtime (such as Java, Python, or Node.js) to a currently maintained version.
While reviewing an application's dependencies, also regularly review for security gaps to remove currently identified and known vulnerabilities. This process can be completed manually on a schedule or through automated security scanning tools to reduce this workload. Automation can create and recommend safe version upgrades or security fixes in code.
Shift-left security
When integrating security checks into any development process, consider a shift-left approach to integrate the check earlier in the development cycle, such as at the design or project initialization phase. This process saves development time by identifying potential security issues before a project's final test or release phase.
Best practice #4: strengthen network security
Distributed applications, which may be deployed via serverless functions, often require communication with external services. This increases the potential attack points, especially if communication between clients and external services is not secured. Therefore, you should secure the data flows between serverless functions and external services to prevent interception or tampering with the data flow.
Encryption protocols
Developers must implement encrypted protocols to secure communication whenever a serverless function communicates with external APIs and services. Along with HTTPS, these protocols would include TLS for non-HTTP connections, effectively mitigating adversary-in-the-middle attacks and preventing data from being sent in plain text over the network.
API gateways
Suppose there are serverless functions that expose APIs that third parties are interested in calling. In that case, employ an API gateway solution to better manage your APIs, thereby improving your security posture. The gateway sits between clients calling your APIs and your backend serverless function. This centralization ensures that security policies and requirements (such as application authentication or access control policies for API resources) will be enforced uniformly across all services.
Restricting network access
It’s not uncommon for organizations to run their serverless functions in the public cloud. If this is your organization, then it's critical to restrict network access to defined routes from trusted sources and services only. This is another layer of security for applications, blocking access to anyone not in your networking environment before the data reaches the application.
CrowdStrike and serverless security
Serverless functions offer teams agility in development processes and scaling to demand dynamically. However, this approach comes with the need to prioritize fixing the riskiest vulnerabilities.
Secure coding practices and least-privilege access significantly reduce the introduction of vulnerabilities into serverless environments. Establish a clear audit trail for robust application monitoring and logging. These controls are part of the holistic approach to serverless security — from the development phase to application runtime.
To implement, review, and keep up with best practices in this fast-changing technology environment, opt for a platform that incorporates all these features and more. The CrowdStrike Falcon® platform provides teams with comprehensive all-in-one solutions for protecting your cloud environments, including serverless functions.
Contact us for more information, or sign up for a free 15-day trial of the Falcon platform to learn more.
