Serverless architectures are quickly becoming a major technology within the DevOps ecosystem. Every major cloud provider offers a serverless technology platform. Some are even expanding their serverless repertoire, with AWS adding Glue and Sagemaker, which provide serverless environments tailored to specific workloads.
This is for good reason. When serverless technology is deployed correctly, it can save money, time, and resources—all while allowing developers to focus on writing code rather than solving infrastructure issues.
That being said, there are some security concerns that you should be aware of before you decide to take the plunge into the world of serverless apps. Let’s explore them in this article.
What is Serverless Computing?
Simply put, serverless is the allocation of code execution to a cloud provider. Rather than provisioning the resources needed to execute your code, you identify triggers, the cloud provider allocates “warm” servers to your function(s), and executes them to a target destination—also determined by you. These serverless solutions provide asynchronous and synchronous interactions, and the languages and input/output options will be determined by the provider/solution that you choose to utilize.
In a lot of ways, serverless technology alleviates a lot of traditional security concerns. By eliminating on-premises infrastructure, your security protocols are put in the hands of your platform provider. This is good news, especially for smaller organizations, as companies like Amazon and Google take their security very seriously. It also means that age-old concerns like server patching, and Denial of Service become obsolete, as this is done by your provider as well.
That being said, there are still some serious security concerns to be aware of, the biggest of which is your code.
Depending on the language you use in your app, it is important to remember that libraries and packages are always prone to vulnerabilities, whether they are deployed manually or in a sandbox. Also, a lazy developer could leave your application open to traditional vulnerabilities like DDoS attacks, SQL injection, etc. It is important to utilize best practices in your code, even in a serverless environment. Static and dynamic security testing, input validation, and whitelisting should be favored whenever possible.
At Rest and Users
Databases are always vulnerable, and serverless technologies do not protect you from this. Users are your environment’s biggest risk, and leaked credentials, compromised developers, or any other means of database compromise will lead to a problem for your application and users. Make sure that sensitive data is encrypted, limit access to your databases, and limit functions that directly access your databases.
Security monitoring can also be difficult in serverless applications. Traditional security monitoring systems and/or agents don’t work in a serverless environment. Amazon has made some significant progress in this area with services like Amazon Guard Duty, but you should spend some significant time exploring logging solutions and ensure that your serverless environment is well-monitored.
Serverless technologies open a lot of benefits to many DevOps environments. The scalability, cost-effectiveness, and compatibility with existing cloud applications are all unparalleled. Despite those benefits, there are still very serious security concerns/practices to be aware of and deploy.
Follow us on Twitter
Keep up to date with the latest news from TwistlockLabs and TwistlockTeam.
Serverless Comparison: Lambda vs. Azure vs. GCP vs. OpenWhisk
Serverless computing adoption is growing at exponential rates. As with...
DevSecOps in Practice
If you understand DevOps, you probably also intuitively understand Dev...
Squaring the Circle: Making CI/CD Fast and Secure
Today, most DevOps teams place priorities on software delivery speed a...
Securing Istio with Twistlock
This article is about Istio, a new service mesh management platform th...
Twistlock Releases Serverless Runtime Defense
A few months ago, we wrote a piece on “The Continuum of Cloud Native...