As serverless adoption grows and becomes widespread within organizations, our enterprise clients are faced with some key questions from management: “Great, we see all the benefits of serverless, but how do we make sure we implement it securely?”; “How do we maintain our security posture?”; and “How do we maintain compliance?!”

Our intent in this article is to guide you in thinking about securing your serverless applications and services – to show you what has changed, what is more complicated, what has remained the same and what has become much simpler. Ultimately, we will show you how we build a structured methodology to secure serverless applications.
Lions and Tigers and Bears… Oh My
The Open Web Application Security Project (OWASP) lists the Top 10 Risks for serverless. These should not be considered the only potential risks, but for the purposes of this paper, the list serves as a good foundation to make our case. The Top 10 Risks to Serverless Architecture, enumerated by OWASP:
• A1:2017 Injection
• A2:2017 Broken Authentication
• A3:2017 Sensitive Data Exposure
• A4:2017 XML External Entities (XXE)
• A5:2017 Broken Access Control
• A6:2017 Security Misconfiguration
• A7:2017 Cross-Site Scripting (XSS)
• A8:2017 Insecure Deserialization
• A9:2017 Using Components with Known Vulnerabilities
• A10:2017 Insufficient Logging and Monitoring
As you can see, the risks in this list are not unique to serverless technologies. They almost exactly overlap with the standard (“classic”) OWASP Top 10 Risks. However, serverless applications have an increased attack surface, due to a much larger set of input sources.
20 | THE DOPPLER | FALL 2019
An alternative Top 12 list developed by PureSec and published as Cloud Security Alliance (CSA) guidance calls out risks that align with OWASP, but are more specific to serverless:
• SAS-1: Function Event Data Injection
• SAS-2: Broken Authentication
• SAS-3: Insecure Serverless Deployment Configuration
• SAS-4: Over-Privileged Function Permissions and Roles
• SAS-5: Inadequate Function Monitoring and Logging
• SAS-6: Insecure Third-Party Dependencies
• SAS-7: Insecure Application Secrets Storage
• SAS-8: Denial of Service and Financial Resource Exhaustion
• SAS-9: Serverless Business Logic Manipulation
• SAS-10: Improper Exception Handling and Verbose Error Messages
• SAS-11: Obsolete Functions, Cloud Resources and Event Triggers
• SAS-12: Cross-Execution Data Persistency
All these risks, as scary as they sound, are avoidable, with a structured way to identify and track the threat landscape, and proven mitigation methods. The threats themselves have not changed much; they are merely variations on a theme that spans both classic enterprise and serverless architectures. So, how do you create a structured approach to addressing your serverless environment? Hopefully, the same way you secure everything else – by using a proven security model.
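As an added illustration of the "much larger set of input sources" point and of SAS-1 (Function Event Data Injection), the Python Lambda handler below treats an S3 object key, an SQS message body and an API Gateway request body as equally untrusted and checks each against one allowlist before it can reach storage, shell or database code. This is example code written for this article, not the authors' model or any vendor's library; the event payloads are constructed samples and the `key` field name is an assumption.

```python
import json
import re
from urllib.parse import unquote_plus

# Allowlist for the one logical input every source supplies: an object key
# such as "reports/2019-q3.csv". Anything outside the pattern is rejected.
SAFE_KEY = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,255}$")


def untrusted_inputs(event):
    """Yield (source, value) for every attacker-influenced field in the event.

    Each Lambda event source delivers the same logical input in a different
    shape; none of them deserves more trust than an HTTP request body.
    """
    if "Records" in event:  # S3 and SQS deliver batches of records
        for rec in event["Records"]:
            if rec.get("eventSource") == "aws:s3":
                # S3 URL-encodes keys in event records; decode before checking.
                yield "s3", unquote_plus(rec["s3"]["object"]["key"])
            elif rec.get("eventSource") == "aws:sqs":
                yield "sqs", json.loads(rec["body"]).get("key", "")
    elif "body" in event:  # API Gateway proxy integration event
        yield "apigw", json.loads(event["body"] or "{}").get("key", "")


def is_safe_key(value):
    """Accept only allowlisted characters and no path traversal."""
    return bool(SAFE_KEY.match(value)) and ".." not in value


def handler(event, context=None):
    """Partition every input into accepted/rejected before any use of it."""
    accepted, rejected = [], []
    for source, value in untrusted_inputs(event):
        (accepted if is_safe_key(value) else rejected).append((source, value))
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample events (shapes follow AWS's documented event formats;
# the values are made up for this example).
APIGW_EVENT = {"body": json.dumps({"key": "reports/2019-q3.csv"})}
S3_EVENT = {"Records": [{"eventSource": "aws:s3",
                         "s3": {"object": {"key": "../../etc/passwd"}}}]}
SQS_EVENT = {"Records": [{"eventSource": "aws:sqs",
                          "body": json.dumps({"key": "2019-q3.csv; id"})}]}
```

Logging the `rejected` list (source plus value) gives the SAS-5 monitoring signal for injection attempts arriving through non-HTTP triggers.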
Response to Our Clients’ Needs
Our approach, in responding to client and technology
needs, is to build a serverless cloud security model. This
model considers: the top 10 critical risks to serverless archi-