These capabilities are part of the controls required to address the Broken
Authentication risk, ranked number two in both the OWASP and PureSec lists of
top critical risks to serverless. We marked the controls applicable to serverless
as white in Figure 3.
[Figure 3 diagram: low-level capabilities grouped under Identity Management, Authorization Services, Authentication Services and Privilege Usage Management, with the controls applicable to serverless shown in white.]
Figure 3: Applicable capabilities in the Privilege Management Infrastructure high-level capability
• Impacted by the technology: Impacted describes how serverless changes the way required controls are currently implemented, or how controls used for traditional (classic) applications no longer function. We identified capabilities that are impacted by serverless technology and marked those as orange in Figure 4.
In the Threat and Vulnerability Management high-level capability, we find
under Threat Management that the Source Code Scanning low-level capability
has been “impacted.” Serverless fundamentally changes this capability. This may
seem obvious, but traditional static/dynamic code analysis is not suitable for
serverless applications.
Other types of scanning are affected as well: dynamic application security testing (DAST)
only exercises the HTTP interface, while static application security testing (SAST)
relies on data flow analysis, which would be too complex in serverless. Likewise, interactive
application security testing (IAST) is not useful when the function is invoked over non-HTTP event sources.
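As an added illustration (not code from the article): a queue-triggered function whose input never crosses an HTTP interface, so a DAST scanner has nothing to reach; testing has to invoke the handler directly with constructed events. The event layout, field names and validation rules are assumptions.

```python
import json

# Constructed sample event shaped like a queue batch (assumption: a "Records"
# list whose "body" is an untrusted string, as common queue triggers deliver).
SAMPLE_EVENT = {
    "Records": [
        {"messageId": "m-1", "body": json.dumps({"order_id": "A100", "qty": 2})},
        {"messageId": "m-2", "body": "not json"},
        {"messageId": "m-3", "body": json.dumps({"order_id": "../../etc", "qty": -5})},
    ]
}


def validate_order(payload):
    """Return (ok, reason); reject anything outside the expected shape.
    The body came from a queue, not a browser, but it is still untrusted input."""
    if not isinstance(payload, dict):
        return False, "payload not an object"
    oid = payload.get("order_id")
    qty = payload.get("qty")
    if not isinstance(oid, str) or not oid.isalnum():
        return False, "bad order_id"
    if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
        return False, "bad qty"
    return True, ""


def handler(event, context=None):
    """Queue-triggered entry point (hypothetical). Returns a per-record outcome
    instead of raising, so one malformed message cannot poison the whole batch."""
    results = {}
    for rec in event.get("Records", []):
        mid = rec.get("messageId", "?")
        try:
            payload = json.loads(rec.get("body", ""))
        except json.JSONDecodeError:
            results[mid] = "rejected: body not JSON"
            continue
        ok, reason = validate_order(payload)
        results[mid] = "accepted" if ok else "rejected: " + reason
    return results


def invoke_with_events(events):
    """Test harness: drive the handler with constructed events, which is the
    layer an HTTP-only scanner never exercises."""
    return [handler(e) for e in events]
```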
FALL 2019 | THE DOPPLER | 23