As serverless adoption is beginning to grow and become
widespread in the organization, our enterprise clients are
faced with some key questions from management: “Great,
we see all the benefits of serverless, but how do we make
sure we implement it securely?”; “How do we maintain our
security posture?”; and “How do we maintain
compliance?!”
Our intent in this white paper is to guide you in thinking
about securing your serverless applications and services —
to show you what has changed, what is more complicated,
what has remained the same and what has become much
simpler. Ultimately, we will show you how we build a structured methodology to secure serverless applications.
Lions and Tigers and Bears … Oh My
The Open Web Application Security Project (OWASP) lists
the Top 10 Risks for serverless. These should not be considered the only potential risks, but for the purposes of this
paper, the list serves as a good foundation to make our case.
The Top 10 Risks to Serverless Architecture, enumerated
by OWASP:
• A1:2017 Injection
• A2:2017 Broken Authentication
• A3:2017 Sensitive Data Exposure
• A4:2017 XML External Entities (XXE)
• A5:2017 Broken Access Control
• A6:2017 Security Misconfiguration
• A7:2017 Cross-Site Scripting (XSS)
• A8:2017 Insecure Deserialization
• A9:2017 Using Components with Known Vulnerabilities
• A10:2017 Insufficient Logging and Monitoring
As you can see, the risks in this list are not unique to serverless technologies. They almost exactly overlap with the standard (“classic”) OWASP Top 10 Risks. However, serverless applications have an increased attack surface, due to a much larger set of input sources.
76 | THE DOPPLER | SUMMER 2019
An alternative Top 12 list, developed by PureSec and published as Cloud Security Alliance (CSA) guidance, calls out risks that align with OWASP but are more specific to serverless:
• SAS-1: Function Event Data Injection
• SAS-2: Broken Authentication
• SAS-3: Insecure Serverless Deployment Configuration
• SAS-4: Over-Privileged Function Permissions and Roles
• SAS-5: Inadequate Function Monitoring and Logging
• SAS-6: Insecure Third-Party Dependencies
• SAS-7: Insecure Application Secrets Storage
• SAS-8: Denial of Service and Financial Resource Exhaustion
• SAS-9: Serverless Business Logic Manipulation
• SAS-10: Improper Exception Handling and Verbose Error Messages
• SAS-11: Obsolete Functions, Cloud Resources and Event Triggers
• SAS-12: Cross-Execution Data Persistency
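To make two of these risks concrete, here is an added example (not code from the white paper, its authors, or any client system) of a small Lambda-style handler that receives the same logical input from three different triggers (an API Gateway proxy event, an SQS record and an S3 object key), which is exactly the "larger set of input sources" point above. It addresses SAS-1 by validating the event payload against a strict allow-list pattern and using a parameterised query, and SAS-10 by mapping failures to short, generic error responses instead of returning exception details. The event shapes, the `logins` table, the `username` field and the `handler` signature are assumptions for illustration; the SQLite in-memory database stands in for whatever datastore a real function would use.

```python
import json
import re
import sqlite3

# Hypothetical, constructed handler. Three event shapes are handled so that each
# input source (SAS-1 "Function Event Data Injection") is parsed and validated on
# its own path; errors are reported generically (SAS-10 "Verbose Error Messages").

# Allow-list for the one field this function accepts from any trigger.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def _extract_payload(event):
    """Return (source, payload) for the trigger shapes this example understands.

    Every branch treats the incoming data as untrusted, including the S3 object
    key, which is attacker-influenced whenever uploads are allowed.
    """
    records = event.get("Records")
    if records:
        rec = records[0]
        if "s3" in rec:
            return "s3", {"username": rec["s3"]["object"]["key"]}
        if "body" in rec:
            # SQS record: body is a JSON string produced by an upstream publisher.
            return "sqs", json.loads(rec["body"])
    if "body" in event:
        # API Gateway proxy event: body is a string (or None for an empty request).
        return "apigw", json.loads(event["body"] or "{}")
    raise ValueError("unrecognised event shape")


def _validate(payload):
    """Reject anything that is not a JSON object with an allow-listed username."""
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    username = payload.get("username")
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return username


def _store(conn, source, username):
    # Parameterised statement: the event value is bound, never spliced into SQL text.
    conn.execute(
        "INSERT INTO logins (source, username) VALUES (?, ?)", (source, username)
    )
    conn.commit()


def new_db():
    """Constructed in-memory datastore standing in for the function's real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (source TEXT, username TEXT)")
    return conn


def handler(event, context=None, conn=None):
    """Lambda-style entry point; `conn` is injectable so the handler is testable."""
    conn = conn or new_db()
    try:
        source, payload = _extract_payload(event)
        username = _validate(payload)
        _store(conn, source, username)
        return {"statusCode": 200, "body": json.dumps({"ok": True, "source": source})}
    except ValueError as exc:
        # Client-side problem (malformed JSON is a ValueError subclass too):
        # a short reason is enough, with no stack trace or internal detail.
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    except Exception:
        # Unexpected failure: log it server-side (omitted here) and return a
        # fixed message so the response never leaks internals.
        return {"statusCode": 500, "body": json.dumps({"error": "internal error"})}


if __name__ == "__main__":
    db = new_db()
    # Constructed sample events, one per trigger type.
    print(handler({"httpMethod": "POST", "body": '{"username": "alice"}'}, None, db))
    print(handler({"Records": [{"body": '{"username": "bob"}'}]}, None, db))
    print(handler({"Records": [{"s3": {"object": {"key": "../../etc/passwd"}}}]}, None, db))
```

The design point is that validation happens after the trigger-specific parsing but before any use of the data, so adding a fourth trigger means adding one branch to `_extract_payload` and nothing else; the allow-list, the parameterised query and the error mapping are shared by every input source.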
All these risks, as scary as they sound, are avoidable, with a
structured way to identify and track the threat landscape,
and proven mitigation methods. The threats themselves
have not changed much; they are merely variations based
on a theme that spans both classic enterprise and serverless architectures. So, how do you create a structured
approach to addressing your serverless environment?
Hopefully, the same way you secure everything else — by
using a proven security model.
Response to Our Clients’ Needs
Our approach, in responding to client and technology
needs, is to build a serverless cloud security model. This
model considers: the top 10 critical risks to serverless archi-