Serverless Security Guides
Protecting Serverless Applications
Effective serverless security focuses on ensuring code integrity, tight permissions and behavioral analysis.
Access and permissions: Maintain least-privileged access for serverless functions and other services. For example, if an AWS Lambda function needs to access a DynamoDB table, make sure it can only perform the specific action the business logic requires.
Vulnerability scanning: Ensure code and infrastructure-as-code template integrity by regularly scanning for vulnerable third-party dependencies, configuration errors, and over-permissive roles.
Runtime protection: Use runtime protection to detect malicious event inputs and anomalous function behavior, and limit as necessary each function’s ability to access files, hosts, the internet and spawn child processes.
SOURCE: https://www.paloaltonetworks.com/cyberpedia/what-is-serverless-security
Organized in order of risk factor, with SAS-1 being the most critical, the list breaks down as the following:
SAS-1: Function Event Data Injection
SAS-2: Broken Authentication
SAS-3: Insecure Serverless Deployment Configuration
SAS-4: Over-Privileged Function Permissions & Roles
SAS-5: Inadequate Function Monitoring and Logging
SAS-6: Insecure Third-Party Dependencies
SAS-7: Insecure Application Secrets Storage
SAS-8: Denial of Service & Financial Resource Exhaustion
SAS-9: Serverless Business Logic Manipulation
SAS-10: Improper Exception Handling and Verbose Error Messages
SAS-11: Obsolete Functions, Cloud Resources and Event Triggers
SAS-12: Cross-Execution Data Persistency
SOURCE: https://cloudsecurityalliance.org/blog/2019/02/11/critical-risks-serverless-applications/