Chapter 5. Summary
Serverless architecture and Functions as a Service introduce new paradigms for application development, one of which is security and its impact, for better and worse, on serverless applications. Although serverless moves some of the responsibility to the platform’s responsibility, this new paradigm requires us to adopt security practices that are adequate to this technological shift and zoom in on the areas of security concerns that are solely our responsibility.
As the growth of adoption increase for the cloud-native world and serverless architecture in specific, new tools, services and patterns emerge for which we need to address security concerns.
In this book, we provided a technology-agnostic security model that will serve useful as this technological space matures. We reviewed the following recommended security model for dealing with serverless functions security presented as a set of CLAD categories:
-
Code vulnerabilities
-
Libraries vulnerabilities
-
Access and permissions
-
Data security and privacy
Code vulnerabilities accounts for the risk of introducing these in your own application or function’s code and it complements library vulnerabilities, which you risk by introducing third-party dependencies that your serverless application uses and might be found vulnerable. Whereas serverless takes a lot of the responsibility from the application owner, such as managing the actual underlying servers, it still requires a fair bit of configuration—this can often lead to misconfigured access and permissions that results in flawed security controls and further risks serverless applications. Finally, data security and privacy concerns are important for functions due to their extremely stateless circumstances and require the application owner to ensure sensitive data is treated in a secure manner.
To conclude, each of these four security categories is highly relevant for serverless applications because they easily become a target for attackers to focus on, and as the application owner, you should ensure you are building a plan to address security concerns in each category.