Serverless Security

Book description

Serverless is taking the cloud native world by storm. This new approach promises extraordinary value, from increased developer productivity to dramatic cost savings. In some aspects, serverless also boasts significant security advantages compared to the server model. But as this practical report explains, securing serverless still requires diligence from the developers and application security professionals involved in the process.

Guy Podjarny and Liran Tal from Snyk examine the significant benefits that serverless brings to application security, as well as the considerable risks involved when you configure a serverless system. You’ll also learn a platform-agnostic security model known as CLAD that will help you address Code vulnerabilities, Library vulnerabilities, Access and permissions, and Data security.

This report helps you:

  • Understand what serverless is and how this model evolved from cloud native processes
  • Explore the three primary areas where serverless improves security
  • Learn how the CLAD model provides four categories to help you home in on specific security issues
  • Follow a detailed example that demonstrates how poor security manifests in real-world serverless applications

Table of contents

  1. Introduction to Serverless and Cloud Native
    1. The Evolution of Cloud Native
      1. From Hardware to Cloud
      2. Containers
      3. Container Orchestration
      4. Serverless
  2. Introduction to Serverless Security
    1. Patching Operating System Dependencies
    2. Surviving Denial of Service Attacks
    3. No More Long-Lived Compromised Servers
  3. CLAD Model for Serverless Security
    1. Code Vulnerabilities
      1. Injection Flaws
      2. Treat Every Function as a Perimeter
      3. Summary of Injection Flaws
    2. Library Vulnerabilities
      1. What’s a Known Vulnerability?
      2. The Hidden Burden of Using Third-Party Libraries
      3. Securing Vulnerable Libraries at Scale
      4. Proactively Apply Security Fixes
      5. Know Your Inventory
      6. Eliminate Vulnerabilities Before Functions Are Deployed
      7. Don’t Let Deployed Functions Lag Behind
      8. Controls to Minimize Library Vulnerabilities
      9. Summary of Library Vulnerabilities
    3. Access and Permissions
      1. Least-Privilege Principle
      2. Isolate Functions
      3. Controls to Minimize Insecure Access and Permissions
      4. Summary of Access and Permissions
    4. Data Security
      1. Secure and Verify Data in Transit
      2. Manage Function Secrets in Secure Storage
      3. Rotate Keys and Credentials Regularly
      4. Function Information Exposure
      5. Controls to Mitigate Sensitive Data Exposure
      6. Summary of Data Security
  4. Securing a Sample Application
    1. Project Setup
      1. Setting Up an Azure Functions Account
      2. Deploying the Project
    2. Code Injection Through Library Vulnerabilities
      1. The Severity of Third-Party Library Vulnerabilities
    3. Deploying Mixed-Ownership Serverless Functions
    4. Circumventing Function Invocation Access
    5. Summary of the Sample Application
  5. Summary

Product information

  • Title: Serverless Security
  • Author(s): Guy Podjarny, Liran Tal
  • Release date: November 2019
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781492082521