Serverless Security: Functions-as-a-Service (FaaS) - Challenges and Best Practices

Offered By: OWASP Foundation via YouTube

Tags

Serverless Computing Courses, AWS Lambda Courses, Azure Functions Courses, Cloud Security Courses, Secret Management Courses

Course Description

Overview

Explore serverless security and Functions-as-a-Service (FaaS) in this 34-minute OWASP Foundation talk by Niels Tanis. Delve into the security benefits and challenges of serverless architectures, including Azure Functions, AWS Lambda, and Google Cloud Functions. Learn about the reduced infrastructure management, increased resilience to DoS attacks, and potential vulnerabilities in serverless applications. Examine the complex architecture and attack surface of FaaS, software supply chain concerns, and the importance of patching for vulnerabilities. Discover key security areas to focus on when developing serverless applications, including third-party library management, secret storage, data encryption, least privilege principles, and software supply chain automation. Gain insights into threat modeling, monitoring, and logging for serverless environments, and understand the balance between ease of creation and complexity in maintaining secure serverless applications.

Syllabus

Intro
What is Serverless?
• Full abstraction of servers
• Instant, scalable and event-driven
• Pay-per-use
• 'Cloud is an operating system; Serverless is its native code!' (Erik Peterson, QCON)
Security benefits of Serverless
• Servers are maintained by vendor
• No server to be compromised?
• 'Gone in 60 Milliseconds' - Rich Jones
• Denial of Service is mitigated?
Attack Surface
• App shattered across platform
• Lot of complexity
• Inner and outer attack surface
Third Party Libraries
• Simple Azure Function in C# - 10 lines
• 50k lines for Azure Functions Host
• 120k lines for Newtonsoft.JSON
• Vulnerability found/published
• Malicious/compromised package
Storing Secrets
• Environment variables
• Use platform vendor service
• 'Secrets at Scale' - Ian Haken of Netflix
Encryption of data
• Protecting data in transit and at rest
• Most vendors do 'transparent' encryption for data at rest
• Consider 'Client-Side Encryption' in transit
Least Privilege
• Fit for purpose privileges
• Review or audit them over time
Software Supply Chain
• Automation is king!
• Deployment as code
• Separate different environments
• Development
Conclusion
• Easy to create! Hard to keep track!
• Threat modelling
• Compartmentalise
• Monitoring and logging
• Automate delivery and configuration


Taught by

OWASP Foundation
