Severe truth about serverless security and ways to mitigate major risks
- Cloud providers may secure your databases, operating systems, virtual machines, the network, and other cloud components, but you must still protect your application layer (code, business logic, data and cloud service configurations) against cyber attacks.
- Traditional web application firewalls only protect functions called through an API gateway. So, apply perimeter security to each function, incorporate whitelist validation, monitor updates to functions, and add runtime defense solutions.
- Be wary of third-party dependencies. Derive components from reliable official sources via secure links. For Node.js applications, use package locks or NPM shrinkwrap to restrict updates to code until you review them. Identify and fix vulnerabilities with automated dependency scanners.
- Ensure all credentials that invoke third-party services or cross-account integrations are temporary or encrypted and use a cryptographic key management solution. Set strict constraints on input/output messages passing through the API gateway.
- Address the downside of autoscaling, DoW (denial of wallet) attacks: set budget limits with alarms, limit the number of API requests in a given time window, use DDOS protection tools, and try to make API gateways internal and private.
Full post here, 7 mins read