
Five Application Security Best Practices for Serverless Applications

April 25, 2018

Serverless architecture enables applications to be developed and deployed without management of the underlying host or operating system. Instead of a traditional host, serverless applications run on abstract serverless platforms which are managed by cloud providers. This architecture offers advantages over other architectures, such as scalability, but also has its own unique security risks. The following best practices will help ensure these applications are properly secured:


1. Authentication and Authorization

Proper authentication and authorization controls ensure that functionality and resources are protected against unauthorized access. Serverless applications are decentralized, so it’s important to ensure that each application or service performs the proper checks itself. When applications are accessed from multiple sources, such as mobile apps and web browsers, each source may use a different authentication mechanism, which leads to redundant checks and additional complexity, as shown below:


A common solution to this issue is the use of an API gateway, which manages authentication and authorization for the serverless applications behind it. Each request to a serverless application will first be validated by the gateway. Validated requests, including relevant authorization information, will be sent to backend applications for processing, while unauthenticated or unauthorized requests will be rejected by the gateway.

[Figure: Serverless 1]

2. Least Privilege Permissions

The principle of least privilege limits the risk to data and systems if an application is compromised. Applications commonly access resources such as databases, file storage, and external systems and applications. Restrict application permissions and access (including network access) to the minimum the application requires, and monitor for unauthorized requests for resources.

3. Cloud Native Controls

Serverless applications are by nature closely integrated with the cloud platform. This gives them access to the cloud provider’s security controls, which should be used whenever possible. Cloud providers often offer functionality such as secret management, resource permission policies, and logging. This functionality takes advantage of the platform integration and reduces the friction of applying security controls.

4. Manage Dependencies and Third-Party Services

Traditional patch management does not apply to serverless application instances, since there is no host to patch. However, it is important to ensure that any dependencies used by the application are secure and up to date. Take advantage of tools that automate dependency checking so that applications do not use vulnerable components.

If an application leverages third-party services or licensed components, use a security questionnaire to ensure these resources meet necessary security requirements. Audit and review security status on a scheduled basis.

5. Secure Software Development Life Cycle

Application vulnerabilities identified after release are costly to remediate. It’s vital that applications are developed with a secure software development life cycle (SDLC). A secure SDLC integrates security into all phases of the lifecycle through processes such as design review, automated static and dynamic testing tools, and manual security testing.

These best practices establish a strong security baseline for serverless applications, which can be leveraged as part of a larger application security program. Together, they reflect the need for a blend of traditional methods and tools, as well as new processes and controls. This is a requirement of a robust cloud application security program, of which serverless applications are just a part.


By: Kat Cummings
