Five Application Security Best Practices for Serverless Applications
Serverless architecture enables applications to be developed and deployed without management of the underlying host or operating system. Instead of a traditional host, serverless applications run on abstract serverless platforms which are managed by cloud providers. This architecture offers advantages over other architectures, such as scalability, but also has its own unique security risks. The following best practices will help ensure these applications are properly secured:
Proper authentication and authorization controls ensure that functionality and resources are protected against unauthorized access. Serverless applications are decentralized, so it’s important to ensure that each application or service is making the proper checks. If an application is accessed from multiple sources, such as mobile apps and web browsers, each of which may use a different authentication mechanism, the result can be redundant checks and additional complexity, as shown below:
A common solution to this issue is the use of an API gateway, which manages authentication and authorization for the serverless applications behind it. Each request to a serverless application will first be validated by the gateway. Validated requests, including relevant authorization information, will be sent to backend applications for processing, while unauthenticated or unauthorized requests will be rejected by the gateway.
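The gateway pattern described above, as an added example that is not Optiv's code: the gateway validates each request's bearer token once (a constructed HMAC-signed token format, standing in for whatever token type a real gateway accepts), rejects unauthenticated or unauthorized requests, and forwards only the verified principal and scopes to the backend function, which therefore never parses credentials itself. The signing key, the `ROUTE_SCOPES` routing table and the `orders_backend` handler are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the example. A real gateway would load it from
# the provider's secret manager rather than embedding it in source.
SIGNING_KEY = b"example-gateway-signing-key"

# Assumed routing table: the scope each backend route requires.
ROUTE_SCOPES = {
    "GET /orders": "orders:read",
    "POST /orders": "orders:write",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl: int = 300, now: float = None) -> str:
    """Mint a token of the form base64(payload).base64(hmac-sha256)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "scopes": scopes, "exp": now + ttl}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: float = None):
    """Return the verified claims, or None for a malformed, forged or expired token."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        # Constant-time comparison so signature bytes cannot be guessed via timing.
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(payload)
        if not isinstance(claims, dict) or claims["exp"] <= now:
            return None
    except (ValueError, TypeError, KeyError):
        return None
    return claims


def gateway(request: dict, backend, now: float = None) -> dict:
    """Authenticate and authorize the request, then invoke the backend with verified context."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "body": "missing credentials"}
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return {"status": 401, "body": "invalid or expired token"}
    route = f"{request['method']} {request['path']}"
    required = ROUTE_SCOPES.get(route)
    scopes = claims.get("scopes")
    if required is None or not isinstance(scopes, list) or required not in scopes:
        return {"status": 403, "body": "forbidden"}
    # The backend receives only what the gateway has already verified.
    return backend({"route": route, "principal": claims["sub"], "scopes": scopes})


def orders_backend(ctx: dict) -> dict:
    """Assumed backend function: trusts the gateway-supplied principal, does no auth of its own."""
    return {"status": 200, "body": f"{ctx['route']} handled for {ctx['principal']}"}


if __name__ == "__main__":
    tok = issue_token("alice", ["orders:read"])
    req = {"method": "GET", "path": "/orders", "headers": {"Authorization": f"Bearer {tok}"}}
    print(gateway(req, orders_backend))
```

Because every route is resolved against `ROUTE_SCOPES` in one place, adding a new backend function means adding one table entry rather than another copy of the token-parsing logic, which is the redundancy the decentralized layout otherwise produces.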
The principle of least privilege limits the risk to data and systems in case of a compromised application. Applications commonly access resources such as databases, file storage, and external systems and applications. Restrict application permissions and access (including network access) to the minimum required for the application, and monitor unauthorized requests for resources.
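An added example (not Optiv's code) of measuring a function's permissions against this principle. Two constructed policies in the IAM-style `Effect`/`Action`/`Resource` shape are evaluated by a deliberately simplified matcher (default deny, explicit deny wins, `*` as a glob); the bucket names, actions and request lists are assumptions. The broad policy grants requests the function never makes, the scoped policy grants only what it needs, and denied requests are returned as log lines so that the "monitor unauthorized requests" part of the practice has something to feed on.

```python
import fnmatch

# Constructed "broad" policy: every object-storage action on every bucket.
BROAD_POLICY = [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]},
]

# Constructed least-privilege policy: only the one read the function performs.
SCOPED_POLICY = [
    {"Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-uploads/*"]},
]

# What the function is observed to do in normal operation (constructed).
REQUIRED_REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::example-uploads/report.csv"),
]

# Requests outside the function's normal behaviour, used only to measure
# how much a policy over-grants (constructed).
PROBE_REQUESTS = [
    ("s3:DeleteObject", "arn:aws:s3:::example-uploads/report.csv"),
    ("s3:GetObject", "arn:aws:s3:::payroll-archive/salaries.csv"),
    ("s3:PutBucketPolicy", "arn:aws:s3:::example-uploads"),
]


def _matches(pattern: str, value: str) -> bool:
    # Simplification: '*' behaves as a glob; real IAM matching has more rules.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: list, action: str, resource: str) -> bool:
    """Simplified evaluation: explicit Deny wins, otherwise any Allow, else deny."""
    allowed = False
    for stmt in policy:
        if any(_matches(a, action) for a in stmt["Action"]) and \
           any(_matches(r, resource) for r in stmt["Resource"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def covers_required(policy: list, required: list) -> bool:
    """True if the policy still allows everything the function actually needs."""
    return all(is_allowed(policy, a, r) for a, r in required)


def excess_permissions(policy: list, required: list, probe: list) -> list:
    """Probe requests the policy allows even though the function does not need them."""
    return [(a, r) for a, r in probe
            if (a, r) not in required and is_allowed(policy, a, r)]


def simulate(policy: list, requests: list) -> list:
    """Evaluate requests and return deny log lines suitable for monitoring."""
    denied = []
    for action, resource in requests:
        if not is_allowed(policy, action, resource):
            denied.append(f"DENY action={action} resource={resource}")
    return denied


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "covers required:", covers_required(policy, REQUIRED_REQUESTS))
        print(name, "excess:", excess_permissions(policy, REQUIRED_REQUESTS, PROBE_REQUESTS))
        print("\n".join(simulate(policy, REQUIRED_REQUESTS + PROBE_REQUESTS)))
```

The useful output is the `excess_permissions` list for the broad policy: each entry is a capability that a compromised function would inherit for no operational reason, and each one disappears when the scoped policy is used without breaking the request the function actually needs.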
Serverless applications by nature are closely integrated with the cloud as a platform. This gives access to cloud provider security controls, which should be used when possible. Cloud providers often offer functionality such as secret management, resource permission policies, and logging. This functionality takes advantage of integration with the platform and reduces the friction of using security controls.
Traditional patch management is not relevant for serverless application instances, because the cloud provider maintains the underlying host and runtime. However, it is important to ensure that any dependencies used by the application are secure and up to date. Take advantage of tools that automate the process of checking these dependencies to ensure applications are not using vulnerable components.
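An added example (not Optiv's code, and not a substitute for a real dependency scanner) of the check such tools automate: parse a function's pinned requirements, compare each pin against an advisory list, and flag anything below the fixed version. The requirements text and the advisory table are constructed for the example, and the advisory ids are placeholders rather than real CVE numbers. Unpinned requirements are reported separately, since a version range cannot be audited reproducibly and will silently change between deployments.

```python
import re

# Constructed requirements.txt for a serverless function.
REQUIREMENTS = """\
# constructed requirements.txt for a serverless function
requests==2.19.0
PyYAML==5.4.1
urllib3==1.26.5   # transitive dependency, pinned explicitly
boto3>=1.20       # not pinned: cannot be audited reproducibly
"""

# Constructed advisory data: package -> [(fixed_in_version, advisory id)].
# A pinned version strictly below fixed_in is treated as affected.
ADVISORIES = {
    "requests": [("2.20.0", "ADV-EXAMPLE-0001")],
    "pyyaml": [("5.4", "ADV-EXAMPLE-0002")],
    "urllib3": [("1.26.5", "ADV-EXAMPLE-0003")],
}

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.]*)$")
NAME_RE = re.compile(r"^([A-Za-z0-9_.\-]+)")


def normalize(name: str) -> str:
    """Package names compare case-insensitively with '_' and '-' treated alike."""
    return name.lower().replace("_", "-")


def parse_version(text: str) -> tuple:
    """'1.26.5' -> (1, 26, 5); non-numeric components become 0 (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def version_lt(a: tuple, b: tuple) -> bool:
    """Compare version tuples of unequal length by padding with zeros."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def parse_requirements(text: str):
    """Return ({name: pinned_version}, [unpinned names]) ignoring comments and blanks."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[normalize(m.group(1))] = m.group(2)
        else:
            m = NAME_RE.match(line)
            unpinned.append(normalize(m.group(1)) if m else line)
    return pinned, unpinned


def audit(text: str, advisories: dict = ADVISORIES):
    """Return ([(name, version, advisory_id, fixed_in)], [unpinned names])."""
    pinned, unpinned = parse_requirements(text)
    findings = []
    for name, version in pinned.items():
        for fixed_in, adv_id in advisories.get(name, []):
            if version_lt(parse_version(version), parse_version(fixed_in)):
                findings.append((name, version, adv_id, fixed_in))
    return findings, unpinned


if __name__ == "__main__":
    findings, unpinned = audit(REQUIREMENTS)
    for name, version, adv_id, fixed_in in findings:
        print(f"VULNERABLE {name}=={version}: {adv_id}, fixed in {fixed_in}")
    for name in unpinned:
        print(f"UNPINNED {name}: pin it so the build is reproducible and auditable")
```

Two edge cases are exercised deliberately: `PyYAML==5.4.1` is newer than the `5.4` fix and is correctly not flagged even though the tuples have different lengths, and `urllib3==1.26.5` sits exactly at the fixed version and is likewise clean. Running a check like this in the build pipeline, against a maintained advisory feed rather than a hand-written table, is what keeps a function from shipping with a known-vulnerable component.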
If an application leverages third-party services or licensed components, use a security questionnaire to ensure these resources meet necessary security requirements. Audit and review security status on a scheduled basis.
Application vulnerabilities identified after release are costly to remediate. It’s vital that applications are developed with a secure software development life cycle (SDLC). A secure SDLC integrates security into all phases of the lifecycle through processes such as design review, automated static and dynamic testing tools, and manual security testing.
These best practices establish a strong security baseline for serverless applications, which can be leveraged as part of a larger application security program. Together, they reflect the need for a blend of traditional methods and tools, as well as new processes and controls. This is a requirement of a robust cloud application security program, of which serverless applications are just a part.