
OWASP SERVERLESS TOP 10

2023-02-16

Authors: Tal Melamed


Summary

Best practices for securing serverless functions
  • Serverless functions have dependencies that can introduce vulnerabilities
  • Cloud providers offer some security measures, but you still need to scan your own code and its dependencies for vulnerabilities
  • Logging and monitoring are important but require automation to be effective
  • Permissions and authentication are crucial for securing serverless functions
  • The stateless nature of serverless functions makes authentication challenging
If a function's execution role has permission to a service, any code that ends up running inside that function can reach the service and potentially steal data. Even if a bucket is locked down so only certain users can access it, a second function that holds permission to that bucket and contains a vulnerability can be abused to write unauthenticated, attacker-controlled data into it, and that data may in turn be picked up and processed by a Lambda function triggered from the bucket.
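The following is an added example, not material from the talk or the OWASP project, that models the two halves of the problem above: a Lambda-style handler that trusts the object key arriving in an S3 event (the key is attacker-controlled whenever anyone can write to the bucket), shown in a vulnerable form beside a hardened one, and a small linter that flags IAM policy statements granting more than the function needs. The event shape follows the AWS S3 notification format, but the bucket, key, handler and policy names are all assumptions constructed for this illustration; the handlers return the command they would run instead of executing it.

```python
import json
import re
from urllib.parse import unquote_plus


def make_s3_event(bucket, key):
    """Constructed S3 ObjectCreated event (only the fields a handler reads)."""
    return {"Records": [{"eventName": "ObjectCreated:Put",
                         "s3": {"bucket": {"name": bucket},
                                "object": {"key": key}}}]}


# Sample events (constructed; bucket and key names are made up).
BENIGN_EVENT = make_s3_event("example-upload-bucket", "report-2023.png")
# S3 delivers keys URL-encoded. This one decodes to "x.png;env;", so a shell
# would run `env` and dump the function's credentials (AWS_ACCESS_KEY_ID ...).
MALICIOUS_EVENT = make_s3_event("example-upload-bucket", "x.png%3Benv%3B")


def object_key(event):
    return unquote_plus(event["Records"][0]["s3"]["object"]["key"])


def vulnerable_handler(event, context=None):
    """Interpolates the untrusted key into a shell command string.
    A real handler would hand this to subprocess.run(..., shell=True);
    here it is returned so the example stays harmless."""
    return f"convert /tmp/{object_key(event)} /tmp/out.png"


# Allow-list: one alphanumeric, then up to 254 of [A-Za-z0-9._-]; no '/',
# no shell metacharacters, and ".." cannot start a key.
SAFE_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def is_safe_key(key):
    return SAFE_KEY.fullmatch(key) is not None


def hardened_handler(event, context=None):
    """Validates the key and returns an argv list (no shell), so characters
    in the key can never be interpreted as commands."""
    key = object_key(event)
    if not is_safe_key(key):
        raise ValueError(f"rejected object key: {key!r}")
    return ["convert", f"/tmp/{key}", "/tmp/out.png"]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def find_overbroad_grants(policy):
    """Returns (statement_index, field, value) for every Allow statement whose
    Action contains a wildcard or whose Resource is '*' / ends in ':*'
    (an object-prefix such as 'bucket/*' is accepted). Heuristic only."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or resource.endswith(":*"):
                findings.append((idx, "Resource", resource))
    return findings


# The kind of role that lets a single injection reach every bucket (assumed).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Least privilege for the handler above: read objects in one bucket only.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-upload-bucket/*"}],
}


if __name__ == "__main__":
    print("vulnerable would run:", vulnerable_handler(MALICIOUS_EVENT))
    print("hardened argv:", hardened_handler(BENIGN_EVENT))
    try:
        hardened_handler(MALICIOUS_EVENT)
    except ValueError as exc:
        print("hardened rejected:", exc)
    for name, pol in (("overbroad", OVERBROAD_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, json.dumps(find_overbroad_grants(pol)))
```

Run together, the two halves show why both controls matter: the allow-list stops the key from becoming a command, and the narrowed role means that even a handler that is later broken only exposes objects in its own bucket rather than every bucket the account owns.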

Abstract

When adopting serverless technology, we eliminate the need to develop a server to manage our application and, by doing so, we also pass some of the security threats to the infrastructure provider. However, serverless functions, even without provisioning or managing servers, still execute code. If this code is written in an insecure manner, it can still be vulnerable to traditional application-level attacks. The OWASP Serverless Top 10 project recently launched. In this talk, I will examine how the original Top 10 stacks up for serverless apps. In particular, we’ll examine the differences in attack vectors, security weaknesses, and the business impact of successful attacks on applications in the serverless world, and, most importantly, how to prevent them. As we will see, attack vectors and prevention techniques are completely different from the traditional application world.

Materials: