Serverless Security: Locking Down Your Apps with FunctionShield


I’ve written quite extensively about serverless security, and while you don’t need to be an expert on the matter, there are a number of common sense principles that every developer should know. Serverless infrastructures (specifically FaaS and managed services) certainly benefit from an increased security posture given that the cloud provider is handling things like software patching, network security, and to some extent, even DDoS mitigation. But at the end of the day, your application is only as secure as its weakest link, and with serverless, that pretty much always comes down to application layer security.

In this post we’re going to look at ways to mitigate some of these application layer security issues by using some simple strategies as well as a free tool called FunctionShield.

Who’s responsible for serverless security?

While there is nothing inherently new that’s specific to serverless when it comes to application security practices, there is a shift in terms of where security responsibility ultimately lies. Obviously, developers should implement proper programming practices by sanitizing all their inputs, handling errors correctly, and protecting sensitive user data with proper programmatic access controls. But with serverless, access and error logs are no longer automatically generated for you, which now puts this into the hands of the developer.

Even scarier is how close serverless takes the developer to the execution environment. I’ve been using IAM roles since they were invented, and I still find myself consulting the docs from time to time to be sure I’m doing it correctly. Putting that responsibility on a developer often results in wildcard (*) privileges that could give attackers carte blanche access to your AWS environment.

We also train developers to be lazy (this isn’t a criticism), meaning that we don’t want them reinventing the wheel every time they write a new program. They should be focusing on solving business problems, not trying to figure out ways to manage MySQL connections or handle and respond to API Gateway requests. This means we encourage the use of third-party dependencies: dependencies that are easily compromised and can leak access keys, execute remote calls, and even be used to mine cryptocurrency.

These events may all seem unlikely, until they happen to your organization. And the more responsibility we put on developers to mitigate these issues, the more likely the lack of security training will rear its ugly head. In my experience, most junior developers (and sometimes even “experienced” ones) will respond with, “Umm, what’s SQL injection?”

Emerging tools and best practices

I’m not trying to scare anyone off. I’m obviously a huge proponent of serverless and I definitely think you should give it a try if you haven’t already. But like most things shiny and new, it takes some time to work out the kinks and develop a set of best practices.

The community has been working hard to develop tools like the Serverless Framework to help us deploy and configure our serverless applications more easily. AWS has developed their own open source Serverless Application Model (SAM), which is tightly coupled with CloudFormation to configure and deploy complex applications. There are even several companies building tools that focus on observability within our serverless applications, extending the basic insights that cloud providers are offering.

However, there has been little focus on security, which is what intrigues me about a company called PureSec. While I have no official relationship with them, I have chatted with their team a number of times. As a result, I have gotten a much better understanding of what they do and why it’s needed. I have yet to try their primary serverless security offering, but I did get a chance to play around with their free FunctionShield product. This is obviously a subset of what their full service can do, but it is quick and easy to implement, and provides some really great default protections.

What is FunctionShield and why do I need it?

FunctionShield is a security library (currently available for Node and Python) that you package with your Lambda functions. Without using monkey-patching (which is a big deal that I’ll explain in a minute), it gives you the ability to:


I reached out to Ory Segal, CTO at PureSec, and asked him about these use cases and why they were so important. “We’ve heard of many customers that place their Lambda functions inside a VPC and position a NAT to block it from communicating outbound. Needless to say, that’s the wrong way to do things,” he said. “We’ve also met customers that asked us to block writing to the /tmp directory so that developers will not use it. This ask was because they don’t know whether this data will eventually leak during other executions between users.”

I think he is right on here. First of all, don’t put your Lambda functions in a VPC if you don’t have to. And second, the power that comes with global variable reuse and /tmp directory access is a double-edged sword. Reusing database connections and initialized packages is extremely effective and can yield tremendous gains in speed, but you also run the risk of exposing sensitive user data if you don’t use them correctly.
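The double-edged sword described above, as an added example that is not from the original post or from FunctionShield: two handlers run twice in one process to mimic a warm Lambda container, one keeping request data in module scope and at a fixed temp path, the other keeping it request-scoped. The handler names, event shape and temp directory layout are assumptions made for illustration.

```javascript
// Added example: constructed handlers, run locally to mimic a warm container.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Stand-in for Lambda's /tmp so the example runs anywhere (assumption).
const TMP = fs.mkdtempSync(path.join(os.tmpdir(), 'warm-container-'));

// --- Risky: request data kept in module scope and at a fixed temp path ---
let lastProfile = null; // survives between invocations on a warm container
const SHARED_FILE = path.join(TMP, 'report.json');

function riskyHandler(event) {
  if (event.profile) {
    lastProfile = event.profile;
    fs.writeFileSync(SHARED_FILE, JSON.stringify(event.profile));
  }
  // Defect: a request without a profile falls through to the previous caller's data.
  const cached = fs.existsSync(SHARED_FILE)
    ? JSON.parse(fs.readFileSync(SHARED_FILE, 'utf8')) : null;
  return { user: event.user, profile: lastProfile, cached };
}

// --- Safer: only caller-independent state is reused across invocations ---
const sharedClient = { createdAt: Date.now() }; // placeholder for a connection pool

function saferHandler(event) {
  const profile = event.profile || null; // request-scoped, never module-scoped
  const workDir = fs.mkdtempSync(path.join(TMP, 'req-')); // unique per invocation
  try {
    const file = path.join(workDir, 'report.json');
    fs.writeFileSync(file, JSON.stringify(profile));
    const cached = JSON.parse(fs.readFileSync(file, 'utf8'));
    return { user: event.user, profile, cached, client: sharedClient };
  } finally {
    // Remove the scratch directory so nothing is left for the next caller.
    fs.rmSync(workDir, { recursive: true, force: true });
  }
}

// Two consecutive invocations on the same container (constructed events).
function simulate(handler) {
  handler({ user: 'alice', profile: { email: 'alice@example.com' } });
  return handler({ user: 'bob' });
}
```

Calling `simulate(riskyHandler)` returns the first caller's profile in the second caller's response, while `simulate(saferHandler)` returns nothing for it.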

He continued, “We were looking to give confidence back to developers, allow them to control what the runtime can and can’t do, and most importantly, provide a way to monitor any kind of outbound connectivity, or child process execution.”

Again, I completely agree. Lambda functions are actually mini-Linux servers that have capabilities well beyond simple function execution. A compromised third-party dependency, coupled with loose IAM permissions, could wreak havoc on your AWS environment. Now with FunctionShield, Ory says, “This is the first time developers can monitor 3rd party open source libraries in serverless environments.”

This all made perfect sense to me, so the next step was to give it a try and see if I could outsmart the security experts at PureSec (spoiler alert: I couldn’t).

Testing FunctionShield

I had to
