With increasing regularity during customer calls we hear something similar to this:
We are moving to a serverless architecture and don’t know how to go about threat modeling this. Can you help?
What is “serverless”?
Our knowledgeable security department were soon tasked with researching security around serverless. The precise term for serverless itself is a little fraught to define, but for the purposes of clarity we will go with Twillio’s definition:
Serverless architecture (also known as serverless computing or function as a service, FaaS) is a software design pattern where applications are hosted by a third-party service, eliminating the need for server software and hardware management by the developer. Applications are broken up into individual functions that can be invoked and scaled individually.
With a serverless architecture, you focus purely on the individual functions in your application code. Services such as Twilio Functions, AWS Lambda and Microsoft Azure Functions take care of all the physical hardware, virtual machine operating system, and web server software management. You only need to worry about your code.
What is Lambda?
Any investigation into serverless is soon to discover the importance of AWS Lambda; and again, for the sake of clarity, let us run with Michael Zaczek’s succinct description:
Lambda is a service that allows you to run your functions in the cloud entirely serverless and eliminates the operational complexity.
You upload your code to Lambda, and it takes care of everything required to run and scale its execution and fulfill conditions and high availability requirements.
Lambda supports several programming languages so you can choose the most suitable. It integrates with API gateway, enables you to invoke functions with API calls, and makes your architecture completely serverless. There are several ways to invoke a function: an event, another AWS service, or another service or application.
And so the Continuum Security team set about serverless threat model with Lamdba. In usual circumstances if a technology were unfamiliar we would set about researching it and usually unearth some available best practice security standards approved by industry that would help, but in this instance there was very little available to leverage.
As the AWS cloud environment already exists in our knowledgebase the security team did not have to concern themselves with the many security considerations related to such an environment and so could focus explicitly on Lambda. The first task with threat modeling is to enumerate potential threats – put simply, to identify the soft-underbelly through which an attacker may exploit. Happily, Continuum joined forces with one of our partners and began this process.
Towards the end of this process the OWASP Top 10 for Serverless project was released against which we were able to validate and perfect our libraries. And a special thanks to We45 for reviewing the library before publication.
We have created a table with the main threat vectors against Lambda together with the recommended countermeasures. This table can be downloaded in XLS format from here.
Serverless is the new ‘hot thing’ and I don’t mean that in a derogatory fashion as it offers great advantages for deployment and scaling and IriusRisk is at the forefront of tackling the hard security questions in emerging technologies, so that our customers don’t have to.