Let’s talk about something uncomfortable: security. It’s something I have been trying to collect articles on for the past few weeks, and given the recent news about AT&T, I think now is as good a time as any to talk about serverless security.
To be clear, I am not really picking on AT&T. Honestly, I often point out that we live in an age where it seems like every other week there is some kind of newsworthy security breach. As digital services become more and more a part of our everyday lives, it’s important that we have these discussions.
It is more important than ever for companies to invest in their security. Some organizations will cut corners to reduce costs, thinking something to the effect of “well, we haven’t had an issue yet, so our policies must be really good,” but really, it’s almost always not a problem until it is.
So let’s talk about the role of security in serverless and what strategies can be implemented.
The Serverless Security Market is HUGE
DataM Intelligence recently published a report on the serverless security market size. It is paywalled, so I don’t have all the data available, and I looked for similar reports to get a general feel.
A few months ago, another report projected that the market will reach $24.97bn in 2032. For context, in 2022 the market was estimated to be worth $1.82bn. This is over 20x growth!
This makes sense, as other posts I have made demonstrate the growth of the market. A similar report estimates that the serverless market will reach $40.9bn by 2031. With the growth of that market, it only makes sense that the market to secure that technology will grow too.
Many companies have either adapted to or sprung up to take part in this. For example, SysDig has a lot of opinionated methods for securing applications on FaaS platforms. CrowdStrike (current news stories notwithstanding) recently announced a solution for securing FaaS applications as well.
Now if you have read my posts, you know how I feel about FaaS and Serverless being treated as interchangeable. Serverless is more than just FaaS. However, companies like Palo Alto Networks do acknowledge the larger architecture of a FaaS application and the resources it connects to. They also support Cloud Run security, for what it’s worth.
BeyondTrust also has some opinionated takes on serverless security. It’s important to realize that the application is only a small part of the overall security story.
Serverless APIs, Build vs Buy
I recently read a nice article on The New Stack that covers the benefits of a hosted API gateway. I think this brings up many good points that are not only valid for serverless computing but for cloud computing in general.
Now I may have a slight bias as Google Cloud offers Apigee as an API Management platform but so do AWS and Azure. There are even third party solutions like MuleSoft and Kong. This demonstrates that there is a market for hosted API management platforms.
There are a myriad of ways to leverage open source technology to do this yourself. For example, Emissary Ingress is pretty much the preferred open source API Gateway for cloud native computing. It is even a CNCF incubated project.
There are other open source projects, such as Tyk or KrakenD, for API management. With tools like these, there are many ways to manage serverless APIs yourself without having to reinvent the wheel. The problem lies with long-term management.
To be clear, I LOVE open source and have nothing against it. However, in my experience, many organizations will opt to manage their own open source platforms in an effort to save money. They look at a vendor and see what they charge and then they see the “free” price tag on an open source project and decide that free is better.
What they often fail to realize is that there is a lot of hidden cost in the time lost managing your own platform. Some companies have the in-house resources to manage it long term, but many don’t.
When it comes to security, you can’t afford to cut corners. It is always good to look for a strong managed service to handle the security of your serverless offering. I won’t endorse a specific product; rather, I encourage you to do your due diligence, and I’ll also refer you to this great article.
Who Will Sca-a-an Your Code?
You know what can cause a security breach? Bad code. Does your code have a security flaw in it? Is the code that you wrote the same code being deployed? How secure is that container image that you are using? Where are you storing your keys?
These are only some of the questions you should be asking. Our friends at Wiz wrote some interesting security suggestions and I happen to agree. Securing your IDE is probably the first step to security.
IDEs have come a long way since I started coding. I remember using Notepad++ for things back in the day. Now you can use something like Visual Studio Code (my go-to IDE) and integrate a ton of plugins to connect to your Git repo, test your code, deploy directly to the cloud, integrate security tokens and more. But with all of these extensions, are you really secure?
I always recommend people check what kind of plugins they are installing, whether they come from a reliable source, and what permissions they require. I also ask them to look and see if a plugin requires installing something additional onto your machine. Minikube, for example, is often used with Kubernetes integrations. While Minikube in and of itself isn’t a problem, it does create an additional attack surface on your machine.
For the love of all things good in the world, do not store your keys in plain text in your code. Some jailbreakers found this in the Rabbit R1 device recently. There are so many key management systems out there, use those.
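As an added illustration (my own code, not something from the original post or from any vendor mentioned here), this is a small scanner of the kind a pre-commit hook or CI step can run to catch exactly the mistake above: credentials hardcoded in source. The rule set, the `# nosecret` allow-list marker, the entropy threshold and the sample source file are all constructed for the example; the `AKIA` and `AIza` prefixes are the documented formats of AWS access key ids and Google API keys, and `AKIAIOSFODNN7EXAMPLE` is the example id from AWS’s own documentation, not a live key.

```python
import math
import re
from typing import Dict, List, Tuple

# Rules for well-known credential formats (AWS access key ids start with
# AKIA, Google API keys with AIza), plus a generic rule for assignments such
# as password = "..." that is gated by an entropy check below.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Marker a developer can put on a line to document a deliberate non-secret
# (test fixtures, placeholders). A convention assumed for this example, not a standard.
ALLOW_MARKER = "# nosecret"


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character: random keys score high, plain words score low."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) for each line that looks like a hardcoded secret.

    Only the first matching rule per line is reported, so a Google key is not
    also reported a second time as a generic assignment.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if name == "generic_secret_assignment" and shannon_entropy(match.group(2)) < entropy_threshold:
                # Low-entropy values like "placeholder" are almost never real
                # credentials; skip them rather than drown real hits in noise.
                continue
            findings.append((lineno, name))
            break
    return findings


# Constructed sample file: one correct line and several mistakes.
SAMPLE_SOURCE = '''\
import os
# Good: read the credential from the environment (or a secret manager) at runtime
db_password = os.environ.get("DB_PASSWORD")
# Bad: credentials baked into the source
api_key = "AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q"  # constructed, not a real key
aws_key = "AKIAIOSFODNN7EXAMPLE"  # AWS's documented example key id
token = "s3cr3t-T0k3n-9f8e7d6c5b4a"
PASSWORD = "placeholder"  # low-entropy placeholder, not reported
token = "Zq7pL2vX9sK4mN8rT1wB"  # nosecret: unit-test fixture
pem = "-----BEGIN RSA PRIVATE KEY-----"
'''

if __name__ == "__main__":
    for lineno, rule in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}")
```

Run against the sample, the scanner reports lines 5, 6, 7 and 10 and stays quiet on the environment lookup, the low-entropy placeholder and the line carrying the allow-list marker. The entropy gate is the part worth tuning for your codebase: too low and every config default becomes a finding, too high and short real tokens slip through.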
Since we are talking serverless containers, consider using hardened images. My friends at Chainguard offer some amazing solutions around that but there are others. This is not a paid advertisement by the way. I just find what they are doing to be really cool.
Next, secure your CI/CD pipeline. Make sure that everything is encrypted. Scan your code as it’s being built. Use some form of policy enforcement such as Kritis.
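Policy enforcement of the kind Kritis provides is easier to reason about with a concrete check in front of you. The following is an added example (my own code, not Kritis, Chainguard or any vendor’s) of an admission-style gate a CI/CD pipeline could run before a deploy: it parses an image reference and rejects images that come from outside an allow-listed registry path (so only your hardened or project-scoped images pass), are not pinned by digest, or ride on a mutable `latest` tag. The allow-listed registry paths and every image name are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Registry paths from which deployments are allowed (constructed placeholders:
# a project-scoped Artifact Registry path and a hardened-image mirror).
ALLOWED_PREFIXES: Tuple[str, ...] = (
    "us-docker.pkg.dev/example-project/",
    "registry.example.com/hardened/",
)

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image(ref: str) -> ImageRef:
    """Split an OCI image reference into registry, repository, tag and digest."""
    name, _, digest = ref.partition("@")
    # A tag is the text after the last ':' that comes after the last '/', so a
    # registry port such as localhost:5000/app is not mistaken for a tag.
    tag: Optional[str] = None
    colon, slash = name.rfind(":"), name.rfind("/")
    if colon > slash:
        name, tag = name[:colon], name[colon + 1:]
    # The first path component is a registry host only if it looks like one
    # (has a dot or a port, or is "localhost"); otherwise Docker Hub is implied.
    first, sep, rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = "docker.io", name
    return ImageRef(registry, repository, tag, digest or None)


def check_image(ref: str, allowed_prefixes: Tuple[str, ...] = ALLOWED_PREFIXES) -> List[str]:
    """Return the policy violations for an image reference; an empty list means deployable."""
    img = parse_image(ref)
    violations: List[str] = []
    full_name = f"{img.registry}/{img.repository}"
    if not any(full_name.startswith(p) for p in allowed_prefixes):
        violations.append(f"{full_name} is outside the allowed registry paths")
    if img.digest is None:
        violations.append("image is not pinned by digest")
    elif not DIGEST_RE.match(img.digest):
        violations.append(f"digest {img.digest!r} is not a well-formed sha256 digest")
    if img.tag == "latest" or (img.tag is None and img.digest is None):
        violations.append("image resolves to the mutable 'latest' tag")
    return violations


if __name__ == "__main__":
    candidates = [
        "us-docker.pkg.dev/example-project/app/api@sha256:" + "a" * 64,
        "us-docker.pkg.dev/example-project/app/api:v1.2.3",
        "registry.example.com/hardened/python:3.12@sha256:" + "0" * 64,
        "nginx:latest",
        "localhost:5000/app",
    ]
    for ref in candidates:
        problems = check_image(ref)
        print(f"{'ALLOW' if not problems else 'DENY '} {ref}")
        for problem in problems:
            print(f"    - {problem}")
```

Pinning by digest is what makes the rest of the pipeline meaningful: a scan result or an attestation is tied to a specific image content, and a tag that can be re-pointed after the scan ran gives you nothing. A real gate would add signature or attestation verification on top of this structural check; that part depends on your tooling and is left out here.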
Finally, log, log, log, log. Be sure to capture everything that is happening so that you can react.
Final Thoughts
Security is important. We could go all day talking about serverless security. In no way should this post be seen as the tome of truth on security. This is just something to get you started. There are things I didn’t cover, such as database security. One thing I recommend is finding a great security vendor. I know with the recent news, it sounds like an awful idea, but honestly, you need it.
As serverless becomes more and more popular, we need to ensure that we aren’t getting lax with our security and are doing everything that we can to minimize the attack surface and avoid being on the front page of the Wall Street Journal due to a massive security breach.