Serverless computing is transforming the way organizations build, ship, automate and scale applications. With no need to worry about infrastructure or who’s going to manage it, developers are free to focus on application development and innovation. The payoffs can be significant:
- Faster time to market: When you reduce operational overheads, development teams can release quickly, incorporate feedback and get to market faster.
- Lower operating costs: By only paying for the resources you use, you’re never over-provisioning.
- Free-up developer time: Built-in service integrations mean more time to focus on building applications instead of configuring them.
- Flexibility at scale: Go from zero to full-throttle at peak demand, meeting customer needs faster and more efficiently.
FaaS-ter development cycles
For many organizations, moving to serverless means AWS Lambda. Operated by Amazon, it’s the most popular serverless computing service, allowing users to create functions that can be uploaded to Lambda for execution.
With no need to upload code to servers or configure backends, developers are able to release working versions of applications quickly and easily. Additionally, because every application is a collection of functions (rather than a single stack), adding new features, updates, patches or fixes can be done without needing to make changes to the whole application. Popular Lambda functions include web applications, calling APIs, task automation, data processing and integration with other AWS services.
While serverless offers multiple advantages over traditional cloud-based or server-centric approaches, it also introduces new challenges from a security perspective. When you’re deploying software at such a high pace, how is this code being protected from attacks? That’s taken care of by the cloud provider, right? Wrong.
What you need to know about moving to AWS Lambda
Each Lambda function runs inside its own container on a multi-tenant cluster of machines managed by AWS. The key point here is that AWS Lambda operates on a shared responsibility model. In other words: While AWS manages security of the cloud, security in the cloud is the responsibility of the customer.
This is important, because serverless functions introduce these new security risks:
- New attack vectors: Novel attack vectors, such as event data injection and business logic manipulation, take advantage of the architectural flexibility of serverless.
- Less relevant vulnerability scans: Because the end user owns only the application layer of the stack, vulnerability scanning of the entire stack becomes less relevant, and first-party code scanning becomes more important.
- Faster, more scalable development: Development and DevOps teams adopt serverless functions for speed; to be genuinely effective, your security will have to scale just as fast.
Securing serverless functions can be challenging. In addition to dealing with ubiquitous and ephemeral computing, many of the attack vectors themselves are non-traditional: event injection, denial of wallet, and business logic manipulation are just some of the issues you’ll need to take into account. Also, with widespread use of third-party libraries fueling the fast-paced development cycle, even organizations with secure coding practices can struggle to manage risk in the software supply chain. For these new attack vectors, traditional protection mechanisms like perimeter and endpoint security can’t be deployed.
Serverless warrants a different security approach
High-speed application development needs security that can keep pace – without slowing down updates and launches. Effective approaches to mitigating vulnerabilities within serverless functions include:
- A positive security model (deny by default) that protects code against zero-day attacks without requiring signature updates or machine learning.
- Comprehensive visibility into all serverless functions to eliminate blindspots and protect against vulnerabilities embedded in first and third-party code – the underlying risk factors in a software supply chain attack.
- Protection against the OWASP Serverless risks, including misconfigurations, code-level risks and injections.
- Automated mitigation to provide security at the pace of development, allowing DevOps and DevSecOps teams to protect without code or configuration changes.
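To show what the positive security model above looks like against the event data injection risk described earlier, here is an added example (not code from the post or from Imperva's product) of a deny-by-default event validator in a Python Lambda handler; the API Gateway event shape, the field allowlist and the sample events are assumptions constructed for the example.

```python
import json
import re

# Added example, not code from the post. Assumes an API Gateway proxy event
# whose body is JSON; the allowlist, handler and sample events are constructed.
# Positive security model: only these fields, in these shapes, are accepted;
# everything else is denied, so unseen payloads are blocked without a signature.
ALLOWED_FIELDS = {
    "order_id": re.compile(r"[0-9]{1,12}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}"),
}
MAX_BODY_BYTES = 4096  # bounds work per invocation (denial-of-wallet guard)

class RejectedEvent(ValueError):
    """Event did not match the allowlist."""

def validate_event(event):
    """Return only validated fields from the event, or raise RejectedEvent."""
    raw = event.get("body") or ""
    if len(raw.encode("utf-8")) > MAX_BODY_BYTES:
        raise RejectedEvent("body too large")
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise RejectedEvent("body is not valid JSON") from exc
    if not isinstance(body, dict):
        raise RejectedEvent("body must be a JSON object")
    unknown = set(body) - set(ALLOWED_FIELDS)
    if unknown:
        raise RejectedEvent(f"unexpected fields: {sorted(unknown)}")
    clean = {}
    for name, pattern in ALLOWED_FIELDS.items():
        value = body.get(name)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise RejectedEvent(f"field {name!r} missing or malformed")
        clean[name] = value
    return clean

def handler(event, context=None):
    """Lambda entry point: validate first, then act only on clean data."""
    try:
        data = validate_event(event)
    except RejectedEvent as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    return {"statusCode": 200, "body": json.dumps({"order_id": data["order_id"]})}

# Constructed sample events: one well-formed, one carrying an unexpected field.
GOOD_EVENT = {"body": json.dumps({"order_id": "1042", "email": "a@example.com"})}
BAD_EVENT = {"body": json.dumps({"order_id": "1042", "email": "a@example.com", "cmd": "x"})}
```

Because the allowlist, not a blocklist, decides what reaches the business logic, a field the developer never declared is rejected even if no rule has ever seen that payload.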
Gain visibility and control over your AWS Lambda functions
AWS Lambda can make a big impact on your organization. To learn more about the different approaches to securing those benefits, join Imperva Chief Technical Officer Kunal Anand and Director of Technology Peter Klimek for our ‘How to Migrate to AWS Lambda Without Overlooking Security’ webinar on July 15th. You’ll learn what it means to adopt serverless technology, why organizations need to secure their serverless functions and how to secure your transition to AWS Lambda, and you’ll have the opportunity to ask questions.
To make it even easier, Imperva is offering FREE Serverless Protection for AWS Lambda until the end of 2021, giving you the chance to see how comprehensive visibility, automated mitigation and security at the speed of development can transform your AWS Lambda environment. Register today.
The post Moving to AWS Lambda? Here’s what you need to know appeared first on Blog.
*** This is a Security Bloggers Network syndicated blog from Blog authored by Rajaram Srinivasan. Read the original post at: https://www.imperva.com/blog/moving-to-aws-lambda-heres-what-you-need-to-know/