Content Contribution: Security page

[rupakg]

Description

Add content to the Security section of the guide.

Filename: /guide/source/security/README.md

Page/Section: Security

Contributing Author: Shaked Zin (PureSec)

Details:

Some suggested ideas and guidance for content in this section:

Security

• How is security different in the serverless world?
• Are there new concerns and challenges?
• Are the existing best practices for security for cloud workloads still relevant?
• Is relying on external auth providers, giving up control?
• Managing data compliance and governance around company security policies?

Positives being Serverless

• Not managing infrastructure is a huge positive as you don’t have to deal with OS, Kernel, software vulnerabilities.
• Endpoint protections/application white listing/ - does not apply to serverless
• Networking solutions, looking at the entire network to prevent attacks - does not apply to serverless
• DDoS - distributed attack on events, API Gateway handles it - - does not apply to serverless, taken care by provider

Surface Area

• Surface area for attack
  • The surface area may seem small but due to the proliferation of functions, it increases the surface area of attack.
• Security distributed across functions
  • that is a positive but one bad function can spoil it for all. Access control/least priviledges is utmost important
• Does small execution times reduce exposure?
  • Less time to sniff data off a function
  • Backdoors are not relevant in cloud workloads

Data Sharing

• How is data shared in a stateless environment?
• How is data isolated?
• How can data be compromised in transit?

Integrations

• How do integrations with Auth services and providers work?
• Example of some services and auth providers - Auth0, Cognito

Application Vulnerabilities

• Code injection into code (OWASP - researching), not dealing with input correctly, input validation of name of file (XRSF/CSRF), logging sensitive information
• Attacks effecting the deployment, man-in-the-middle attacks
• When the attacker compromises a function, what they can do in AWS is based on how the Access Control/permissions are set and effect DynamoDB, SNS (phishing email), permission to create users (persistency attacks), create other functions etc.
• Vulnerability Scanning of deployed artifacts (dependencies, node_modules, binaries etc.)
• Anamoly Detection: Are processes running as desired, understand normal functioning of functions and compare it to abnormal behavior, and identify anomalies

Access Management

• Access Control groups and permission sets
• Role-based access (IAM roles)
• What about other provider-specific roles?

Vendor Specific

• How does it translate to the Framework? Does it make it easier to manage? PureSec security plugin
• Automatic setting of least privileged IAM roles/permissions
• Vulnerability Scanning