Procedures to Secure the API of a Serverless Application
Serverless computing is trending among developers. It has empowered mid-level software developers to build large applications that would otherwise require the help of senior-level architects, and it provides a high degree of flexibility in scaling the run-time environment.
Traditional cloud services provide infrastructure for outsourcing data center operations to a remote location. Development teams still need to plan resource usage: the number of servers and the amount of storage required, the location of instances, and every other resource the application consumes. They also need to track consumption, since usage rises and falls with demand. Serverless platforms handle all of the orchestration and application capacity controls through their function-as-a-service (FaaS) offering. The FaaS platform lets a developer build and deploy an application without managing the infrastructure controls. It is also a cost-effective model, because enterprises do not pay for idle time. AWS first introduced serverless technology with its Lambda platform, followed by Google Cloud Functions and Microsoft's Azure Functions.
Serverless computing services allow any developer to put code on the internet without the approval of a DevOps team, a security team, or any other group that traditionally controlled the launch of a business application. This has created concerns for organizations, since developers of any experience level can deploy code and jeopardize security. Organizations are particularly concerned about Application Programming Interfaces (APIs), because APIs carry sensitive data in today's application designs. Any application pushed to production without appropriate security assurances creates attack vectors that attackers can use to extract data.
According to Gartner, API gateways are the best practice for serverless computing, but the available API gateways have limitations. Developers also avoid using multiple cloud platforms for a single application. Here are a few ways to secure the API of a serverless application:
API definition and specification: The enterprise needs an API definition that states exactly what the serverless app can do. It should follow a standard specification such as Swagger or OpenAPI v3.
Authentication and encryption: Serverless applications should use appropriate identity verification tools. Organizations need to enable SSL encryption with proper handling of encryption keys and app secrets. Attackers take advantage of poor AppSec hygiene, so these essential security controls must be handled properly.
Data sources: Enterprises need to identify the data sources that their serverless applications can access; these should fall within the automated SDLC audit and security assessment.
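As an added illustration (not code from the original article), here is a gateway-style pre-check that a serverless handler could run on an API Gateway proxy event before any business logic, tying the three points above together: it requires a verified bearer token, rejects any operation that is not in the API definition, refuses data sources outside the audited allowlist, and validates the request body. The API definition, token format, signing key and data source names are all constructed for this example.

```python
import hashlib
import hmac
import json
import re

# Constructed OpenAPI-style definition: the only operations the function may expose,
# each tied to the data source it is allowed to touch.
API_DEFINITION = {
    ("GET", r"^/orders/(?P<id>[0-9]{1,8})$"): {"data_source": "orders-table"},
    ("POST", r"^/orders$"): {"required": {"sku": str, "qty": int},
                             "data_source": "orders-table"},
}
ALLOWED_DATA_SOURCES = {"orders-table"}   # inventory produced by the SDLC audit (constructed)
TOKEN_KEY = b"constructed-demo-key"        # in production: loaded from a secrets manager

def issue_token(subject: str) -> str:
    """Constructed bearer token format: subject plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(TOKEN_KEY, subject.encode(), hashlib.sha256).hexdigest()
    return f"{subject}.{tag}"

def verify_token(token: str):
    """Return the subject if the tag verifies (constant-time compare), else None."""
    subject, _, tag = token.partition(".")
    expected = hmac.new(TOKEN_KEY, subject.encode(), hashlib.sha256).hexdigest()
    return subject if subject and hmac.compare_digest(tag, expected) else None

def handle(event: dict) -> dict:
    """Authenticate, then match the request against the API definition and validate it."""
    auth = event.get("headers", {}).get("Authorization", "")
    subject = verify_token(auth[7:]) if auth.startswith("Bearer ") else None
    if subject is None:
        return {"statusCode": 401, "body": "invalid or missing bearer token"}
    method, path = event.get("httpMethod", ""), event.get("path", "")
    for (m, pattern), spec in API_DEFINITION.items():
        match = re.match(pattern, path)
        if m == method and match:
            break
    else:
        return {"statusCode": 404, "body": "operation not in API definition"}
    if spec["data_source"] not in ALLOWED_DATA_SOURCES:
        return {"statusCode": 403, "body": "data source not approved by audit"}
    if "required" in spec:
        try:
            body = json.loads(event.get("body") or "{}")
        except json.JSONDecodeError:
            return {"statusCode": 400, "body": "malformed JSON body"}
        for field, typ in spec["required"].items():
            if type(body.get(field)) is not typ:   # exact type: rejects bool for int
                return {"statusCode": 400, "body": f"field {field} missing or wrong type"}
    return {"statusCode": 200, "body": json.dumps({"subject": subject, **match.groupdict()})}
```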