Serverless Security

By Miguel A. Calles
serverless security

What is serverless security?

Serverless technologies provide many benefits. They can reduce operating costs and time spent managing servers. Although there are no servers, there is still a cybersecurity risk. Miguel A. Calles wrote a book that guides on how to put cybersecurity into practice in serverless. Importantly, the book on Amazon marketplace “Serverless Security: Understand, Assess, and Implement Secure and Reliable Applications in AWS, Microsoft Azure, and Google Cloud” is available for sale on Amazon. It has thirteen chapters and over 350 pages with several examples. Watch the explainer video below to learn more. Moreover, the book explains how to perform a risk assessment and areas to address security. The different areas include securing code and interfaces, permissions, configuration, auditing, and more. There are many areas to serverless to consider.

Are you looking to move to serverless technologies while having a more secure environment? Oxtrabot Systems is a partner in the AWS Partner Network and want to help you on your serverless journey. We will explain the advantages of serverless and focus points to consider regarding serverless security assessments.

cybersecurity engineer

Serverless Security
By Miguel A. Calles

About the author:

Miguel A. Calles is the author of the “Serverless Security” book and a certified Cybersecurity engineer who works on cloud computing projects. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and has worked on large military systems spanning various engineering roles in his career. Miguel started Cybersecurity training in 2016 for a U.S. government contract, has been doing technical writing since 2007, and has worked in multiple engineering roles since 2004.

Miguel has a Bachelor of Science degree in Material Science and Engineering from the Massachusetts Institute of Technology (MIT), a Master of Business Administrator (MBA) degree from the University of Florida, a Cloud Security Alliance’s (CSA) Certificate of Cloud Security Knowledge (CCSK) certification, and a CompTIA A+ certification. 

aws security tools
  • Establish access controls and permissions
  • Automate security controls
  • Deployable on Amazon AWS
  • Increased security with serverless code
  • Ensure best practices in the network

Serverless services like AWS Lambda come with automatic scaling, built-in high availability, and a pay-for-value billing model. Lambda is an event-driven compute service that enables you to run code in response to events from over 150 natively-integrated AWS Security Tools. 

Accomplishing this all without managing any servers while referenced on Amazon Partner Program. For more information:


Chapter 1 Introduction to Cloud Security:

In this chapter, we will review cloud computing and how its security evolved. We will learn how serverless computing relates to cloud computing and how securing serverless computing differs from the typical cloud computing Cybersecurity. We Cybersecurity, how it applies to cloud computing, and why it is needed. This chapter will set the foundation for Cybersecurity in serverlesscomputing by putting it in the context of cloud computing and its security.

Chapter 2 Performing a Risk Assessment:

In this chapter, we will learn how to perform a risk assessment for a serverless application. We will explore how to understand how the application works, which includes reviewing documentation, source code, and system accounts and using the application. We will discuss why we scope the risk assessment. We will learn how to develop a threat model and how to use it to start creating the risk assessment.

Chapter 3 Securing the Code:

In this chapter, we will review the importance of securing the application code. We will learn how to choose the runtime and version for our serverless functions and how to assess any libraries and dependencies they use. We will discuss static code analysis tools, unit tests, and regression tests and how they help secure our application code. Finally, we will learn how multiple events can trigger serverless functions and review examples on performing input validation on those events.

Chapter 4 Securing Interfaces:

In this chapter, we will review the function triggers and provide a use case for each. We will discuss how to identify the different interfaces defined in the Serverless configuration file and function code.

Chapter 5 Configuring the Application Stack:

In this chapter, we will review the organization of the Serverless configuration file. We will explore good practices for us to consider using in each configuration section.

Chapter 6 Restricting Permissions:

In this chapter, we will discuss how we might use permissions in AWS, Azure, and Google Cloud. We might consider them as a first-line defense in our serverless environment from attacks on functions and account takeovers. Therefore, we should understand how to implement them. We will learn the permission capabilities each provider has and how we might use them.

Chapter 7 Account Management:

In this chapter, we will discuss how we might manage our account to reduce risk and improve security. The provider account allows us to access multiple services and create numerous resources. We will learn how we might use various accounts to organize the resources we create and how to secure our account by implementing standard practices.

Chapter 8 Secrets Management:

In this chapter, we will discuss how you might protect our secrets using provider services. We will explore the various ways AWS will enable us to encrypt secrets. Based on this exploration, we will select an approach that has a balance between encryption and convenience, and explore that approach in Azure and Google Cloud.

Chapter 9 Authentication and Authorization:

In this chapter, we will define authentication and authorization. We will review different approaches for implementing both in our serverless application, discuss where those approaches might apply, and provide some security practices for each. Lastly, we will review services and capabilities that AWS, Azure, and Google Cloud provide to help us implement authentication and authorization.

Chapter 10 Protecting Sensitive Data:

In this chapter, we will discuss some principles for protecting sensitive data. We will consider sensitive data to be information that are not secrets but might still result in damage when putting multiple pieces of data together. For example, driver’s licenses, birthdays, medical history, and so on are sensitive data. We will learn how to apply these principles in the cloud provider services, the software used to build the application, and the application configuration.

Chapter 11 Monitoring, Auditing, and Alerting:

In this chapter, we will discuss monitoring, auditing, and alerting. We will consider monitoring to be the process and tools we use to assess our application, auditing to be the process of looking for deviations from desired settings, and alerting to be the notification process when there are monitoring and auditing findings. We will review cloud provider services we can use to implement monitoring, auditing, and alerting.

Chapter 12 Additional Considerations:

In this chapter, we will review additional topics for us to consider in our project. They are based on situations from projects using the Serverless Framework and Cybersecurity concepts. The topics we will review are in no particular order and were reserved for the penultimate1 chapter to share additional thoughts without disrupting the main messages from the previous chapters.

Chapter 13 Finalizing the Risk Assessment:

In this chapter, we will discuss how to finalize the risk assessment we started in Chapter 2 to present it to our business stakeholders. So, want to learn more? Click the button below!

Intelligent Services - Boulder