Original article by Trend Micro
The demand for container and serverless technologies has increased in recent years. According to a market research and consulting firm, the global market size for containers is expected to grow from US$ 1.2 billion in 2018 to US$4.98 billion by 2023, while serverless architecture is projected to grow from US$7.6 billion in 2020 to US$21.1 billion by 2025. The increased demand for container and serverless technologies is due to the fact that enterprises can rely on them for scalability, efficiency, and cost-effectiveness when developing and deploying applications.
However, as with any burgeoning technology, container-based and serverless applications are not immune to risks and threats. It is only a matter of time before malicious actors, who are always casting wider nets to reach more potential victims, start targeting them frequently for various schemes. In this light, how can enterprises strengthen the security of such applications against potential attacks?
This article zeroes in on certain security considerations that developers need to know and the ways that they can build the best defense for container-based and serverless applications through runtime application self-protection (also known as RASP), a tool that incorporates security into an application at runtime.
RASP is a security tool that runs on a server and begins functioning every time that an application runs. Simply put, RASP is designed to detect malicious behavior in real time. RASP is capable of protecting applications from attacks by analyzing both an application’s behavior as well as the context of that behavior.
What are the benefits of RASP?
In essence, RASP provides real-time protection to applications. RASP can intercept all kinds of traffic that indicate malicious behavior like SQL injection, cross-site scripting (XSS), vulnerabilities, bots, and attacks deployed through email, Slack, and other message types.
Because RASP is built directly into an application, it is innately capable of monitoring application behavior. Thus, RASP can prevent attacks with high accuracy as it can discern between attacks and legitimate requests, thereby reducing false positives and allowing security engineers to focus on combatting more serious problems.
In addition, RASP also offers better protection from zero-day exploits. RASP offers a short-term fix if a patch for an application is not readily available for an extended period. To add, RASP is not dependent on any type of signature for an exploit because the baseline for proper operation is the application itself.
How RASP protects serverless applications
To illustrate how RASP secures serverless applications, we demonstrate how a function of Amazon Web Services (AWS) Lambda — a serverless service that allows enterprises to run code without server provisioning and maintenance — can be secured using Trend Micro Cloud One™ – Application Security.
In the Trend Micro research paper “Securing Weak Points in Serverless Architectures: Risks and Recommendations,” Alfredo de Oliveira, a Trend Micro Senior Security Researcher, created a proof of concept that involves an AWS Lambda function granted with high permissions to highlight the risks of implementing bad code on a serverless system. Under such a condition, threat actors could alter the Lambda function timeout and subsequently perform attacks such as privilege escalation and data exfiltration. It should be noted that for this proof of concept, we have configured the Lambda administrative privileges. By default, Lambdas have no permissions aside from those defined by the customer. In this light, customers should always follow the principles of least privilege when defining an execution role.
Figure 1 illustrates the attack chain involving an AWS Lambda function granted with high permissions, as described in the above paragraph. It should be noted that Cloud One – Application Security libraries are already preinstalled in the system.
Figure 1. An attack chain involving an AWS Lambda function with high permissions
How to automate RASP
Automating RASP is an even more effective approach to securing serverless applications. An AWS Lambda function template (for example, CloudFormation) contains the necessary RASP components to integrate Cloud One – Application Security into the AWS Lambda.
By providing these pieces of information in a CFN template, development teams can be empowered to launch an AWS Lambda function with the assurance that security is already a part of the application itself. This also limits the numerous manual steps that were mentioned previously.
RASP is a tool that enables organizations to “shift left,” which is an important direction that allows developers to use secure, well-understood patterns for secrets management and resilient coding practices.
On another note, while some might champion the benefits brought about by new security technologies like RASP, it is also possible that some skeptics who work under traditional processes might resist these changes. Still, these skeptics could be enlightened if organizations were to hold inclusive discussions about how each team or department can bridge the gap and work together toward building a strong DevSecOps culture. This culture, in turn, could be fostered by having development and security teams conduct proper software testing, integrated security, and operational visibility at all times.
Trend Micro Cloud One
While cloud service providers (CSPs) provide guidance and security features for their services, enterprises should still ensure that they improve the security of the services that are connected to their computing environment.
Adopting the shared responsibility model is key to securing these services as it requires both the CSP and the user to maintain areas of responsibility to keep their computing environment protected. In the case of AWS Lambda, it should be noted that the execution role only launches with permissions defined by the user. Therefore, customers should follow the principle of least privilege when defining an execution role.
Enterprises can also rely on the Trend Micro Cloud One security services platform. Cloud One provides enterprises centralized visibility over their hybrid cloud environments and real-time security with the following automated and flexible services:
- Application Security is an embedded security framework that proactively detects threats and protects applications and APIs on their containers, serverless, as well as other cloud computing platforms.
- Cloud Conformity performs hundreds of automated checks against industry compliance standards and cloud security best practice rules, improving the cloud infrastructure’s security and compliance posture.
- Container Security detects threats, vulnerabilities, and exposed sensitive data such as API keys and passwords within container images.
- Workload Security can automatically protect legacy systems with virtual patching and cloud workloads from evolving threats through machine learning (ML) technology.
- File Storage Security protects cloud file/object storage services that are on cloud-native application architectures via malware scanning and integrating into custom workflows.
- Network Security defends virtual private clouds by blocking attacks and threats and detecting infiltrations.