The OWASP Top 10 is the standard for security professionals to understand risks and attacks that their web applications may face.
In serverless applications, much of the heavy lifting, above all administering the server, is taken care of by the cloud provider. But we mustn't become complacent because of this. Our serverless applications still execute code, and therefore may still be vulnerable.
In 2018 OWASP published the OWASP Serverless Top 10. This is an effort to address the common application security risks and attacks that a serverless application may face. Here they are:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities
- Broken Access Control
- Security Misconfiguration
- Cross-Site-Scripting
- Insecure De-Serialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
Wait a minute... the eagle-eyed among you may be thinking 'These look familiar'. Yup, I had to do a double take too. You're right: it's exactly the same list as the OWASP Top 10, and even the order is the same. So what does this mean?
As I said earlier, our serverless applications still run and execute code. If that code is written insecurely, it's going to be vulnerable to the same application-level attacks as our traditional applications.
In most cases the attacks will be very similar, but what you can't tell from a list of ten headings is that there are serverless-specific variations of these attacks. There are variations in every category, but in my opinion, and to keep this at blog-post length rather than book length, the most fundamental cloud/serverless variations are found in the following categories:
- Broken Authentication
- Broken Access Control
- Security Misconfiguration
- Insufficient Logging / Monitoring
These are the categories we'll be looking at examples of for Microsoft Azure in this article.
What it is
Easy Auth in Azure Functions; AD B2C for more advanced scenarios.
Lots of different resources make up a serverless system. Attackers will exploit the connections between these, so a strong access control policy is very important here.
- Least Privilege
- No keys in App Settings; use Key Vault instead, and keep those keys limited
- Remember serverless is more than just functions... Security Center recommendations
- Storage security guide (link)
- Functions best practices (link)
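As an added example (not code from the original post), here is the weak setting beside the corrected one for the "no keys in App Settings" and least-privilege points above, plus a small audit that flags App Settings holding plaintext secrets instead of Key Vault references. The resource group, function app, vault and secret names are placeholders.

```shell
#!/usr/bin/env bash
# Added example; rg-demo, func-demo, kv-demo and StorageConnection are placeholder names.
set -eu

RG="rg-demo"; APP="func-demo"; VAULT="kv-demo"; SECRET="StorageConnection"

# Weak: the raw storage key sits in App Settings, readable by anyone who can view the
# Function App's configuration (shown for contrast only, kept commented out).
# az functionapp config appsettings set -g "$RG" -n "$APP" \
#   --settings "STORAGE_CONN=DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=<plaintext key>"

# Corrected: managed identity + Key Vault reference, with the identity limited to 'get'.
configure_keyvault_reference() {
  local principal_id
  # 1. Give the Function App a system-assigned managed identity and capture its object id.
  principal_id=$(az functionapp identity assign -g "$RG" -n "$APP" --query principalId -o tsv)
  # 2. Least privilege: the identity may only read secrets; no list, set or delete.
  az keyvault set-policy -n "$VAULT" --object-id "$principal_id" --secret-permissions get
  # 3. The App Setting stores a Key Vault reference; the secret value never leaves the vault.
  az functionapp config appsettings set -g "$RG" -n "$APP" \
    --settings "STORAGE_CONN=@Microsoft.KeyVault(VaultName=$VAULT;SecretName=$SECRET)"
}

# classify_setting VALUE -> "keyvault-ref" if VALUE is a Key Vault reference, else "plaintext".
classify_setting() {
  case "$1" in
    "@Microsoft.KeyVault("*")") echo "keyvault-ref" ;;
    *) echo "plaintext" ;;
  esac
}

# audit_settings reads NAME=VALUE lines on stdin (e.g. exported from
# `az functionapp config appsettings list`) and prints the names of settings that
# look secret-bearing but are not Key Vault references.
audit_settings() {
  local name value
  while IFS='=' read -r name value; do
    case "$name" in
      *KEY*|*SECRET*|*CONN*|*PASSWORD*)
        if [ "$(classify_setting "$value")" = "plaintext" ]; then echo "$name"; fi ;;
    esac
  done
}
```

Run `configure_keyvault_reference` once the placeholder names point at real resources; `audit_settings` needs no Azure access and can be run over any exported settings list.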