Off-by-none: Issue #2
September 11, 2018
Serverless Security, yeah, that's all I want from you
Hey, Everyone! Welcome to Issue #2 of Off-by-none. Thanks so much for being here. 🙌
Last week we talked about the goal of Off-by-none and introduced a new way to think about managing MySQL connections at serverless scale. This week, I want to focus on security, and how we can use cloud provider tools, common sense strategies, and other vendor solutions to lock down our serverless applications.
Here we go! 🚀
When you install a compromised third-party dependency... 🤦🏻♂️
Not too long ago, 54% of the NPM ecosystem was compromised by using a series of brute force attacks, leaked datasets, and fuzzing passwords. NPM has continued to add more protections to mitigate these types of risks, but nothing is foolproof. Sometimes, the developers using them are to blame for installing malware with similar names to popular packages. As with the NPM hack above, sometimes the compromised dependency could be way down the dependency chain. This could leave your application, user data, credentials, and even access keys, extremely vulnerable.
This isn't meant to scare you away from serverless. In fact, the issues above aren't even specific to serverless. However, the built-in scalability of FaaS is what can exacerbate an attack by spinning up thousands of functions to do a hacker's bidding. So, when building serverless applications, we want to do whatever we can to minimize these types of risks.
There are some serverless security basics that developers should really know. These will go a long way to mitigating a number of popular attack vectors. Serverless also requires us to think about event injection since many of our functions will be processing events without protection from WAFs or WSGs. But beyond the basics, we still run the risk of compromised third-party packages leaking sensitive information when we run our functions.
I had conversation with Ory Segal, the CTO at PureSec about this and gave their free FunctionShield product a try. I wrote a posts called Serverless Security: Locking Down Your Apps with FunctionShield which tests it out and goes through the pros and cons. Perhaps some day the cloud providers will add additional security controls, but until then, I really think this is worth a look.
When you feel like geeking out with serverless... 🤓
Troy Hunt, creator of haveibeenpwned.com, wrote an excellent post about how it only costs him 2.6 cents per day to support 141M monthly queries of 517M records. Yeah, I didn't quite believe it at first either, but read the post and see for yourself: Serverless to the Max: Doing Big Things for Small Dollars with Cloudflare Workers and Azure Functions. 💰
Sam Bashton over at runbook.cloud threw some shade at Ben Kehoe with his How We Massively Reduced Our AWS Lambda Bill With Go post. He argues that single thread, single task functions are NOT always the best choice for serverless. Several people (including myself) weighed in on the Twitter debate. 😬
The New Stack had a chat with Nate Taggart from Stackery and discussed Serverless Analytics: Metrics, Collection and Visibility. Some interesting bits in there about the challenges with tracing, logging and observability in serverless applications. 🔭
And speaking of tracing, AWS X-Ray Now Supports Amazon API Gateway and New Sampling Rules API. This was a huge missing feature of X-Ray. I've haven't tried it yet, but it is on my list of things to do. 📝
When Jeff Barr (aka The Wizard of AWS) decides to share the love... ❤️
Jeff Barr not only gave a ringing endorsement of Marcia Villalba's new Getting Started with AWS SAM video series, but also tweeted a link (with one of his classic screenshots) to Lambda API. If you're not familiar with Lambda API, it's a lightweight web framework, built specifically for serverless applications. It's similar to to ExpressJS and Fastify, just ridiculously smaller with ZERO dependencies.
I think we all know by now that minimizing dependencies helps to secure and speed up our serverless apps. But size matters too. The other day I had put together this infographic that shows the comparison between the node_modules directories of different web frameworks and their total package sizes:
These libraries are great for servers, but Lambda API is so small, it adds almost nothing to your cold start times. There is an important lesson here, especially when you follow the “single purpose” best practice.
When you realize there are people smarter than you... 🧠
There are a few webinars coming up that look extremely interesting. These are all AWS Online Tech Talks, so they are free to attend. I've been looking for webinars from other providers as well, but Amazon seems to be the leader here. If you know of any great webinars coming up, please let me know.
- Serverless Application Debugging and Delivery – September 19, 2018 at 9 AM PT
- How to Integrate Natural Language Processing and Elasticsearch for Better Analytics – September 18, 2018 at 9 AM PT
- Best Practices for Building Enterprise Grade APIs with Amazon API Gateway – September 18, 2018 at 1 PM PT
Serverless Star of the Week ⭐️
There is a very long list of people that are doing #ServerlessGood and contributing to the Serverless community. These people deserve recognition for their efforts. So each week, I will mention someone whose recent contribution really stood out to me. I love meeting new people, so if you know someone who deserves recognition, please let me know.
This week's star is Adnan Rahić (@adnanrahic). He's a developer advocate at Dashbird as well as the author of Serverless JavaScript by Example. I chose Adnan this week because of the recent posts he's been adding to his Medium blog and his DEV.to profile. I personally love reading and sharing posts like his Crash course on Serverless with AWS — Triggering Lambda with SNS Messaging, because they provide practical and useful examples that others can follow and implement. It's inspiring to see others using and having success with serverless, so posts like these help lower the barrier for adoption.
He's also got another great post that looks at Containers vs. Serverless from a DevOps standpoint. Excellent read for those of you looking for an apples-to-apples comparison.
Final Thoughts 🤔
Security is an extremely important consideration when building our serverless applications. And since developers are now much closer to the execution environment, we must remember that with great power comes great responsibility. I think it's imperative that the serverless community continues to focus on security best practices, and I hope all of us will continue to do our part.
I hope you enjoyed this issue of Off-by-none. Please send me your feedback so I can continue to make this newsletter better each week. Reach out via Twitter, LinkedIn, Facebook, or email and let me know your thoughts, criticisms, or even how you’d like to contribute to Off-by-none.
Go build some great (and secure) serverless apps. Hope to see you next week!
Take care,
Jeremy
Sign up for the Newsletter
Stay up to date on using serverless to build modern applications in the cloud. Get insights from experts, product releases, industry happenings, tutorials and much more, every week!
Check out all of our amazing sponsors and find out how you can help spread the #serverless word by sponsoring an issue.
About the Author
Jeremy is the CEO and Founder of Ampt and an AWS Serverless Hero that has a soft spot for helping people solve problems using serverless. He frequently consults with companies and developers transitioning away from the traditional “server-full” approach. You can find him ranting about serverless on Twitter, in several forums and Slack groups, hosting the Serverless Chats podcast, and at conferences around the world.
Nominate a Serverless Star
Off-by-none is committed to celebrating the diversity of the serverless community and recognizing the people who make it awesome. If you know of someone doing amazing things with serverless, please nominate them to be a Serverless Star ⭐️!