"If you migrate to a #serverless architecture, you don't have to worry about anything anymore! โ๏ธ"
That's obviously not true for many points, including security! ๐
How ๐ฐ๐ฟ๐ถ๐๐ถ๐ฐ๐ฎ๐น ๐น๐ผ๐ด๐ด๐ถ๐ป๐ด helps to secure your application โ
That's obviously not true for many points, including security! ๐
How ๐ฐ๐ฟ๐ถ๐๐ถ๐ฐ๐ฎ๐น ๐น๐ผ๐ด๐ด๐ถ๐ป๐ด helps to secure your application โ
๐ง๐ต๐ฟ๐ฒ๐ฎ๐ฑ ๐ข๐๐ฒ๐ฟ๐๐ถ๐ฒ๐ ๐งต
โข It's not all fun & games
โข Why Logging is crucial
โข Invocation/Event Inputs
โข Response Payload
โข Performance Levels
โข Authentication Requests
โข Service Usage Indicators
โข The 4 W's
โข What you should never log ๐ฅ
{ 1 | 17 }
โข It's not all fun & games
โข Why Logging is crucial
โข Invocation/Event Inputs
โข Response Payload
โข Performance Levels
โข Authentication Requests
โข Service Usage Indicators
โข The 4 W's
โข What you should never log ๐ฅ
{ 1 | 17 }
๐๐โ๐ ๐ป๐ผ๐ ๐ฎ๐น๐น ๐ณ๐๐ป ๐ฎ๐ป๐ฑ ๐ด๐ฎ๐บ๐ฒ๐!
Serverless brings in a lot of benefits and helps developers to focus more on actually focusing on writing their apps instead of running and maintaining them
But it's not the holy grail that drops all responsibilities
{ 2 | 17 }
Serverless brings in a lot of benefits and helps developers to focus more on actually focusing on writing their apps instead of running and maintaining them
But it's not the holy grail that drops all responsibilities
{ 2 | 17 }
You still need to be aware of your web threats like cross-site scripting and #SQL injections.
And there's more:
โข Broken Authentication
โข Insecure Storage of App Secrets
โข Insecure deployment settings
โข Misuse of permissions
โข Improper exception handling
{ 3 | 17 }
And there's more:
โข Broken Authentication
โข Insecure Storage of App Secrets
โข Insecure deployment settings
โข Misuse of permissions
โข Improper exception handling
{ 3 | 17 }
Additionally, serverless brings in unique threats to take care of like #DoSattacks for ๐ณ๐ถ๐ป๐ฎ๐ป๐ฐ๐ถ๐ฎ๐น ๐ฒ๐
๐ต๐ฎ๐๐๐๐ถ๐ผ๐ป.
A thing that's often missed out on:
Logging is crucial for your application security as it can lead to huge issues later.
{ 4 | 17 }
A thing that's often missed out on:
Logging is crucial for your application security as it can lead to huge issues later.
{ 4 | 17 }
No system is 100% secure, but #logging will help to understand the flaws that were used to compromise our system.
We can use this information to fix flaws, build blocklists, or identify compromised accounts.
{ 5 | 17 }
We can use this information to fix flaws, build blocklists, or identify compromised accounts.
{ 5 | 17 }
๐๐ป๐๐ผ๐ฐ๐ฎ๐๐ถ๐ผ๐ป/๐๐๐ฒ๐ป๐ ๐๐ป๐ฝ๐๐๐
A first start is to log the inputs that are received by each function - regardless of whether they are internal or external.
It can help to retrace steps that were taken by the attacker or how validations were avoided.
{ 6 | 17 }
A first start is to log the inputs that are received by each function - regardless of whether they are internal or external.
It can help to retrace steps that were taken by the attacker or how validations were avoided.
{ 6 | 17 }
๐ฅ๐ฒ๐๐ฝ๐ผ๐ป๐๐ฒ ๐ฃ๐ฎ๐๐น๐ผ๐ฎ๐ฑ
Similar to invocation inputs, logging outputs help to analyze and mitigate security breaches.
In the worst-case - not being able to stop attacks - we can at least identify what information was stolen.
{ 7 | 17 }
Similar to invocation inputs, logging outputs help to analyze and mitigate security breaches.
In the worst-case - not being able to stop attacks - we can at least identify what information was stolen.
{ 7 | 17 }
๐ฃ๐ฒ๐ฟ๐ณ๐ผ๐ฟ๐บ๐ฎ๐ป๐ฐ๐ฒ ๐๐ฒ๐๐ฒ๐น๐
If a function performs badly and now takes 2.5s instead of 250ms to complete a task, we can end up in financial misery as we're paying what we use in #serverless land.
Logging for this purpose depends heavily on the use case.
{ 8 | 17 }
If a function performs badly and now takes 2.5s instead of 250ms to complete a task, we can end up in financial misery as we're paying what we use in #serverless land.
Logging for this purpose depends heavily on the use case.
{ 8 | 17 }
Nevertheless, it's vital to have this in mind when planning the application critical logs.
At Dashbird, we're also collecting & aggregating detailed insights about all of your function's performances. Having this in a single place will save time & money.
{ 9 | 17 }
At Dashbird, we're also collecting & aggregating detailed insights about all of your function's performances. Having this in a single place will save time & money.
{ 9 | 17 }
๐๐๐๐ต๐ฒ๐ป๐๐ถ๐ฐ๐ฎ๐๐ถ๐ผ๐ป ๐ฅ๐ฒ๐พ๐๐ฒ๐๐๐
If your app has a protected area, it's important to log for authentication requests, especially failed ones.
Look for odd requests or patterns.
Maybe there's a spike in failed requests for emails that aren't even known
{ 10 | 17 }
If your app has a protected area, it's important to log for authentication requests, especially failed ones.
Look for odd requests or patterns.
Maybe there's a spike in failed requests for emails that aren't even known
{ 10 | 17 }
This could indicate that someone's scanning a list of leaked passwords to find potentially vulnerable accounts in your app
Authentication logging can alert that someone is scouting our app for weak spots.
By that, you can introduce countermeasures before an attack
{ 11 | 17 }
Authentication logging can alert that someone is scouting our app for weak spots.
By that, you can introduce countermeasures before an attack
{ 11 | 17 }
External sources like ๐๐ฎ๐๐ฒ ๐ ๐ฏ๐ฒ๐ฒ๐ป ๐ฃ๐๐ป๐ฒ๐ฑ can be very helpful here
Preemptively search for compromised accounts & lock them, asking for a password reset.
Your customers will love to receive a preventive serverless security alert
haveibeenpwned.com
{ 12 | 17 }
Preemptively search for compromised accounts & lock them, asking for a password reset.
Your customers will love to receive a preventive serverless security alert
haveibeenpwned.com
{ 12 | 17 }
๐ฆ๐ฒ๐ฟ๐๐ถ๐ฐ๐ฒ ๐จ๐๐ฎ๐ด๐ฒ ๐๐ป๐ฑ๐ถ๐ฐ๐ฎ๐๐ผ๐ฟ๐
It's always a good idea to log service usage indicators
Even with carefully planned costs & pricing structures, there could be things that went unseen
Maybe mistakes were made at dimensioning costs & pricing of our app
{ 13 | 17 }
It's always a good idea to log service usage indicators
Even with carefully planned costs & pricing structures, there could be things that went unseen
Maybe mistakes were made at dimensioning costs & pricing of our app
{ 13 | 17 }
Maybe there are cost spikes as some authorization logics are bypassed and someone is free-riding on our backs.
Logs will help to
โข narrow down contributing services
โข who was contributing to the cost spikes
โข where services abused in a way we didn't expect?
{ 14 | 17 }
Logs will help to
โข narrow down contributing services
โข who was contributing to the cost spikes
โข where services abused in a way we didn't expect?
{ 14 | 17 }
๐ง๐ต๐ฒ ๐ฐ ๐ช'๐
Based on OWASP Logging Cheat Sheet Recommendations, we should be logging:
โข When
โข Where
โข Who
โข What
...in every function invocation!
This applies to all items that we discussed.
cheatsheetseries.owasp.org/cheatsheets/Loโฆ
{ 15 | 17 }
Based on OWASP Logging Cheat Sheet Recommendations, we should be logging:
โข When
โข Where
โข Who
โข What
...in every function invocation!
This applies to all items that we discussed.
cheatsheetseries.owasp.org/cheatsheets/Loโฆ
{ 15 | 17 }
We at Dashbird.io help you with all of them by providing the observability that lacks your serverless environment while providing monitoring & alerting
Spend less time debugging with detailed, noise-free insights and always be on top of what's going on
{ 16 | 17 }
Spend less time debugging with detailed, noise-free insights and always be on top of what's going on
{ 16 | 17 }
A last reminder to complete this thread:
User-related information like personal or sensitive data should ๐ป๐ฒ๐๐ฒ๐ฟ be logged!
Make sure to filter these out as it might get you in big trouble, not only with regulatory authorities.
{ 17 | 17 }
User-related information like personal or sensitive data should ๐ป๐ฒ๐๐ฒ๐ฟ be logged!
Make sure to filter these out as it might get you in big trouble, not only with regulatory authorities.
{ 17 | 17 }
Thank you for reading!
You can find the complete article and more serverless-related tutorials, news, and insights at @thedashbird blog โ๏ธ
dashbird.io/blog/serverlesโฆ
You can find the complete article and more serverless-related tutorials, news, and insights at @thedashbird blog โ๏ธ
dashbird.io/blog/serverlesโฆ
โข โข โข
Missing some Tweet in this thread? You can try to
force a refresh
ใ
