Here are some useful open source serverless security tools to help you secure your apps
The growing popularity of serverless architecture has led to its massive adoption. My organization jumped on the serverless bandwagon, and it has lived up to expectations. The advantages have been tremendous: now that we need not spend much time on infrastructure maintenance, we have more time to focus on developing, marketing and deploying the software.
But with that, I’ve always been somewhat concerned about security. As soon as we made the transition to serverless, I began researching ways to ensure maximum security. The number of cyberthreats was staggering, from DDoS attacks and data injection to business logic manipulation. Just refer to the OWASP Top 10 list of threats and you’ll see how much ground there is to cover.
That is why we turned to the many tools and resources on the market, especially open source ones, to help with our security. They save a lot of time otherwise spent on manual maintenance of the system.
Threats detected earlier in the production process can be fixed before they become complications that cost the business money. Automating security with these tools has helped us speed up serverless security and maintenance in an agile environment where quality apps must be deployed and upgraded on much shorter deadlines.
Serverless Security Tools
Over the years I’ve tried and experimented with a lot of serverless security tools on the market, both open source and commercial, and I definitely have some favorites.
Here are five of the best open source serverless security tools on the market you can start with:
Snyk
Snyk is a great open source tool for maintaining the security of your serverless projects. You can automate the entire security and maintenance process through Snyk by integrating it directly into your CI/CD system. You simply need to set up a ‘snyk test’ step within your CI/CD pipeline.
What Snyk does best is detect vulnerabilities in dependencies, so that you can find and deal with them as soon as possible and avoid future issues with the application. It monitors your apps continuously and surfaces security threats through regular PR checks. With Snyk, you have complete freedom to decide how often your app is tested. One of the most convenient features of the tool, in my view, is the ability to configure notifications via email or Slack. I need not check the tool manually time and again for risks; I get notified right on time.
Snyk is compatible with multiple third-party cloud services. The company also recently announced integration with AWS and Azure.
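As an added example (not code from the article or from Snyk), here is the kind of pipeline step the ‘snyk test’ integration amounts to: a gate that fails closed, so that a scan that could not run is not mistaken for a clean result. The exit codes are the ones Snyk documents for `snyk test`; the `SNYK_BIN` override and the `snyk_gate` name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article: a CI gate around `snyk test` that
# fails closed. It relies on the exit codes Snyk documents for `snyk test`:
#   0 = nothing found at or above the severity threshold
#   1 = vulnerabilities found (action needed)
#   2 = the scan itself failed (authentication, network, ...)
#   3 = no supported project detected in the directory
# SNYK_BIN is an assumption of this example: it lets the gate be exercised
# with a stand-in command; in a real pipeline leave it at the default.
set -u
: "${SNYK_BIN:=snyk}"

# snyk_gate THRESHOLD DIR
# THRESHOLD is low|medium|high|critical. Returns 0 only when the scan ran to
# completion and reported nothing at or above THRESHOLD; every other outcome,
# including a scan that could not run at all, fails the pipeline step.
snyk_gate() {
  threshold="$1"; dir="$2"
  ( cd "$dir" && "$SNYK_BIN" test --severity-threshold="$threshold" )
  rc=$?
  case "$rc" in
    0) echo "PASS: no $threshold or higher vulnerabilities in $dir"; return 0 ;;
    1) echo "FAIL: $threshold or higher vulnerabilities found in $dir"; return 1 ;;
    2) echo "ERROR: snyk could not complete the scan; failing closed" >&2; return 2 ;;
    3) echo "ERROR: no supported project in $dir; failing closed" >&2; return 3 ;;
    *) echo "ERROR: unexpected snyk exit code $rc; failing closed" >&2; return 4 ;;
  esac
}

# Usage in a pipeline step: sh snyk_gate.sh high ./my-function
[ $# -eq 0 ] || snyk_gate "$1" "${2:-.}"
```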
Docker-Lambda
Another efficient open source serverless tool is Docker-Lambda. How efficient and rapid iteration can be depends immensely on how comprehensive and robust the local framework is. With Docker-Lambda, rapid iteration is achieved through Docker containers that emulate the production environment of AWS Lambda functions.
This sandboxed local execution environment replicates the configuration and functionality of the Lambda runtime, including:
- APIs and libraries
- Permissions and usernames
- Lambda function’s calling contexts
The tool’s containers provide the environment you need to understand how your code will behave before release, which in turn improves the maintainability and reliability of your serverless application.
In my experience, Docker-Lambda is ideal to use in the following circumstances:
- When you require swift local reproducibility.
- When you don’t want to trigger a live Lambda simply to test your Lambda package.
- When there is no need to spin up an instance of Amazon Linux EC2.
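An added example, not code from the article or from the docker-lambda project: a wrapper that runs a handler locally in docker-lambda’s `lambci/lambda` image with the emulated timeout and memory limit set, and refuses to start if the handler module is missing from the package. The image tag, the `/var/task` mount and the `AWS_LAMBDA_FUNCTION_*` variables are docker-lambda’s documented interface; `DOCKER_BIN` and the `lambda_local` name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article or the docker-lambda project: invoke a
# Lambda handler locally in the lambci/lambda image that docker-lambda
# publishes, so the package is tested without triggering a live function.
# The image tag (one per runtime), the /var/task mount and the
# AWS_LAMBDA_FUNCTION_* variables are docker-lambda's documented interface.
# DOCKER_BIN is an assumption of this example so the wrapper can be
# exercised without a Docker daemon.
set -u
: "${DOCKER_BIN:=docker}"

# lambda_local RUNTIME HANDLER TASK_DIR EVENT_JSON [TIMEOUT_S] [MEMORY_MB]
# e.g. lambda_local nodejs12.x index.handler ./dist '{"key":"value"}' 3 128
lambda_local() {
  runtime="$1"; handler="$2"; event="$4"
  timeout="${5:-3}"; memory="${6:-128}"
  # Docker bind mounts need an absolute host path.
  task_dir=$(cd "$3" 2>/dev/null && pwd) || {
    echo "no such directory: $3" >&2; return 2; }
  # Preflight: the handler's module must exist in the task directory, or the
  # container only fails later with an opaque "module not found" at runtime.
  module="${handler%.*}"
  if ! ls "$task_dir/$module".* >/dev/null 2>&1; then
    echo "handler module '$module' not found in $task_dir" >&2
    return 2
  fi
  # --rm throws the container away afterwards; :ro mounts the function code
  # read-only, as Lambda presents /var/task; the two -e variables make the
  # emulated timeout and memory limit match the deployed configuration.
  "$DOCKER_BIN" run --rm \
    -v "$task_dir:/var/task:ro" \
    -e "AWS_LAMBDA_FUNCTION_TIMEOUT=$timeout" \
    -e "AWS_LAMBDA_FUNCTION_MEMORY_SIZE=$memory" \
    "lambci/lambda:$runtime" "$handler" "$event"
}

[ $# -eq 0 ] || lambda_local "$@"
```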
Protego
Protego is a web-based application that applies security throughout an application’s life cycle, from development and deployment to runtime.
Protego supports AWS, Google Cloud Platform and Azure. It also supports functions built with common programming languages and frameworks, including the Node.js, Python and Java runtimes. Protego follows the ‘least privilege’ model, granting only the permissions each function of your application actually needs. It also lets you set up custom security policies against which your applications can be tested.
My favorite feature of Protego is its ability to monitor all aspects of your application and generate a whitelist of ‘good behavior’ in terms of system access, triggers, external communication, etc. You can predict threats and glitches before deployment and fix them quickly. Protego claims to constantly update its ‘vulnerabilities lists’ based on updated CVE resources and algorithms.
Protego also supports native integration with other reporting tools, which makes it much more convenient.
Lumigo CLI
If you’re developing a distributed, event-based app, I would recommend Lumigo CLI, as it offers a comprehensive set of tools designed to smooth the development and management of such applications.
Building on top of some of the tools offered by AWS SAM and the Serverless Framework, Lumigo CLI offers an expanded array of services you can integrate into your deployment process. Two of the major advantages I noticed when deploying Lumigo CLI are that it integrates seamlessly into your build pipeline and that it puts you in a solid position to define and maintain your serverless architecture.
Some of the other additional benefits it offers include:
- A console-centric UI that lets you list Lambda functions.
- Features to explore SNS topics to simplify troubleshooting.
- A simple way to track events in a DynamoDB or Kinesis stream and more.
AWS Serverless Developer Tools
Though not specifically a tool, AWS Serverless Developer Tools is a compilation of some of the most useful resources on serverless development curated by AWS. With this page, you could find almost anything that could help you with the development and deployment process of serverless applications.
Its contents include a comprehensive compilation of serverless application development frameworks; continuous integration/deployment tools (such as AWS CodeStar and AWS CodePipeline); logging, monitoring and debugging tools such as AWS X-Ray and Amazon CloudWatch; and authoring and development tools such as AWS SAM Local and AWS Cloud9.
There are many tools on the market to choose from that let you mitigate known and hidden risks efficiently.
In conclusion, all I would suggest is to analyze exactly what security measures your project requires and how they need to scale, then pick the best option from these tools to ensure maximum security for your applications.
— Hardik Shah