Simform, profile picture
Uploaded bySimform
218 views

Serverless Security Checklist

The document outlines a comprehensive serverless security checklist focusing on function management, cyber threat assessment, identity and access management, and encryption practices. Key recommendations include robust governance, continuous vulnerability management, strict authentication protocols, and independent security testing for each function. It emphasizes the importance of encryption for data in transit and at rest, as well as proper handling of encryption keys.

Embed presentation

Download to read offline
Serverless Security Checklist Miscellaneous Encryption Function Management Cyber Threat Identity & Access Management
1. Function Management 1 Review organisational strategy, roles, responsibilities, insurance and governance tasks. Address issues instantly based on the roles and responsibilities of security governance. Perform an in-depth function data flow and privacy assessment by reviewing the data life cycle. Is it vulnerable anywhere? Review shared environments for data segregation, logical separation and security in a multi-latency environment. Monitor which functions are accessing which data. Monitor both individual function and full flows. Standardize input processing to include sanitization. Make API Gateway models as strict as possible. Limit functionality to what you actually need. Minimize permissions upfront. 2. Cyber Threat What are your patch and vulnerability management program practices? What is your vulnerability remediation process? Vulnerability management: patch vulnerabilities in virtual machines templates and offline virtual machines Discuss how serverless provider handles secure intra-host communications among multiple serverless components? System security: Review where there may be vulnerable end-user systems interacting with cloud based applications.
2 Review demonstrations and frequency of application and penetration scans as part of the certification controls, as well as continuous monitoring and scans when changes occur or new functions are added for the serverless applications. Remove unnecessary dependencies, unused features, components, files and documentation. On client and server- side both, continuously monitor version of frameworks, libraries and their dependencies. Components should be obtained from official sources with signed packages to reduce chances of malicious components. 3. Identity & Access Management Review information regarding authentication, restriction of access, or implementation of segregation of duties (SOD) for the development team. Review the types of access available: single-sign-on (SSO), authentication using the user identity management software, or two-factor authentication. Minimize functions that can access each data store Use separate DB credentials per functions and control what these credentials should do. 4. Encryption Understand the environment for the APIs, including the connection points to and from the data with encryption utilized for data in transit, data at rest, and the type of encryption.
3 Encrypt all sensitive persistent data and sensitive off-box state data. Who controls encryption keys? How are the encryption keys monitored? What is their storage and backup locations? Review encryption certifications and determine what they apply to, and test them. SSL should provide a minimum of 128-bit, 256-bit optimum, encryption based on the 2048-bit global root. Determine the type of encryption. Is there any encryption utilized for data at rest? For data in storage, how are encryption keys stored? For data backups that are data encrypted in transit or at rest? How are keys managed? Store password hashes using Bcrypt (no salt necessary - Bcrypt does it for you). 5. Miscellaneous Secure each function independently. Test every function for the security flaws. Don’t rely on limiting access to a function. Use shared input/output processing libraries. Use separate networks/accounts for group of functions. Destroy the session identifier after logout. Destroy the session identifier after logout. No open redirects after successful login or in any other intermediate redirects. Check for randomness of reset password token in the emailed link or SMS. API calls intended to be done server to server should not be done from the app.
4 Keep your data separate from commands and queries. How long are function logs kept? Authenticate every endpoint against every request. If authentication is not an option, use secure API keys and SAML assertions.

More Related Content

PDF
Cybersecurity - Mobile Application Security
byEryk Budi Pratama
 
PDF
Prevoty Integri Datasheet
byPrevoty
 
PPTX
Ethical hacking
byAishwary Sinha
 
PPTX
8 questions to ask when evaluating a Cloud Access Security Broker
byBitglass
 
PPTX
A5: Security Misconfiguration
byTariq Islam
 
PDF
Introduction to Security Testing
byvodQA
 
PPTX
Web Application Security 101
byJannis Kirschner
 
PPTX
Hallwaze security snapshot
byhallwaze_1
 
Cybersecurity - Mobile Application Security
byEryk Budi Pratama
 
Prevoty Integri Datasheet
byPrevoty
 
Ethical hacking
byAishwary Sinha
 
8 questions to ask when evaluating a Cloud Access Security Broker
byBitglass
 
A5: Security Misconfiguration
byTariq Islam
 
Introduction to Security Testing
byvodQA
 
Web Application Security 101
byJannis Kirschner
 
Hallwaze security snapshot
byhallwaze_1
 

What's hot

DOCX
Cloud Access Security Broker (CASB)
byrkulandaivel
 
PPTX
Secure coding practices
byMohammed Danish Amber
 
PPT
Anypoint enterprise security
byD.Rajesh Kumar
 
PPT
Mule anypoint enterprise security
byD.Rajesh Kumar
 
PPTX
Security Testing
byQualitest
 
PPS
Security testing
byTabăra de Testare
 
PPTX
Security testing fundamentals
byCygnet Infotech
 
PPT
Mule anypointenterprisesecurity
byhimajareddys
 
PPTX
Secure coding guidelines
bySathyanarayana Panduranga
 
PPTX
Identity-Driven Security with Forsyte I.T. Solutions - Demos and Discovery
byForsyte I.T. Solutions
 
PPTX
Building a strong security strategy
bySingtel
 
PDF
Owasp Mobile Top 10 – 2014
byn|u - The Open Security Community
 
PPTX
Owasp v8 analysis
byObaidullahIzam
 
PPTX
Cloud computingsec p3
byCesar Schmitzhaus
 
PPTX
Cloud Security Demo
byCheah Eng Soon
 
PPTX
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
PPT
12 steps to_cloud_security
byWisecube AI
 
PDF
SharePoint Conference - Secure the data, not the device
byOlav Tvedt
 
PPTX
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
byNikola Milosevic
 
PDF
OWASP Top Ten in Practice
bySecurity Innovation
 
Cloud Access Security Broker (CASB)
byrkulandaivel
 
Secure coding practices
byMohammed Danish Amber
 
Anypoint enterprise security
byD.Rajesh Kumar
 
Mule anypoint enterprise security
byD.Rajesh Kumar
 
Security Testing
byQualitest
 
Security testing
byTabăra de Testare
 
Security testing fundamentals
byCygnet Infotech
 
Mule anypointenterprisesecurity
byhimajareddys
 
Secure coding guidelines
bySathyanarayana Panduranga
 
Identity-Driven Security with Forsyte I.T. Solutions - Demos and Discovery
byForsyte I.T. Solutions
 
Building a strong security strategy
bySingtel
 
Owasp Mobile Top 10 – 2014
byn|u - The Open Security Community
 
Owasp v8 analysis
byObaidullahIzam
 
Cloud computingsec p3
byCesar Schmitzhaus
 
Cloud Security Demo
byCheah Eng Soon
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
12 steps to_cloud_security
byWisecube AI
 
SharePoint Conference - Secure the data, not the device
byOlav Tvedt
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
byNikola Milosevic
 
OWASP Top Ten in Practice
bySecurity Innovation
 

Similar to Serverless Security Checklist

PDF
Data Protection In eCommerce Store Development_ Essential Technical Best Prac...
byCartCoders
 
PDF
Web application security (eng)
byAnatoliy Okhotnikov
 
PDF
Designing Secure APIs
bySteven Chen
 
PPT
Web application development_dos_and_donts
byhuynhvanphuc
 
PPTX
7 Step Checklist for Web Application Security.pptx
byProbely
 
PDF
ByteCode pentest report example
byIhor Uzhvenko
 
PPTX
Security guidelines
bykarthz
 
DOCX
21CSB02T WEB APPLICATION AND SECURITY NOTES
byRajkumars275092
 
PDF
Building a Secure Software Application: Your Ultimate Guide
byJamesParker406701
 
PPTX
Web_Security_Considerations nice concept .pptx
byyvenkateswaracse
 
PPTX
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
PDF
Application Security - Your Success Depends on it
byWSO2
 
ODP
OWASP Secure Coding
bybilcorry
 
PDF
Top 10 Vulnerabilities Exploited by Hackers.pdf
bymanisha06650
 
PPT
Secure code practices
byHina Rawal
 
PPTX
How to Test for The OWASP Top Ten
bySecurity Innovation
 
ODP
Java zone ASVS 2015
byJoachim Van der Auwera
 
PDF
Best Practices for Secure Web Application Development by Site Invention.pdf
bysiteseo
 
PDF
Best Security Practices for Web Application Development.pdf
byDigital Auxilio Technologies
 
PDF
Prevent Security Breaches Before They Happen - ScaleFocus Security Conference...
byScaleFocus
 
Data Protection In eCommerce Store Development_ Essential Technical Best Prac...
byCartCoders
 
Web application security (eng)
byAnatoliy Okhotnikov
 
Designing Secure APIs
bySteven Chen
 
Web application development_dos_and_donts
byhuynhvanphuc
 
7 Step Checklist for Web Application Security.pptx
byProbely
 
ByteCode pentest report example
byIhor Uzhvenko
 
Security guidelines
bykarthz
 
21CSB02T WEB APPLICATION AND SECURITY NOTES
byRajkumars275092
 
Building a Secure Software Application: Your Ultimate Guide
byJamesParker406701
 
Web_Security_Considerations nice concept .pptx
byyvenkateswaracse
 
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
Application Security - Your Success Depends on it
byWSO2
 
OWASP Secure Coding
bybilcorry
 
Top 10 Vulnerabilities Exploited by Hackers.pdf
bymanisha06650
 
Secure code practices
byHina Rawal
 
How to Test for The OWASP Top Ten
bySecurity Innovation
 
Java zone ASVS 2015
byJoachim Van der Auwera
 
Best Practices for Secure Web Application Development by Site Invention.pdf
bysiteseo
 
Best Security Practices for Web Application Development.pdf
byDigital Auxilio Technologies
 
Prevent Security Breaches Before They Happen - ScaleFocus Security Conference...
byScaleFocus
 

More from Simform

PDF
SaaS Architecture.pdf
bySimform
 
PDF
VMs vs. Containers.pdf
bySimform
 
PDF
Benefits of Containerization.pdf
bySimform
 
PDF
Serverless Frameworks.pdf
bySimform
 
PDF
Microservice Design Patterns.pdf
bySimform
 
PDF
Microservices Examples.pdf
bySimform
 
PDF
Container Orchestration.pdf
bySimform
 
PDF
AWS Fargate vs. Lambda.pdf
bySimform
 
PDF
SaaS Development.pdf
bySimform
 
PDF
Containerization Best Practices.pdf
bySimform
 
PDF
Web Application Development Cost.pdf
bySimform
 
PDF
Containerization Use Cases.pdf
bySimform
 
PDF
Database DevOps.pdf
bySimform
 
PDF
Leading DevOps Tools for 2022.pdf
bySimform
 
PDF
Agile vs. DevOps.pdf
bySimform
 
PDF
DevOps Automation.pdf
bySimform
 
PDF
How to Build Real-time Application with Node.js.pdf
bySimform
 
PDF
Microservice Best Practices The 8020 Way.pdf
bySimform
 
PDF
Docker Use Cases.pdf
bySimform
 
PDF
Microservices Design Principles.pdf
bySimform
 
SaaS Architecture.pdf
bySimform
 
VMs vs. Containers.pdf
bySimform
 
Benefits of Containerization.pdf
bySimform
 
Serverless Frameworks.pdf
bySimform
 
Microservice Design Patterns.pdf
bySimform
 
Microservices Examples.pdf
bySimform
 
Container Orchestration.pdf
bySimform
 
AWS Fargate vs. Lambda.pdf
bySimform
 
SaaS Development.pdf
bySimform
 
Containerization Best Practices.pdf
bySimform
 
Web Application Development Cost.pdf
bySimform
 
Containerization Use Cases.pdf
bySimform
 
Database DevOps.pdf
bySimform
 
Leading DevOps Tools for 2022.pdf
bySimform
 
Agile vs. DevOps.pdf
bySimform
 
DevOps Automation.pdf
bySimform
 
How to Build Real-time Application with Node.js.pdf
bySimform
 
Microservice Best Practices The 8020 Way.pdf
bySimform
 
Docker Use Cases.pdf
bySimform
 
Microservices Design Principles.pdf
bySimform
 

Recently uploaded

PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
December Patch Tuesday
byIvanti
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
The year in review - MarvelClient in 2025
bypanagenda
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
December Patch Tuesday
byIvanti
 

Serverless Security Checklist

  • 1.
  • 2.
    1. Function Management 1 Revieworganisational strategy, roles, responsibilities, insurance and governance tasks. Address issues instantly based on the roles and responsibilities of security governance. Perform an in-depth function data flow and privacy assessment by reviewing the data life cycle. Is it vulnerable anywhere? Review shared environments for data segregation, logical separation and security in a multi-latency environment. Monitor which functions are accessing which data. Monitor both individual function and full flows. Standardize input processing to include sanitization. Make API Gateway models as strict as possible. Limit functionality to what you actually need. Minimize permissions upfront. 2. Cyber Threat What are your patch and vulnerability management program practices? What is your vulnerability remediation process? Vulnerability management: patch vulnerabilities in virtual machines templates and offline virtual machines Discuss how serverless provider handles secure intra-host communications among multiple serverless components? System security: Review where there may be vulnerable end-user systems interacting with cloud based applications.
  • 3.
    2 Review demonstrations andfrequency of application and penetration scans as part of the certification controls, as well as continuous monitoring and scans when changes occur or new functions are added for the serverless applications. Remove unnecessary dependencies, unused features, components, files and documentation. On client and server- side both, continuously monitor version of frameworks, libraries and their dependencies. Components should be obtained from official sources with signed packages to reduce chances of malicious components. 3. Identity & Access Management Review information regarding authentication, restriction of access, or implementation of segregation of duties (SOD) for the development team. Review the types of access available: single-sign-on (SSO), authentication using the user identity management software, or two-factor authentication. Minimize functions that can access each data store Use separate DB credentials per functions and control what these credentials should do. 4. Encryption Understand the environment for the APIs, including the connection points to and from the data with encryption utilized for data in transit, data at rest, and the type of encryption.
  • 4.
    3 Encrypt all sensitivepersistent data and sensitive off-box state data. Who controls encryption keys? How are the encryption keys monitored? What is their storage and backup locations? Review encryption certifications and determine what they apply to, and test them. SSL should provide a minimum of 128-bit, 256-bit optimum, encryption based on the 2048-bit global root. Determine the type of encryption. Is there any encryption utilized for data at rest? For data in storage, how are encryption keys stored? For data backups that are data encrypted in transit or at rest? How are keys managed? Store password hashes using Bcrypt (no salt necessary - Bcrypt does it for you). 5. Miscellaneous Secure each function independently. Test every function for the security flaws. Don’t rely on limiting access to a function. Use shared input/output processing libraries. Use separate networks/accounts for group of functions. Destroy the session identifier after logout. Destroy the session identifier after logout. No open redirects after successful login or in any other intermediate redirects. Check for randomness of reset password token in the emailed link or SMS. API calls intended to be done server to server should not be done from the app.
  • 5.
    4 Keep your dataseparate from commands and queries. How long are function logs kept? Authenticate every endpoint against every request. If authentication is not an option, use secure API keys and SAML assertions.