
Serverless Security White Paper - Cloud Native Security Best Practices

Open achetal01 opened this issue 3 years ago • 34 comments

Description: Develop a White Paper specifically focussed on Serverless Security Best Practices for Cloud Native technologies. The paper will enumerate security best practices & Security Controls to be implemented in build and runtime for Serverless Microservices.

Impact: It will help enterprises secure their serverless deployments, specifically app dev teams and security teams.

Scope: In development and level of effort is to be determined.

  • A Table of contents to be finalized.
  • Discussion on definition and elaborating that in the paper
  • Security best practices described (focus has to be on serverless, not just application security)
  • Difference between persistent and non-persistent functions.
  • Contributions from wider team to finish the various sections identified in the TOC.

Link to the proposed Table of Contents is below: https://docs.google.com/document/d/1hM_hsVHPx4qEQ95rfItFrDT4rQB_zLwy7VFOVz4azxw/edit

Slack Channel: #serverless-security

Note: Focus of this initiative is purely Security for Serverless Technologies. This new whitepaper will reference the definitions from the Serverless Overview whitepaper (published by serverless working group).

Presentation by Doug Davis for Serverless to the Tag Security team can be found: https://www.youtube.com/watch?v=NT636jyDMck&t=550s

TO DO

  • [ ] STAG lead sponsor - @achetal01
  • [x] Project leader(s)
  • [X] Presentation from Serverless WG to SIG-Security
  • [ ] TBD

achetal01 avatar Feb 22 '21 00:02 achetal01

need call to action - draft was sent to chairs/tls, @TheFoxAtWork provided feedback

TheFoxAtWork avatar Mar 18 '21 17:03 TheFoxAtWork

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot] avatar May 18 '21 10:05 stale[bot]

Regarding the existing serverless whitepaper, I don't recall that covered security, so I thought this would reference the definitions in that earlier whitepaper and cover different topics. (As written the description doesn't make that clear.)

ultrasaurus avatar May 28 '21 16:05 ultrasaurus

Thx @achetal01 for updating description. I think it better clarifies the scope and relationship to already existing (Serverless Overview) whitepaper -- I know they spent a long time hashing out definitions and articulating what-is-serverless, so good to use that info as a starting point and reference those definitions wherever that context is helpful.

ultrasaurus avatar May 28 '21 21:05 ultrasaurus

Hi @ultrasaurus @achetal01 Would like to help but might need a lot of guidance! Also, do we have a due date for this?

pbaderia01 avatar May 29 '21 22:05 pbaderia01

+1

magnologan avatar May 30 '21 09:05 magnologan

+1 - I would be keen to help with this too @achetal01 !

hashishrajan avatar May 30 '21 11:05 hashishrajan

I'm interested in helping with this

JonZeolla avatar May 30 '21 13:05 JonZeolla

+1 I can facilitate if the position is still available

ragashreeshekar avatar May 31 '21 05:05 ragashreeshekar

Hey folx. Happy to help author on this paper.

andrewkrug avatar Jun 01 '21 15:06 andrewkrug

This looks like something I'd be interested in helping out with as well. Let me know how I can help.

autodidaddict avatar Jun 01 '21 18:06 autodidaddict

Rereading the Serverless Whitepaper referenced above, it seems to have missed the rise of build and edge serverless platforms like GitHub Actions (build), Netlify (build and edge handlers), and CloudFlare Workers (edge).

I'd also argue that platforms like BigQuery and Snowflake are serverless storage services (pay based on consumption, don't manage "units" of storage, scales to 0 with 0 stored), but almost certainly don't belong in the same best practices doc.

I guess I'm interested in the topic?

evankanderson avatar Jun 01 '21 20:06 evankanderson

Hey Folks, great to see that you all want to contribute and help with this initiative. Please join the Slack channel #serverless-security, if you have not already.

achetal01 avatar Jun 01 '21 20:06 achetal01

happy to help as well!

jlk avatar Jun 02 '21 17:06 jlk

Few thoughts on this:

  1. Security for serverless was perceived differently than for a typical micro-service application, primarily because their runtime is limited (typically a few seconds to single-digit minutes). But the idempotent nature of functions exposes them to similar attack vectors.

  2. It's important to consider the application of DevSecOps to functions. The CI/CD pipeline for functions would be different than for a typical micro-service, but the assurance of supply chain security is still necessary.

nadgowdas avatar Jun 02 '21 23:06 nadgowdas

A member of my team wrote a paper last year about some topics related to Security Considerations in Serverless Cloud Architectures. It might be relevant for this group and can be used as a reference too: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/shedding-light-on-security-considerations-in-serverless-cloud-architectures

magnologan avatar Jun 02 '21 23:06 magnologan

Hi @evankanderson! You are absolutely correct that the Serverless Whitepaper is missing some newer tech. I can't find a date on it, but the PDF was committed on Aug 27, 2018, and the timeline that it includes only covers as far as 2017...

[image: timeline from the Serverless Overview whitepaper]

Nonetheless, I think the key question is which, if any, of the new technologies change the security profile of serverless. Perhaps the "edge" services offer new features that include additional risks, or maybe they are worth mentioning even if we don't think so (by way of confirmation). I'm not sure the other services you mention offer anything substantially different at the level we could cover in a whitepaper. However, I haven't used any of these specific offerings, so I am intrigued and definitely excited that we have folks with a diverse set of experiences who are willing to contribute to this effort!

ultrasaurus avatar Jun 03 '21 01:06 ultrasaurus

As a non-functions serverless vulnerability, the Codecov bash uploader vulnerability may provide interesting lessons in terms of supply chain security and secrets management.

The ability to run third-party build functionality as part of a serverless CI/CD platform like GitHub Actions is an interesting attack surface, but may introduce too much breadth for a single white paper.

evankanderson avatar Jun 03 '21 01:06 evankanderson

I'd like to contribute to this whitepaper.

aks-alokraj avatar Jun 03 '21 13:06 aks-alokraj

I would like to contribute to this!

bradmccoydev avatar Jun 08 '21 03:06 bradmccoydev

I would like to contribute to this !

nadgowdas avatar Jun 09 '21 17:06 nadgowdas

If any of these topics are in scope, please include me:

  • SPIFFE integration
  • Zero Trust
  • Supply Chain Defense

fkautz avatar Jun 10 '21 18:06 fkautz

I would like to learn and contribute to this!

damodar-anthem avatar Jun 10 '21 21:06 damodar-anthem

Hello folks! Thanks for your support @pbaderia01 @magnologan @JonZeolla @autodidaddict @jlk @nadgowdas @evankanderson @ak-secops @bradmccoydev @fkautz @damodar-anthem.

@hashishrajan @andrewkrug and I will be co-leading this paper. We will be reaching out to you shortly on the next steps in this regard. We will be collaborating on the CNCF Slack #tag-security-serverless, please join the same.

ragashreeshekar avatar Jun 19 '21 13:06 ragashreeshekar

Gentle reminder. Please join the CNCF Slack #tag-security-serverless if you haven't already, and join the conversation! Reach out to @hashishrajan @andrewkrug or me to proceed further. We will reach out with possible slots for a syncup and take this topic further.

ragashreeshekar avatar Jun 22 '21 08:06 ragashreeshekar

Greetings!

Thank you for your interest in contributing to the CNCF TAG-Security Serverless Security Whitepaper. We're scheduling some time to connect with you folks and discuss the outline of the paper, the expected timelines, map contributors to the content sections and kick off the whitepaper development. We look forward to working with you! Cheers.

Meeting details: CNCF TAG-Security Serverless Security Whitepaper Connect & Kickoff

  • Sunday, June 27 · 9:00 – 10:00am
  • Sunday, June 27 - 8:00 AM - 9:00 AM - IST
  • Sunday, June 27 - 12:30 PM - 1:30 PM - AEDT
  • Saturday, June 26 - 7:30 PM - 8:30 PM - PDT
  • Frequency: Every Sunday, IST (aka Saturday PDT)
  • Google Meet joining info, video call link: https://meet.google.com/wga-jqwq-qfs

We connect and communicate over the CNCF Slack #tag-security-serverless. Please join and feel free to reach out to Andrew Krug, Ashish Rajan or Ragashree (me) for any queries or feedback.

Here is some material to get you familiar with the prior work:

  • Serverless overview - https://github.com/cncf/wg-serverless/tree/master/whitepapers/serverless-overview
  • Serverless security whitepaper research - https://docs.google.com/document/d/1hM_hsVHPx4qEQ95rfItFrDT4rQB_zLwy7VFOVz4azxw/edit?ts=60c85d39#

ragashreeshekar avatar Jun 23 '21 04:06 ragashreeshekar

Hey @ragashreeshekar, can you please specify the timezone for the meeting on Sunday above? Thanks, Brad

bradmccoydev avatar Jun 23 '21 05:06 bradmccoydev

Thanks @bradmccoydev for this, very helpful, the comment is now updated.

ragashreeshekar avatar Jun 23 '21 05:06 ragashreeshekar

Hi, I'm interested in learning more and seeing where I can contribute. I'm hoping to join the call this weekend and just hopped in the Slack channel.

redbmk avatar Jun 24 '21 18:06 redbmk

I won't be able to attend that meeting.

From my experience working with India, us westerners tend to work less on weekends but save them for time with $notwork. I'll sometimes do Monday morning IST meetings, but Friday/Saturday nights US are personally no-go.

Will try to follow meeting notes and slack convos and help out where I can.

jlk avatar Jun 25 '21 01:06 jlk