SEC 3: How do you implement application Security in your workload?

Review and automate security practices at the application code level, and enforce security code review as part of development workflow. These best practices protect against emerging security threats and reduce the attack surface from malicious code (including third-party dependencies).

Resources

AWS Security Blog
OWASP Top 10 Serverless Interpretation

Best Practices:

  • Review security awareness documents frequently
  • Store secrets that are used in your code securely
  • Implement runtime protection to help prevent malicious code execution
  • Automatically review the workload's code dependencies/libraries
  • Validate inbound events

Improvement Plan

Review security awareness documents frequently

  • Review and subscribe to CVE and security bulletins.

Store secrets that are used in your code securely

  • Audit secrets access through a Secrets Manager.
  • Enforce least privilege access to secrets.
  • Rotate secrets frequently.

Implement runtime protection to help prevent malicious code execution

  • Lock out AWS Lambda Runtime functions when required.

Automatically review the workload's code dependencies/libraries

  • Implement security mechanisms to verify application code and its dependencies.

Validate inbound events

  • Validate incoming HTTP requests against a schema.