SEC 3: How do you implement application Security in your workload?
Review and automate security practices at the application code level, and enforce security code review as part of development workflow. These best practices protect against emerging security threats and reduce the attack surface from malicious code (including third-party dependencies).
Store secrets that are used in your code securely: Store your secrets such as database passwords or API keys in a Secrets Manager that allows for rotation, secure and audited access.
Implement runtime protection to help prevent against malicious code execution: Runtime protection enables you to disable features like spawning child processes, network access or local filesystem access in your Lambda functions.
Automatically review workload’s code dependencies/libraries: Regularly review of application and code dependencies is good industry security practice and helps you detect and prevent non-certified application code.
Review security awareness documents frequently
- Regularly review news feeds from multiple sources that are relevant to the technologies
used in your workload. Subscribe to notification services to be informed of critical threats in near-real
Common Vulnerabilities and Exposures (CVE)
Amazon Partner: Serverless Application Security Top 10
AWS Security Bulletins
CISA Security Alerts
NIST Security Alerts
Store secrets that are used in your code securely
- Using secrets managers to manage application secrets such as database passwords or
API keys allows you to update your secrets independently of code.
Using AWS Secrets Manager with Lambda
Auditing Secrets with AWS Secrets Manager
Using Hashicorp Vault with AWS Lambda & Amazon API Gateway
Auditing with Hashicorp Vault
- By creating policies that enable minimal access to secrets, you prevent credentials from being accidentally used or being compromised.
- Secrets that have policies that are too permissive could be misused by other environments
or developers leading to accidental data loss or worse.
Authentication and Access Controls for AWS Secrets Manager
Implement runtime protection to help prevent against malicious code execution
- When required, lock out features of the function runtime to prevent unauthorized actions that could arise from unverified code dependencies.
- When applicable, AWS Lambda Custom Runtimes allows you to bring your own security tools that can intercept before
and after each AWS Lambda function runs. This enables you to centralize security mechanisms that are not required
to be deployed within application code at the expense of managing and maintaining
a function runtime.
Amazon Partner: PureSec’s FunctionShield
Automatically review workload’s code dependencies/libraries
- Combine automated with manual security code review process to examine application code and its dependencies to ensure they operate as intended.
- Automated tools help identify overly complex application code, and common security vulnerability exposures already cataloged.
- Manual security code reviews in addition to automated tools help ensure that application code works as intended end-to-end, including contextual business information and integrations that might not captured in automated tools.
- Before adding any code dependencies to your workload, you should take time to review, and certify each dependency to ensure that the code you’re adding to your workload is secure.
- Use third-party services to automatically review your workload’s dependencies on every commit, and periodically to ensure that your workload contains no known security vulnerabilities.
Snyk enables you to have automated security monitoring for dependencies.
OWASP Dependency Check
OWASP Security Code Review Guide 2.0
Validate inbound events
- Enable Amazon API Gateway request validation to add another layer of security by ensuring the HTTP request matches the desired format and is rejected if it doesn’t match. Any HTTP request that doesn’t pass validation is rejected.
- Implicitly trusting data from clients could lead to malformed data being processed.
- Use data type validators or web application frameworks to ensure both semantic and
data correctness, including but not limited to regular expressions, value range, data
structure, data normalization, etc.
Input Validation for Serverless
Enable Request Validation in Amazon API Gateway
Creating Models and Mapping Templates in Amazon API Gateway