SEC 3: How do you implement application Security in your workload?
Review and automate security practices at the application code level, and enforce security code review as part of development workflow. These best practices protect against emerging security threats and reduce the attack surface from malicious code (including third-party dependencies).
Resources
 AWS Security Blog
 OWASP Top 10 Serverless Interpretation
Best Practices:
- Review security awareness documents frequently: Stay up to date with both AWS and industry security best practices to understand and evolve protection of the workload.
- Store secrets that are used in your code securely: Store your secrets, such as database passwords or API keys, in a secrets manager that allows for rotation and secure, audited access.
- Automatically review workload’s code dependencies/libraries: Regularly reviewing application and code dependencies is good industry security practice and helps you detect and prevent non-certified application code.
- Validate inbound events: Sanitize inbound events and validate them against a predefined schema. Test your inputs by using fuzzing techniques.
- Implement runtime protection to help prevent malicious code execution: Runtime protection enables you to disable features like spawning child processes, network access or local filesystem access in your Lambda functions.
Improvement Plan
Review security awareness documents frequently
- Regularly review news feeds from multiple sources that are relevant to the technologies used in your workload. Subscribe to notification services to be informed of critical threats in near-real time.
 Common Vulnerabilities and Exposures (CVE)
 Amazon Partner: Serverless Application Security Top 10
 AWS Security Bulletins
 CISA Security Alerts
 NIST Security Alerts
Store secrets that are used in your code securely
- Using secrets managers to manage application secrets such as database passwords or API keys allows you to update your secrets independently of code.
 Using AWS Secrets Manager with Lambda
 Auditing Secrets with AWS Secrets Manager
 Using Hashicorp Vault with AWS Lambda & Amazon API Gateway
 Auditing with Hashicorp Vault
- By creating policies that enable minimal access to secrets, you prevent credentials from being accidentally used or being compromised.
- Secrets that have policies that are too permissive could be misused by other environments or developers, leading to accidental data loss or worse.
 Authentication and Access Controls for AWS Secrets Manager
- Rotate your workload's secrets frequently. This limits the misuse of a secret, since each rotation invalidates the previous value.
 Rotating your AWS Secrets Manager secrets
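The following added example (not AWS code or part of this page) shows the pattern the two points above imply for a Lambda function: read the secret through a short-lived cache so it can be updated independently of the code, and treat an authentication failure as a sign that rotation happened, refreshing once before giving up. The Secrets Manager client is injected and replaced here by a constructed fake with the same `get_secret_value` signature; the secret name `prod/db/app` is hypothetical.

```python
import json
import time

class SecretCache:
    """Fetch a JSON secret from Secrets Manager and cache it for a short TTL.
    Client is injected so this runs offline; in Lambda pass boto3.client("secretsmanager")."""
    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.time):
        self._client, self._secret_id = client, secret_id
        self._ttl, self._clock = ttl_seconds, clock
        self._value, self._fetched_at = None, 0.0

    def get(self, force_refresh=False):
        now = self._clock()
        stale = self._value is None or now - self._fetched_at > self._ttl
        if force_refresh or stale:
            resp = self._client.get_secret_value(SecretId=self._secret_id)
            self._value, self._fetched_at = json.loads(resp["SecretString"]), now
        return self._value

def connect_with_secret(cache, connect):
    """Use the cached credential; if the backend rejects it, assume a rotation
    since the last fetch, refresh once and retry. A second failure propagates."""
    try:
        return connect(cache.get())
    except PermissionError:
        return connect(cache.get(force_refresh=True))

class FakeSecretsManager:
    """Constructed stand-in for the boto3 client; versions[0] is the current version."""
    def __init__(self, versions):
        self.versions, self.calls = list(versions), 0
    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps(self.versions[0])}
    def rotate(self):
        self.versions.pop(0)

def demo():
    """Warm the cache with v1, rotate, then connect: v1 fails, the refresh picks up v2."""
    sm = FakeSecretsManager([{"password": "v1"}, {"password": "v2"}])
    cache = SecretCache(sm, "prod/db/app")      # hypothetical secret name
    database = {"password": "v1"}                # constructed backend state
    def connect(secret):
        if secret["password"] != database["password"]:
            raise PermissionError("auth failed")
        return "connected:" + secret["password"]
    cache.get()                                  # first fetch, cached value is v1
    sm.rotate(); database["password"] = "v2"     # rotation happens outside the function
    return connect_with_secret(cache, connect), sm.calls
```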
Automatically review workload’s code dependencies/libraries
- Combine automated and manual security code review processes to examine application code and its dependencies and ensure they operate as intended.
- Automated tools help identify overly complex application code and common security vulnerability exposures that are already cataloged.
- Manual security code reviews, in addition to automated tools, help ensure that application code works as intended end-to-end, including contextual business information and integrations that might not be captured by automated tools.
- Before adding any code dependencies to your workload, you should take time to review and certify each dependency to ensure that the code you’re adding to your workload is secure.
- Use third-party services to automatically review your workload’s dependencies on every commit, and periodically to ensure that your workload contains no known security vulnerabilities.
 Snyk enables you to have automated security monitoring for dependencies.
 OWASP Dependency Check
 OWASP Security Code Review Guide 2.0
Validate inbound events
- Enable Amazon API Gateway request validation to add another layer of security: any HTTP request that does not match the expected format is rejected before it reaches your function.
- Implicitly trusting data from clients could lead to malformed data being processed.
- Use data type validators or web application frameworks to ensure both semantic and data correctness, including but not limited to regular expressions, value range, data structure, data normalization, etc.
 Input Validation for Serverless
 Enable Request Validation in Amazon API Gateway
 Creating Models and Mapping Templates in Amazon API Gateway
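As an added example (not code from this page or from AWS), the handler below applies the checks listed above to a constructed "order" event arriving through an API Gateway proxy integration: exact key set, types, value range, a regular expression, length limits, and normalization applied only after validation. The `fuzz` function does the fuzz test the best practice asks for, confirming that random bodies always produce a 400 or 200 and never an unhandled exception. The field names and limits are assumptions for the example.

```python
import json, random, re, unicodedata

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
ALLOWED_FIELDS = {"email", "quantity", "note"}   # constructed schema for the example

def validate_order(payload):
    """Schema check for the constructed 'order' body: exact key set, types,
    value range, regex and length. Returns a list of errors; empty means valid."""
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    errors = []
    extra = set(payload) - ALLOWED_FIELDS
    if extra:
        errors.append("unexpected fields: %s" % sorted(extra))
    email = payload.get("email")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        errors.append("email: must match address pattern")
    qty = payload.get("quantity")   # bool is an int subclass, so reject it explicitly
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 100:
        errors.append("quantity: integer in range 1..100")
    note = payload.get("note", "")
    if not isinstance(note, str) or len(note) > 200:
        errors.append("note: string of at most 200 characters")
    return errors

def handler(event, context=None):
    """API Gateway proxy handler: anything that fails validation gets a 400."""
    body = event.get("body") or ""
    try:
        payload = json.loads(body)
    except ValueError:
        return {"statusCode": 400, "body": json.dumps({"errors": ["body is not valid JSON"]})}
    errors = validate_order(payload)
    if errors:
        return {"statusCode": 400, "body": json.dumps({"errors": errors})}
    # Normalize only after validation, then hand a clean object to business logic.
    order = {"email": payload["email"].lower(), "quantity": payload["quantity"],
             "note": unicodedata.normalize("NFC", payload.get("note", "")).strip()}
    return {"statusCode": 200, "body": json.dumps(order)}

def fuzz(iterations=500, seed=1):
    """Random-body fuzzing: the handler must always answer 200 or 400, never raise."""
    rng = random.Random(seed)
    alphabet = '{}[]":,0123456789abc@.-\\ \n\u00e9'
    for _ in range(iterations):
        body = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 64)))
        status = handler({"body": body})["statusCode"]
        if status not in (200, 400):
            raise AssertionError("unexpected status %r for %r" % (status, body))
    return True
```

The same schema, expressed as a JSON Schema model attached to the method, lets API Gateway request validation reject malformed bodies before the function is invoked; the in-function check remains as defence in depth for semantic rules the model cannot express.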
Implement runtime protection to help prevent malicious code execution
- When required, lock out features of the function runtime to prevent unauthorized actions that could arise from unverified code dependencies.
- When applicable, AWS Lambda Custom Runtimes allow you to bring your own security tools that intercept before and after each AWS Lambda function invocation. This lets you centralize security mechanisms that do not need to be deployed within application code, at the expense of managing and maintaining a function runtime.
 Amazon Partner: PureSec’s FunctionShield
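To make concrete what "locking out features of the function runtime" means, here is an added, hypothetical in-process guard for a Python Lambda function (it is not FunctionShield or any AWS code, and a product built into a custom runtime would hook far lower than this). It blocks child-process creation and outbound sockets to hosts not on an allowlist, logging and raising on each blocked action so a compromised dependency is stopped and the attempt becomes a detection signal. The allowlisted host name and the TEST-NET-2 address in the demo are constructed.

```python
import logging
import socket
import subprocess

log = logging.getLogger("runtime-guard")

class RuntimeGuard:
    """Hypothetical minimal runtime protection: blocks child processes and sockets
    to non-allowlisted hosts. Installed once at cold start; blocked actions raise."""
    def __init__(self, allowed_hosts=(), allow_child_processes=False):
        self.allowed_hosts, self.allow_child_processes = set(allowed_hosts), allow_child_processes
        self.blocked = []                       # audit trail: (kind, target)
        self._orig_popen_init = subprocess.Popen.__init__
        self._orig_connect = socket.socket.connect

    def install(self):
        guard = self
        def popen_init(popen_self, *args, **kwargs):
            if not guard.allow_child_processes:
                guard._block("child_process", repr(args[0] if args else kwargs.get("args")))
            return guard._orig_popen_init(popen_self, *args, **kwargs)
        def connect(sock, address):
            host = address[0] if isinstance(address, tuple) else str(address)
            if host not in guard.allowed_hosts:
                guard._block("network", host)
            return guard._orig_connect(sock, address)
        subprocess.Popen.__init__ = popen_init  # subprocess.run/check_output go through Popen
        socket.socket.connect = connect         # urllib, requests and boto3 use socket.socket
        return self

    def uninstall(self):
        subprocess.Popen.__init__ = self._orig_popen_init
        socket.socket.connect = self._orig_connect

    def _block(self, kind, target):
        self.blocked.append((kind, target))
        log.warning("runtime guard blocked %s: %s", kind, target)
        raise PermissionError("%s blocked by runtime guard: %s" % (kind, target))

def demo():
    """Constructed check: a shell-out and a call to a non-allowlisted host are both stopped."""
    guard = RuntimeGuard(allowed_hosts={"secretsmanager.us-east-1.amazonaws.com"}).install()
    for attempt in (lambda: subprocess.run(["id"], capture_output=True),
                    lambda: socket.socket().connect(("198.51.100.7", 443))):  # TEST-NET-2
        try:
            attempt()
        except PermissionError as exc:
            log.info("handler stopped: %s", exc)
    guard.uninstall()
    return guard.blocked
```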
