Threat modelling for Serverless deployments
Threat modelling involves decomposing an application into its constituent components.
Who is Responsible for Downtime?
If your cloud deployment becomes unavailable, who carries the loss of service and business opportunity?
What’s in Your App? Open Source Software Risk
Your downtime is your problem no matter what the root cause.
If your npm package fails to work because of a deprecated dependency, so that your app does not run and your CI/CD pipeline is broken, this is your problem, not just the npm package contributor's.
In 2017 a Node.js dependency, ‘left-pad’, was removed from npm, breaking JS applications that used it as a dependency.
Major data breaches have occurred because of known vulnerabilities, not because of novel exploits.
Failure to apply patches for known issues can leave you exposed.
Nodesource.com N|Solid for AWS Lambda can run in the background monitoring your code for issues such as memory leaks, identifying code with known vulnerabilities, performance bottlenecks and non-standard behaviour.
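A CI check for the dependency risk described above, as an added example that is not part of the original page: it reads a parsed npm lockfile and flags deprecated packages, entries with no pinned integrity hash, and tarballs resolved from outside the expected registry. The function names, rule names and sample lockfile are constructed for illustration, and the `deprecated` lockfile field is assumed to have been written by the npm client.

```javascript
// Added example, not from the original page. The sample lockfile is constructed.
const REGISTRY = 'https://registry.npmjs.org/'; // assumed trusted registry

// Audit a parsed package-lock.json (lockfileVersion 2/3 "packages" map).
function auditLockfile(lock, registry = REGISTRY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue;        // root project or workspace link
    const name = path.split('node_modules/').pop(); // handles nested and scoped names
    const id = `${name}@${entry.version}`;
    // Assumption: the npm client recorded the registry deprecation notice here.
    if (entry.deprecated) findings.push({ id, rule: 'deprecated', detail: entry.deprecated });
    if (entry.inBundle) continue;                   // shipped inside its parent's tarball
    if (!entry.integrity) findings.push({ id, rule: 'no-integrity', detail: 'no tarball hash pinned' });
    if (entry.resolved && !entry.resolved.startsWith(registry)) {
      findings.push({ id, rule: 'off-registry', detail: entry.resolved });
    }
  }
  return findings;
}

// CI gate: true only when no finding matches a blocking rule.
function passesGate(findings, blocking = ['no-integrity', 'off-registry']) {
  return !findings.some((f) => blocking.includes(f.rule));
}

// Constructed sample: one deprecated package, one git dependency, one bundled one.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'orders-fn', version: '1.0.0' },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER',
      deprecated: 'use String.prototype.padStart()',
    },
    'node_modules/internal-util': {
      version: '0.2.0',
      resolved: 'git+ssh://git@example.com/team/internal-util.git#0000000',
    },
    'node_modules/a/node_modules/b': { version: '2.0.0', inBundle: true },
  },
};

const findings = auditLockfile(sampleLock);
console.log(findings, passesGate(findings) ? 'PASS' : 'FAIL');
```

In a pipeline, the input would be `JSON.parse` of the project's own `package-lock.json`, and a failed gate would stop the deployment of the Lambda bundle.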
What is your SLA guarantee?
Who decides what constitutes a breach of SLA by a cloud provider?
What compensation can be claimed?
If your infrastructure provider has frequent problems that cause frequent downtime, your customers would expect you to switch providers.
Certifications like FIPS, ISO, PCI, HIPAA are a proxy for security practices within your providers because the certifier has audited their security.
Note that just because a cloud provider is PCI compliant and you use their services, this does not make your app PCI compliant by default. You will need to obtain your own compliance certification.
Online Payment Security
Before looking at the common threats and how to defend against them, it is good to consider, as early as possible, the issue of online payments and e-commerce risks.
PCI DSS Twelve Requirements
- Firewall configuration to protect cardholder data
- Do not use vendor defaults for system passwords and other security settings
- Protect stored cardholder data by encrypting it at rest
- Encrypt transmission of cardholder data across the internet
- Protect all systems against malware, keep antivirus software updated and deploy patches
- Develop and maintain secure systems and applications
- Restrict access to cardholder data on a business need-to-know basis
- Identify and authenticate access to system components
- Restrict physical access to cardholder data e.g. card swipe or database access
- Track and monitor all access to network resources and cardholder data (logging each access)
- Regularly test security systems and processes e.g. CloudWatch, CloudTrail, Config
- Maintain a policy that addresses information security for all personnel e.g. ISO 27001