There are some wonderful free or open-source tools you can use to improve the security of your serverless projects. Let's explore some of them in this post.
1. Linters
Linters help improve your code by finding common coding flaws. You would typically run them when you create a pull request, create a build, or in your CI/CD.
- ESLint (Node): https://eslint.org
- Pylint (Python): https://www.pylint.org
- golanglint (golang): https://github.com/golang/lint
2. Dependency checkers
Your project might use dependencies, libraries, or packages. Some of these packages might be out-of-date, deprecated, or have known vulnerabilities. A dependency checker can help you find packages that need updating and create pull requests to update them automatically.
- npm audit (Node): https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
- Snyk (Node, .Net, Java, Python, and more): https://snyk.io
- Dependabot (Node, Python, Java, .Net, and more): https://dependabot.com
- GitHub Dependabot (Node, Python, Java, .Net, and more): https://help.github.com/en/github/administering-a-repository/keeping-your-dependencies-updated-automatically
3. AWS IAM Roles
If you are using Amazon Web Services, your project has IAM roles for your serverless functions. The Serverless Framework automatically creates one IAM role for all the functions in your configuration file. Each function should have its own IAM role to enable the Principle of Least Privilege.
- serverless-iam-roles-per-function Serverless plugin: https://github.com/functionalone/serverless-iam-roles-per-function
- serverless-plugin-custom-roles Serverless plugin: https://github.com/AntonBazhal/serverless-plugin-custom-roles
- Collection of AWS IAM policies for the Serverless Framework: https://github.com/miguel-a-calles-mba/serverless-policies
4. Error Monitoring and Alerting
Your functions may throw an error, but you may not know about it unless you manually monitor the logs or you set up an alerting system.
- Dashbird: https://dashbird.io
- Sentry: https://docs.sentry.io/platforms/node/guides/aws-lambda/ and https://github.com/arabold/serverless-sentry-plugin
5. Termination Protection
When you deploy a new AWS CloudFormation stack to production, you might want to enable termination protection to avoid accidentally deleting your stack.
- serverless-stack-termination-protection Serverless plugin: https://github.com/miguel-a-calles-mba/serverless-stack-termination-protection
Conclusion
You can improve the security of your serverless project by taking advantage of free or open source solutions that are already out there.
A Note from the Author
Join my mailing list to receive updates about my writing.
Visit miguelacallesmba.com/subscribe and sign up.
Stay secure,
Miguel
About the Author
Miguel is a Principal Security Engineer and is the author of the " Serverless Security " book. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and worked on large military systems in various engineering roles.
I originally published this article at Secjuice.com
Top comments (2)
Miguel, thanks for calling Sentry in your article. We have updated our lambda integrations to support automatic error reporting including function details and stack traces. Will love your feedback. docs.sentry.io/platforms/node/guid...
you might want to update the link up there as well.
Thanks. I updated the link.