With the accelerated shift to the cloud, enterprises are subsequently accelerating their development processes to maximize operational excellence. In order to efficiently handle customer and security needs, businesses are relying on container and serverless technologies for their scalability and cost-effectiveness when deploying and developing applications.
The interest in serverless and container technologies is reflected in their growing markets. MarketsandMarkets™, a syndicate research and consulting firm, expects the global application container market to grow from USD 1.2 billion in 2018 to USD 4.98 billion in 2023. Serverless architecture is projected to increase from USD 7.6 billion in 2020 to USD 21.1 billion by 2025.
Containers and serverless technology may already be a central part of your arsenal, so you might be wondering: “what does this have to do with me?” Well, new technology inevitably comes with new security vulnerabilities. This means you must find a way to implement the appropriate defense measures to save yourself and your enterprise from post-deployment headaches like attacks, fines, and distrust from customers.
This article focuses on certain security considerations for developers and how they can build the best defense for container-based and serverless applications through runtime application self-protection (RASP), a tool that incorporates security into an application at runtime.
What is RASP?
RASP is a security tool that runs on a server and begins functioning when an application runs. Simply put, RASP is designed to detect malicious behavior in real time and is capable of protecting applications from attacks by analyzing an application’s behavior as well as the context of that behavior.
What are the benefits of RASP?
- Real-time protection for applications: RASP can intercept all kinds of traffic, including traffic that indicates malicious behaviour such as SQL injection, cross-site scripting (XSS), vulnerability exploits, bots, and other web application attacks.
- High accuracy alerts: Since RASP is built directly into an application, it is innately capable of monitoring its behaviour. It has the ability to discern between attacks and legitimate requests to reduce false positives.
- Better protection against zero-day exploits: If a patch for an application is not available for an extended time, RASP offers a short-term fix. It’s also not dependent on any type of signature for an exploit, because the baseline for
How RASP protects serverless applications
To show you how RASP works, we will use Trend Micro Cloud One™ – Application Security to secure an AWS Lambda function—an event-driven, serverless computing platform. Application Security is just one of seven solutions that make up Trend Micro Cloud One™, a security services platform purpose-built for cloud builders.
Trend Micro Senior Security Researcher, Alfredo de Oliveira, created a proof of concept (PoC) that involves a Lambda function granted with high permissions to highlight the risks of implementing bad code on a serverless system.
In his paper “Securing Weak Points in Serverless Architectures: Risk and Recommendations,” de Oliveira demonstrated how threat actors could alter the Lambda function timeout and subsequently perform attacks such as privilege escalation and data exfiltration.
For our PoC, we have configured the Lambda function with administrative privileges. By default, Lambda has no permissions aside from those defined by the customer, so customers should always follow the principle of least privilege when defining an execution role.
Alright, let’s get into it.
Figure 1 illustrates the attack chain involving an AWS Lambda function granted high permissions, as described above. It should be noted that the Application Security libraries are already preinstalled in the system.
As shown in Figure 2, the Application Security console blocks the command injection attack.
De Oliveira’s research paper also highlights the need to secure the different cloud services involved in developing serverless applications. As shown in Figure 4, Trend Micro Cloud One™ – Conformity blocks overly permissive identity and access management (IAM) roles from being executed within the system.
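The least-privilege guidance for execution roles above, and the overly permissive IAM role check that Conformity performs, can be illustrated with a small static check. This is an added example, not Trend Micro's code or Conformity's rule logic; the two policy documents are constructed, and the account ID and ARNs in them are placeholders.

```python
"""Static check for overly permissive Lambda execution-role policies."""
import json

# Constructed sample, not from the page: the kind of policy the PoC attaches
# to its Lambda function (equivalent to AdministratorAccess).
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: a least-privilege execution role that can only write
# its own CloudWatch log stream and read one S3 prefix (placeholder ARNs).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/demo:*"},
        {"Effect": "Allow",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::demo-bucket/input/*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def find_overly_permissive(policy_json: str) -> list:
    """Return findings for Allow statements that grant a wildcard action
    (* or service:*), a wildcard resource, or use NotAction (which grants
    everything except the listed actions)."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be an object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {i}: NotAction grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource *")
    return findings
```

Run against the PoC-style policy it reports both wildcards; the scoped policy produces no findings.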
How RASP can protect containers
In this section, we demonstrate how to secure a running container-based application on Azure Container Instances against SQL injection, as seen in a LinkedIn article by Chuck Losh, a Trend Micro Solutions Architect and Microsoft Azure™ Certified Expert.
First, a new deployment is run that pulls a purposely vulnerable PHP-based Damn Vulnerable Web Application (DVWA) container image from a private Azure Container Registry. In this demo, the Application Security libraries are already preinstalled in the system, as shown in Figure 5.
Once the deployment is executed through the Azure portal shown in Figure 6, we will see if everything works as intended. The end result should have the application calling to the Application Security dashboard for real-time protection.
Once the required settings are configured, the container instance should start running. This can also be verified in the Azure Portal output, as shown in Figure 7.
The test web application can now be accessed. After logging into the DVWA container-based web application, we send an SQL injection attack, as shown in Figure 9. We then check whether the Application Security console detects this malicious behavior.
As shown in Figure 10, the submitted request was detected and blocked by the Application Security console in real time.
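To make the “analyzing an application’s behavior as well as the context of that behavior” idea from the What is RASP? section concrete, here is an added toy in-process hook that flags the DVWA-style SQL injection sent above by query-structure comparison, a common RASP technique. It is illustrative only, not Trend Micro's code and not how Application Security works internally; the query template and inputs are constructed.

```python
"""Toy RASP-style hook: flag SQL injection by comparing query structure."""
import re

# SQL tokenizer: quoted string literals, numbers, identifiers/keywords,
# two-character operators, then any other single non-space character.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|<>|<=|>=|[^\s\w]")

# Constructed template modelled on the DVWA SQL injection page; "?" marks
# where the user-supplied id is concatenated into the query.
DVWA_TEMPLATE = "SELECT first_name, last_name FROM users WHERE user_id = '?'"


def tokenize(sql: str) -> list:
    return _TOKEN.findall(sql)


def structure(sql: str) -> list:
    """Collapse literals to LIT and upper-case the rest, leaving only the
    query's shape (keywords, identifiers, operators)."""
    return ["LIT" if tok.startswith("'") or tok.isdigit() else tok.upper()
            for tok in tokenize(sql)]


def render_unsafe(template: str, user_input: str) -> str:
    """Build the query the way the vulnerable page does: by concatenation.
    This is the call the hook wraps; the real fix is a parameterized query."""
    return template.replace("?", user_input)


def guarded_execute(template: str, user_input: str) -> dict:
    """RASP-style interposition around the query call. The expected shape is
    the template with the user value as exactly one literal; the actual shape
    comes from the rendered query. Any difference means the user input changed
    the structure of the statement (an injected OR clause, a comment, a UNION),
    so the request is reported as blocked instead of being executed."""
    expected = structure(template.replace("?", "x"))
    rendered = render_unsafe(template, user_input)
    if structure(rendered) != expected:
        return {"blocked": True, "query": rendered,
                "reason": "query structure altered by user input"}
    # A benign value reaches the (not shown here) database call unchanged.
    return {"blocked": False, "query": rendered, "reason": ""}
```

Note that legitimate input containing a quote (such as a surname with an apostrophe) also changes the structure and would be flagged, which is why the hook is a safety net and parameterized queries remain the real fix.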
How to automate RASP
Automation is key for DevOps teams. It enables you to satisfy security and compliance needs (which makes SecOps happy) and meet business needs without interrupting your build time.
Using Lambda function templates from CloudFormation containing the necessary RASP components that integrate into Application Security ensures that security is already a part of the application itself. This also reduces the number of manual steps you must take to secure your Lambda functions.
Shift left with RASP
To the left, to the left—RASP is a tool that enables organizations to “shift left,” which allows developers to use secure, well-understood patterns for secrets management and resilient coding practices.
As always, not everyone is so excited to embrace new changes—especially when it comes to technology. For the skeptics out there, using RASP is more than just improving security—it enables teams within an organization to bridge the gap and continue building a strong DevSecOps culture. You can also foster this culture by having development and security teams conduct proper software testing, integrated security, and operational visibility at all times.
Trend Micro Cloud One
Enterprises should be mindful that while cloud service providers (CSPs) provide guidance and security features for their services, the organization is responsible for securing what they put into the cloud. This concept is known as the shared responsibility model, and it is key to properly securing these services.
As we mentioned earlier, the execution role for Lambda only launches with permissions defined by the user—meaning customers should always follow the principle of least privilege to protect against unauthorized users.
You can save yourself the hassle of always manually checking whether everything is as secure as possible by using a security services platform like Trend Micro Cloud One. Trend Micro Cloud One provides centralized visibility of your hybrid cloud environments and real-time security with the following automated, flexible, and quick-to-deploy services:
- Application Security is an embedded security framework that proactively detects threats and protects applications and APIs on containers, serverless platforms, and other cloud computing platforms.
- Conformity performs hundreds of automated checks against industry compliance standards and cloud security best practice rules, improving the cloud infrastructure’s security and compliance posture.
- Trend Micro Cloud One™ – Container Security detects threats, vulnerabilities, and exposed sensitive data such as API keys and passwords within container images.
- Trend Micro Cloud One™ – Workload Security automatically protects legacy systems through virtual patching and defends cloud workloads from evolving threats with machine learning (ML) technology.
- Trend Micro Cloud One™ – File Storage Security protects cloud file and object storage services used in cloud-native application architectures through malware scanning and integration into custom workflows.
- Trend Micro Cloud One™ – Network Security defends virtual private clouds by blocking attacks and threats and detecting infiltrations.