How Adtech Company Viant Manages Security With Serverless Architecture

Written by Janey Zitomer
Published on Aug. 06, 2020

In the long run, bouncing back from a DDoS attack is more expensive than securing a company’s serverless applications –– especially for a company like Viant. The LA-based adtech organization helps marketers plan and measure digital advertising campaigns and, in doing so, works with large amounts of first-party and third-party data. 

For that reason, VP of Technology Operations Lee Sautia said that his team uses a least privilege model to minimize security threats to serverless applications. 

But protecting technical architecture isn’t a simple, one-and-done task. 

“Learning was trial by fire initially,” Sautia said. “We were writing serverless applications as we were trying to figure out how to secure them.” 

Over time, Viant engineers established a security baseline for all of their serverless applications, with help from secrets management tools and an appropriate level of logging. Sautia recommends the following resources for other engineering departments looking to do the same. 

 

Viant
Lee Sautia
VP of Technology Operations • Viant

What are a few of the internal best practices your team follows to secure your serverless deployments?

Using a least privilege model for serverless applications is one of the most important practices. Having the system use only the privileges necessary to complete a task will greatly reduce the attack surface of a serverless application –– or any application, for that matter. An appropriate level of logging is also a must. Developers should ensure they’re not logging information that could potentially compromise resources. Setting concurrency and timeout limits can help limit the effectiveness of a DDoS attack. 

Lastly, do not configure environment variables with a secret as the value. Instead, use a secrets manager such as Vault, AWS Secrets Manager or GCP Secrets Manager and access secrets via API.
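The four practices in this answer (scoped permissions, no secret values in environment variables, concurrency limits, timeout limits) are all visible in a function's deployed configuration, so they can be checked mechanically. The script below is an added example, not Viant's code or tooling: it audits two constructed Lambda configurations, a weak one and a hardened one, and reports findings. The dictionary shape follows the fields that boto3's `get_function_configuration()` returns and the policy documents are ordinary IAM JSON, but the function name, account ID, ARNs and variable values are made up for the example.

```python
"""Audit a Lambda configuration against the practices described above.
Added example: the two sample configurations and their IAM policies are
constructed for illustration and do not describe any real function."""
from __future__ import annotations
import re
from typing import Any

# Weak configuration: a plaintext password in the environment, s3:* on every
# resource, the maximum timeout and no reserved concurrency.
WEAK_FUNCTION: dict[str, Any] = {
    "FunctionName": "report-ingest",
    "Timeout": 900,                        # 15 minutes, the Lambda maximum
    "ReservedConcurrentExecutions": None,  # unset: shares the account pool
    "Environment": {"Variables": {
        "DB_HOST": "db.example.internal",
        "DB_PASSWORD": "correct-horse-battery",  # readable by anyone who can
        "LOG_LEVEL": "INFO",                      # view the function config
    }},
}
WEAK_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-west-2:123456789012:"
                     "log-group:/aws/lambda/report-ingest:*"},
    ],
}

# Hardened configuration: only the secret's identifier is in the environment
# (the value is fetched from Secrets Manager at runtime), every statement is
# scoped to one action set and one resource, and both limits are set.
HARDENED_FUNCTION: dict[str, Any] = {
    "FunctionName": "report-ingest",
    "Timeout": 30,
    "ReservedConcurrentExecutions": 20,
    "Environment": {"Variables": {
        "DB_HOST": "db.example.internal",
        "DB_SECRET_ID": "prod/report-ingest/db",
        "LOG_LEVEL": "INFO",
    }},
}
HARDENED_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::report-ingest-input/*"},
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:"
                     "secret:prod/report-ingest/db-*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-west-2:123456789012:"
                     "log-group:/aws/lambda/report-ingest:*"},
    ],
}

# Variable names that usually carry a credential. A name ending in _ID, _ARN,
# _NAME or _PATH is a reference to a secret rather than the secret itself.
SECRET_NAME = re.compile(r"secret|passw|token|api_?key|private_?key|credential", re.I)
REFERENCE_SUFFIX = re.compile(r"_(ID|ARN|NAME|PATH)$", re.I)


def env_secret_findings(cfg: dict[str, Any]) -> list[str]:
    variables = cfg.get("Environment", {}).get("Variables", {})
    return [f"env var {name} looks like a secret value; move it to a secrets "
            f"manager and pass only its identifier"
            for name in variables
            if SECRET_NAME.search(name) and not REFERENCE_SUFFIX.search(name)]


def _as_list(value: Any) -> list[str]:
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict[str, Any]) -> list[str]:
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(stmt.get("Action", []))
                if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"statement {i}: wildcard action(s) {wild}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*' applies to every resource")
    return findings


def limit_findings(cfg: dict[str, Any], max_timeout: int = 60) -> list[str]:
    findings = []
    if cfg.get("ReservedConcurrentExecutions") is None:
        findings.append("no reserved concurrency: a request flood can consume "
                        "the account's shared concurrency pool")
    if cfg.get("Timeout", 3) > max_timeout:
        findings.append(f"timeout {cfg['Timeout']}s exceeds the {max_timeout}s "
                        "budget; long timeouts let abusive requests hold capacity")
    return findings


def audit(cfg: dict[str, Any], policy: dict[str, Any]) -> list[str]:
    return env_secret_findings(cfg) + policy_findings(policy) + limit_findings(cfg)


if __name__ == "__main__":
    for label, cfg, policy in [("weak", WEAK_FUNCTION, WEAK_POLICY),
                               ("hardened", HARDENED_FUNCTION, HARDENED_POLICY)]:
        print(f"{label}: {len(audit(cfg, policy))} finding(s)")
        for finding in audit(cfg, policy):
            print("  -", finding)
```

The weak configuration produces five findings (the password variable, the `s3:*` action, the `*` resource, the missing reserved concurrency and the 900-second timeout); the hardened one produces none. Two caveats: the environment check is a name heuristic and will miss a secret stored under an innocuous name, so it complements rather than replaces the rule of never putting secret values there, and the 60-second timeout budget is a per-team choice, not an AWS default. The same checks can be run against the deployment template in CI rather than the live configuration, which catches the problem before the function exists.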

 

What training or knowledge sharing had to take place to get your developers familiar with both the risks and the practices that can minimize them?

Learning was trial by fire initially. We were writing serverless applications as we were trying to figure out how to secure them. Fortunately, we were able to adapt and adopt as our site reliability engineering team provided security requirements. They created security-conscious templating for identity and asset management and serverless resources. That learning curve allowed our SREs to create a security baseline for all serverless applications moving forward.

 


What advice do you have for other engineers who are just making the transition to a serverless architecture and are concerned about security risks?

Immerse yourself in serverless technology and understand where the pain points are. There are numerous white papers and blog posts to consume. Most have a common theme around security. Talk to your cloud provider’s technical account manager, if you have one. They can help point you in a direction that makes sense and provide resources to get you started as well.

 

Responses have been edited for length and clarity. Images via listed companies.
