How to protect serverless and container applications with RASP Solution Engineer

With the accelerated shift to the cloud, enterprises are subsequently accelerating their development processes to maximize operational excellence. In order to efficiently handle customer and security needs, businesses are relying on container and serverless technologies for their scalability and cost-effectiveness when deploying and developing applications. 

The interest in serverless and container technologies is reflected in its growing market. MarketsandMarkets™, a syndicate research and consulting firm, expects the global application container to grow from USD 1.2 billion in 2018 to USD 4.98 billion in 2023. Serverless architecture is projected to increase from US 7.6 billion in 2020 to US 21.1 billion by 2025.  

Containers and serverless technology may already be a central part of your artillery, so you might be wondering: “what does this have to do with me?” Well, new technology inevitably comes with new security vulnerabilities. This means you must find a way to implement the appropriate defense measures to save yourself and your enterprise from post-deployment headaches like attacks, fines, and distrust from customers. 

This article focuses on certain security considerations for developers and how they can build the best defense for container-based and serverless applications through runtime application self-protection (RASP), a tool that incorporates security into an application at runtime.

What is RASP?

RASP is a security tool that runs on a server and begins functioning when an application runs. Simply put, RASP is designed to detect malicious behavior in real time and is capable of protecting applications from attacks by analyzing an application’s behavior as well as the context of that behavior.

What are the benefits of RASP?

• Real-time protection to applications: RASP can intercept all kinds of traffic, including ones that indicate malicious behaviour like SQL injection, cross-site scripting (XSS), vulnerabilities, bots, and other web applications attacks.
• High accuracy alerts: Since RASP is built directly into an application, it is innately capable of monitoring its behaviour. It has the ability to discern between attacks and legitimate requests to reduce false positives.
• Better protection against zero-day exploits: If a patch for an application is not available for an extended time, RASP offers a short-term fix. It’s also not dependant on any type of signature for an exploit, because the baseline for How RASP protects serverless applications

To show you how RASP works, we will use Trend Micro Cloud One™ – Application Security to secure a function of AWS Lambda—an event-driven, serverless computing platform. Application Security is just one of seven solutions that make up Trend Micro Cloud One™ a security services platform purpose-build for cloud builders.

Trend Micro Senior Security Researcher, Alfredo de Oliveira, created a proof of concept (PoC) that involves a Lambda function granted with high permissions to highlight the risks of implementing bad code on a serverless system.

According to his paper “Securing Weak Points in Serverless Architectures: Risk and Recommendations,” de Oliveria demonstrated how threat actors could alter the Lamda function timeout and subsequently perform attacks such as privilege escalation and data exfiltration.

For our PoC, we have configured the Lambda administrative privileges. By default, Lambda has no permissions aside from those defined by the customer, so customers should always follow the principle of least privilege when defining and execution role.

Alright, let’s get into it.

Figure 1 illustrates the attack chain involving an AWS Lambda function granted with high permissions, as described in the above paragraph. It should be noted that Application Security libraries are already preinstalled in the system.

Read More HERE