Serverless Security with
Automated API Security Testing

ron-perris

Ron Perris|April 8, 2021

Today’s engineering teams can use security testing tools to assess serverless applications for vulnerabilities during development.

The rise of the Serverless Application Architecture allows organizations to focus on building valuable features while offloading the work of provisioning and scaling hardware to their cloud computing providers. 

Serverless applications often use technologies like AWS Lambda for compute and Amazon API Gateway for accessing that compute functionality. As you are building these serverless applications, you can and should automatically test for security issues during development. Catching security issues early makes it much easier and cheaper to fix them.

As you add more functionality to an application, the attack surface increases. Just like with other automated tests, it is important to keep your test coverage high. Every API path and corresponding compute function could potentially expose a security related mistake. Modern security testing tools can be used to assess the application for security related bugs during development and before production traffic is sent to new features and functionality.

Add Automated Security Testing to Your Pipeline for Free

Common API Security Tests

There are a few common types of security tests you can run on your serverless applications:

  • Dynamic Application Security Testing (DAST): with DAST you are testing all or part of the running application, like a functional integration test would. The DAST scanner will send various predefined inputs to your application and look for evidence of a security vulnerability in the response.

  • Static Application Security Test (SAST): this test will look at your source code and find vulnerabilities related to insecure coding patterns and mistakes.

  • Software Composition Analysis (SCA): this type of test will look at your project manifest files and detect the use of any dependencies with known security vulnerabilities.

It’s a good idea to add a tool that implements each of these test types in your application codebase, ideally in an automated fashion that runs during development and before you release code.

Dynamic Application Security Testing

This type of testing finds bugs that attackers are most likely to exploit. The tools in this category basically send exploit payloads at a running application and measure the response to determine if the exploit was successful or not. Historically, these types of tests were run on production servers, but for obvious reasons it is better to do these exploits in development or CI/CD where they won’t do any harm to your applications. 

You can set up automated dynamic application security tests using a GitHub Action and the OWASP ZAP tool, or with a product like StackHawk.

YAML
on: [push]
jobs:
	zap_scan:
    	runs-on: ubuntu-latest
		name: Scan the webapplication
    	steps:
         - name: Checkout
           uses: actions/checkout@v2
           with:
             ref: master
      	- name: ZAP Scan
          uses: zaproxy/action-full-scan@v0.2.0
          with:
            token: ${{ secrets.GITHUB_TOKEN }}
            docker_name: 'owasp/zap2docker-stable'
            target: 'https://www.zaproxy.org/'
            rules_file_name: '.zap/rules.tsv'
            cmd_options: '-a'

Static Application Security Testing

The most lightweight and popular SAST tools are language specific linters and simple pattern matching scripts that leverage regular expressions. 

For linters, many JavaScript projects use the ESLint project and its ecosystem of plugins to automatically test for security best practices and common mistakes. Some teams write simple regular expressions and scan the code using grep during development and before release. 

There are some open source tools that take the idea of linters and pattern matching to the next level. For example, Semgrep is a fast static analysis tool that enforces coding standards and detects common security bugs.

Scanning your Lambda functions with tools like ESLint, grep, or Semgrep will allow you to detect all types of security vulnerabilities, such as: Cross-Site Scripting, SQL Injection, Server-side Request Forgery, and many other common security bugs.

You can automate these types of tests by adding a GitHub Action that runs on each pull request.

YAML
name: Semgrep
on: [pull_request]
jobs:
  semgrep:
    runs-on: ubuntu-latest
    name: Check
    steps:
      - uses: actions/checkout@v1
      - name: Semgrep
        id: semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          config: p/r2c

Software Composition Analysis

If you are using third-party libraries in your application (…you probably are), then you should run a software composition analysis tool to make sure that you’re not bringing in any security bugs via your dependencies. The JavaScript ecosystem has npm audit which is open source and uses a database of known vulnerabilities to check for issues in the libraries you are using in your code base.

You can scan the dependencies of your serverless application by running individual tools like npm audit, OWASP Dependency-Check, or Snyk.

It is easy to automate software composition analysis tests with GitHub Actions. You can run this type of test on interval, pull request, or every branch push.

YAML
name: npm audit
on:
  pull_request:
  push:
    branches:
      - master
      - 'releases/*'
# on:
#   schedule:
#     - cron: '0 10 * * *'

jobs:
  scan:
    name: npm audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: install dependencies
        run: npm ci
      - uses: oke-py/npm-audit-action@v1.7.1
        with:
          audit_level: moderate
          github_token: ${{ secrets.GITHUB_TOKEN }}
          issue_assignees: oke-py
          issue_labels: vulnerability,test
          dedupe_issues: true

Automating API Security Testing for Serverless

One of the challenges when running scans against any API is tuning the scan to increase coverage. A major advantage of serverless applications that use Amazon’s API Gateway is that it is possible to export the entire API path documentation as an OpenAPI specification.

Shell
aws apigatewayv2 export-api \
--api-id api-id  \
    --output-type YAML  \
    --specification OAS30 \
    --stage-name prod \
    Stage-definition.yaml

You can use the OpenAPI specification file to configure dynamic applications security scanners, such as OWASP ZAP or a more developer focused tool like StackHawk. In StackHawk, for example, you can simply add the OpenAPI spec to the configuration file. Then, when the scanner starts, it will automatically test the API endpoints on your serverless application.

YAML
app:
  openApiConf:
    # Specify the path relative to the host
    path: "/openapi.yaml"

→ If you’re interested in reading more, check out the StackHawk Docs.

The results generated by scanners like StackHawk’s can be used to break builds or alert developers to issues that should be fixed before a release is made. If a finding is found, it is simple to reproduce with a cURL command generator, equipping anyone on the development team to debug and fix the vulnerability.

Add Automated Security Testing to Your Pipeline

Wrap Up

After you configure these automatic security tests to run alongside the rest of your code’s tests, you will have a new level of assurance about the security of the code you are shipping to production. In the future, and as new developers join the team, the best practices for secure coding will be built into the applications tests. Any regressions will be caught quickly and automatically.

Getting started with serverless security testing is easy, with many open source projects and free tools available. We’re biased, but we think the best place to start is a free account with StackHawk. Sign up today or reach out to us at support@stackhawk.com if you have any questions.


Ron Perris  |  April 8, 2021