Skip to main content
HashnodeMiguel's Blog · Serverless · SecurityMiguel's Blog · Serverless · Security

Command Palette

Search for a command to run...

5 Serverless Security Open-Source Tools You Should Use

Published
2 min read
5 Serverless Security Open-Source Tools You Should Use
M
Miguel A. Calles MBA
Part of seriesWhat is Serverless Security and How Do I Start?

There are some wonderful free or open-source tools you can use to improve the security of your serverless projects. We will explore these tools in five areas.

1. Linters

Linters help improve your code by finding common coding flaws. You would typically run them when you create a pull request, create a build, or in your CI/CD.

  • ESLint (Node): https://eslint.org
  • Pylint (Python): https://www.pylint.org
  • golanglint (golang): https://github.com/golang/lint

2. Dependency checkers

Your project might use dependencies, libraries, or packages. Some of these packages might be out-of-date, deprecated, or have known vulnerabilities. A dependency checker can help you find packages that need updating and create pull requests to update them automatically.

  • npm audit (Node): https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
  • Snyk (Node, .Net, Java, Python, and more): https://snyk.io
  • Dependabot (Node, Python, Java, .Net, and more): https://dependabot.com
  • GitHub Dependabot (Node, Python, Java, .Net, and more): https://help.github.com/en/github/administering-a-repository/keeping-your-dependencies-updated-automatically

3. AWS IAM Roles

If you are using Amazon Web Services, your projects has IAM roles for your serverless functions. The Serverless Framework automatically creates one IAM role for all the functions in your configuration file. Each function should have its own IAM role to enable the Principle of Least Privilege.

  • serverless-iam-roles-per-function Serverless plugin: https://github.com/functionalone/serverless-iam-roles-per-function
  • serverless-plugin-custom-roles Serverless plugin: https://github.com/AntonBazhal/serverless-plugin-custom-roles
  • Collection of AWS IAM policies for the Serverless Framework: https://github.com/miguel-a-calles-mba/serverless-policies

4. Error Monitoring and Alerting

Your functions may throw an error, but you may not know about it unless you manually monitor the logs or you setup an alerting system.

  • Dashbird: https://dashbird.io
  • Sentry: https://docs.sentry.io/platforms/node/guides/aws-lambda/ and https://github.com/arabold/serverless-sentry-plugin

5. Termination Protection

When you deploy a new AWS CloudFormation stack to production, you might want to enable termination protection to avoid accidentally deleting your stack.

  • serverless-stack-termination-protection Serverless plugin: https://github.com/miguel-a-calles-mba/serverless-stack-termination-protection

Conclusion

You can improve the security of your serverless project by taking advantage of free or open source solutions that are already out there.

Before you go

About the author

Originally published on Secjuice.com

Photo by Patrick Hendry on Unsplash

#serverless#security#aws

What is Serverless Security and How Do I Start?

Part 3 of 8

We will discuss aspects serverless security, and describe what you can do to start securing your serverless application. Visit <https://ServerlessSecurityBook.com> to level up and get the book.

Up next

Insecure Serverless Plugins: Why You Should Inspect the Source Code

The Serverless Framework support numerous plugins—and they are great! They save so much time in deploying our serverless applications. Why reinvent the wheel? This convenience comes with a downside: not all plugins are written securely. We must choos...

More from this blog

M

Miguel's Blog · Serverless · Security

49 posts

Miguel A. Calles is the author of the Serverless Security book, and a Cybersecurity engineer who works on serverless and cloud computing projects.