Serverless & Microservices

Serverless functions (Lambda, Azure Functions) reduce maintenance effort but shift the security focus completely to the application and IAM layer.

Your Strategy

Each function should only have the permissions it absolutely needs (micro-segmentation at the IAM level). A single "God-Role" shared by all functions is a critical risk.
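The following is an added example (not code from the original page or from AYSOLI) that shows how the "God-Role" problem can be caught in a pipeline: a small checker that inspects an IAM-style policy document for wildcard grants. The two policies, the account ID, table and log-group names are constructed for illustration.

```python
import json

# Constructed sample policies (not from the original page). The first is the
# "God-Role" anti-pattern, the second is scoped to what one function needs.
GOD_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:eu-central-1:123456789012:table/orders",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:eu-central-1:123456789012:log-group:/aws/lambda/order-handler:*",
        },
    ],
}


def _as_list(value):
    # IAM allows a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (statement index, element, value, reason) for every grant that is
    wider than a single function should hold."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((idx, "Action", action, "full wildcard action"))
            elif action.endswith(":*"):
                findings.append((idx, "Action", action, "service-wide wildcard action"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((idx, "Resource", resource, "wildcard resource"))
        # NotAction/NotResource grant everything *except* what is listed.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "NotAction/NotResource", "", "negated grant"))
    return findings


def is_least_privilege(policy):
    """True when no over-broad grant was found."""
    return not find_overbroad_statements(policy)


if __name__ == "__main__":
    for name, policy in (("god-role", GOD_ROLE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "ok" if is_least_privilege(policy) else "FAIL")
        for finding in find_overbroad_statements(policy):
            print("  ", json.dumps(finding))
```

Run it as a pre-deployment gate on every function's role document; a finding should fail the build rather than just warn, since a shared wildcard role turns a single vulnerable function into a foothold against the whole account.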

Best Practices

  • Identity: Use mTLS for communication between microservices.
  • Validation: Validate every event trigger against a strict schema.
  • Scanning: Continuously scan the code of your functions and their dependencies for vulnerabilities.
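As an added example of the "Validation" practice (not code from the original page or from AYSOLI), here is a Lambda-style handler that validates its event body against a strict schema before any business logic runs. The schema itself, the `order_id`/`customer_id`/`quantity` fields and their formats are constructed for illustration; the point is that unknown fields, wrong types and out-of-range values are all rejected, which is what closes the parameter-tampering path.

```python
import json
import re

# Constructed schema for a hypothetical "create order" function (not from the page).
# Every field must be present, of the given type, and within its bounds; anything
# not listed here is rejected rather than silently passed through.
ORDER_EVENT_SCHEMA = {
    "order_id": {"type": str, "pattern": re.compile(r"^ord-[0-9a-f]{8}$")},
    "customer_id": {"type": str, "pattern": re.compile(r"^cust-[0-9]{6}$")},
    "quantity": {"type": int, "min": 1, "max": 100},
}


def validate_event(event, schema):
    """Return a list of validation errors; an empty list means the event is accepted."""
    if not isinstance(event, dict):
        return ["event body must be a JSON object"]
    errors = []
    # Strict: fields the schema does not know about are an error (e.g. "discount").
    for key in sorted(set(event) - set(schema)):
        errors.append(f"unexpected field: {key}")
    for key, rule in schema.items():
        if key not in event:
            errors.append(f"missing field: {key}")
            continue
        value = event[key]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{key}: expected {rule['type'].__name__}")
            continue
        if "pattern" in rule and not rule["pattern"].match(value):
            errors.append(f"{key}: does not match required format")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{key}: must be >= {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{key}: must be <= {rule['max']}")
    return errors


def handler(event, context=None):
    """API-Gateway-style entry point: the raw body is parsed and validated first."""
    try:
        body = json.loads(event.get("body") or "")
    except (json.JSONDecodeError, TypeError, AttributeError):
        return {"statusCode": 400, "body": json.dumps({"errors": ["body is not valid JSON"]})}
    errors = validate_event(body, ORDER_EVENT_SCHEMA)
    if errors:
        return {"statusCode": 400, "body": json.dumps({"errors": errors})}
    # Only fully validated fields reach the business logic.
    return {"statusCode": 200, "body": json.dumps({"accepted": body})}


if __name__ == "__main__":
    good = {"order_id": "ord-deadbeef", "customer_id": "cust-123456", "quantity": 3}
    tampered = dict(good, quantity=0, discount=100)
    print(handler({"body": json.dumps(good)}))
    print(handler({"body": json.dumps(tampered)}))
```

The same `validate_event` shape works for non-HTTP triggers (queue messages, storage events) as long as each trigger type gets its own schema; the validator is deliberately stdlib-only so it can be reused without adding a dependency to every function package.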

STRIDE-LM Design Risks

S-API-01  Spoofing: Identity Spoofing (API)
  Attacker impersonates a legitimate partner service.

T-API-01  Tampering: API Parameter Tampering
  Manipulation of request parameters to bypass business logic.

R-API-01  Repudiation: API Log Manipulation
  Concealing malicious API activities.

I-API-01  Information Disclosure: Excessive Data Exposure
  API returns more data than necessary for the client.

D-API-01  Denial of Service: Insecure Resource Consumption
  Overloading the API due to missing rate limits (DoS).

L-API-01  Lateral Movement: Cloud-Pivot via API
  Using the API server identity to access internal cloud resources.

M-API-01  Monitoring Gaps: Hidden API Abuse
  Abuse of undocumented or "shadow" APIs.

MITRE ATT&CK® Techniques

Reconnaissance

T1592  Gather Victim Digital Network Information (ATT&CK)
  Collecting information about the target infrastructure.
  Mitigated by:
  • API Asset Inventory [Baseline Protection, Medium] (CIS: 1.1; OWASP: API9)
  • API Security Audit (Logging) [Extended Protection, Medium] (CIS: 8.5; NIST: PR.PT-1)

Initial Access

T1190  Exploit Public-Facing Application (ATT&CK)
  Exploiting vulnerabilities in internet-facing services.
  Mitigated by:
  • Infrastructure as Code (IaC) Scanning [Extended Protection, Medium] (CIS: 1.1; NIST: PR.IP-1)
  • Mutual TLS (mTLS) [Extended Protection, High] (CIS: 6.3; NIST: PR.DS-2)
  • Strict Schema Validation [Baseline Protection, Medium] (CIS: 16.11; OWASP: API6)
  • API Security Audit (Logging) [Extended Protection, Medium] (CIS: 8.5; NIST: PR.PT-1)

Persistence

T1098  Account Manipulation (ATT&CK)
  Changing permissions or creating new accounts.
  Mitigated by:
  • Regular Access Reviews [Baseline Protection, Low] (CIS: 6.6; NIST: PR.AC-1; OWASP: A01:2021)

Privilege Escalation

T1548  Abuse Elevation Control Mechanism (ATT&CK)
  Bypassing mechanisms for privilege escalation (e.g., UAC).
  Mitigated by:
  • Least Privilege Principle [Baseline Protection, Medium] (CIS: 6.2; NIST: PR.AC-6; OWASP: A01:2021)

Credential Access

T1557  Adversary-in-the-Middle (ATT&CK)
  Intercepting communication between two parties.
  Mitigated by:
  • JWT Signature Verification [Baseline Protection, Medium] (NIST: PR.AC-1; OWASP: API2)
  • Mutual TLS (mTLS) [Extended Protection, High] (CIS: 6.3; NIST: PR.DS-2)

T1528  Steal Application Access Token (ATT&CK)
  Theft of tokens to bypass authentication.
  Mitigated by:
  • Centralized Secrets Vaulting [Extended Protection, Medium] (CIS: 6.12; NIST: PR.DS-1)

T1539  Steal Web Session Cookie (ATT&CK)
  Capturing active session tokens to bypass authentication.
  Mitigated by:
  • JWT Signature Verification [Baseline Protection, Medium] (NIST: PR.AC-1; OWASP: API2)

T1552  Credentials from Password Stores (ATT&CK)
  Extracting passwords from web browsers or password managers.
  Mitigated by:
  • Infrastructure as Code (IaC) Scanning [Extended Protection, Medium] (CIS: 1.1; NIST: PR.IP-1)
  • Centralized Secrets Vaulting [Extended Protection, Medium] (CIS: 6.12; NIST: PR.DS-1)

T1110  Brute Force (ATT&CK)
  Attempts to gain access to accounts or API keys through systematic trial and error.
  Mitigated by:
  • Rate Limiting & Throttling [Baseline Protection, Low] (CIS: 12.1; OWASP: API4)
  • API Security Audit (Logging) [Extended Protection, Medium] (CIS: 8.5; NIST: PR.PT-1)

Command & Control

T1071.001  Application Layer Protocol (ATT&CK)
  Misuse of legitimate web protocols (HTTP/S) for C2 communication.
  Mitigated by:
  • Egress Filtering (SSRF Protection) [Extended Protection, Medium] (CIS: 12.2; OWASP: A10:2021)

Exfiltration

T1020  Automated Exfiltration (ATT&CK)
  Automated exfiltration of data via interfaces.
  Mitigated by:
  • Rate Limiting & Throttling [Baseline Protection, Low] (CIS: 12.1; OWASP: API4)
  • API Security Audit (Logging) [Extended Protection, Medium] (CIS: 8.5; NIST: PR.PT-1)

Is your scenario more complex?

AYSOLI experts support you in implementing your specific security requirements.