Python has a huge open-source ecosystem with many high-quality packages providing functionality useful in many scenarios. The rate of security issues in these packages is not unusually high, but even so the use of relatively un-audited third-party packages contributed by unknown individuals can present business risks in terms of data loss, data exfiltration, disruption to other business systems, intentional modification of business logic, etc. It is impractical to remove such risks completely, but they can be reduced through architectural approaches.

Here we review how an architectural approach, "serverless functions", that has recently gained in popularity for several other reasons (such as fast horizontal scalability) can also provide an architecture for securely using third-party Python packages.

Serverless functions

Serverless functions are exemplified by AWS Lambda and the Azure Function App services. Their relevant characteristics are:

  1. They are stateless (or more precisely referentially transparent, i.e., they behave as if they are stateless)
  2. They respond to external events (such as an HTTP request, or new data in a queue)
  3. There is a single event/response cycle

This combination of characteristics means these functions are far less tied to a particular computer, making them easy for cloud computing providers to deploy automatically and as needed.

Network Isolation

Since the executable images of stateless functions (usually containers) are built ahead of, and independently from, their invocation, the functions do not need access to general internet resources. In fact they can easily be set up so that only the requestor is able to invoke them and so that all outbound internet connections are blocked.
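The two properties just described (no outbound path, and only the intended requestor able to invoke) are things a practitioner should verify rather than assume. The following is an added example, not code from the original article: it audits a function's recorded configuration offline. The dictionaries are constructed to mirror the shape of AWS Lambda's GetFunctionConfiguration response (its `VpcConfig` block), a Lambda resource-based policy document, and EC2's DescribeSecurityGroups response as boto3 returns them; in a real audit they would be fetched with those calls. Function names, subnet/security-group IDs and ARNs are placeholders.

```python
"""Audit a serverless function's network isolation and invoke permissions.

Added example, not part of the original article. All input data below is
constructed to resemble boto3 responses; IDs and ARNs are placeholders.
"""
import json

# Constructed: a function inside a VPC whose security group has no egress
# rules at all, so every outbound connection is blocked.
ISOLATED_FUNCTION = {
    "FunctionName": "example-isolated",
    "VpcConfig": {"SubnetIds": ["subnet-placeholder"], "SecurityGroupIds": ["sg-deny-all"]},
}
# Constructed: a function with no VPC configured, so it keeps the provider's
# default internet egress.
OPEN_FUNCTION = {
    "FunctionName": "example-open",
    "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []},
}
SECURITY_GROUPS = {
    "sg-deny-all": {"GroupId": "sg-deny-all", "IpPermissionsEgress": []},
    "sg-allow-all": {
        "GroupId": "sg-allow-all",
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
}
# Constructed: invoke permission limited to one API Gateway by SourceArn.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:region:000000000000:function:example-isolated",
        "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:execute-api:region:000000000000:placeholder/*"}},
    }],
})
# Constructed: anyone may invoke, no condition.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "lambda:InvokeFunction",
                   "Resource": "arn:aws:lambda:region:000000000000:function:example-open"}],
})


def audit_network_isolation(function_config: dict, security_groups: dict) -> list[str]:
    """Return findings; an empty list means no outbound path was found."""
    findings = []
    vpc = function_config.get("VpcConfig") or {}
    sg_ids = vpc.get("SecurityGroupIds") or []
    if not vpc.get("SubnetIds") or not sg_ids:
        return ["no VPC attached: function has provider-default internet egress"]
    for sg_id in sg_ids:
        sg = security_groups.get(sg_id)
        if sg is None:
            findings.append(f"{sg_id}: security group not found")
            continue
        for rule in sg.get("IpPermissionsEgress", []):
            proto = rule.get("IpProtocol", "?")
            for rng in rule.get("IpRanges", []):
                if rng.get("CidrIp") == "0.0.0.0/0":
                    findings.append(f"{sg_id}: IPv4 egress to anywhere (protocol {proto})")
            for rng in rule.get("Ipv6Ranges", []):
                if rng.get("CidrIpv6") == "::/0":
                    findings.append(f"{sg_id}: IPv6 egress to anywhere (protocol {proto})")
    return findings


def audit_invoke_policy(policy_json: str) -> list[str]:
    """Flag Allow statements that let any principal invoke without a Condition."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and "*" in principal.values())
        if wildcard and not stmt.get("Condition"):
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: any principal may invoke")
    return findings


if __name__ == "__main__":
    for fn in (ISOLATED_FUNCTION, OPEN_FUNCTION):
        print(fn["FunctionName"], audit_network_isolation(fn, SECURITY_GROUPS) or "isolated")
    for name, pol in (("restricted", RESTRICTED_POLICY), ("open", OPEN_POLICY)):
        print(name, audit_invoke_policy(pol) or "restricted to named principal")
```

The egress check treats any security-group rule reaching `0.0.0.0/0` or `::/0` as a finding; a rule scoped to a specific CIDR (for example a VPC endpoint used by the function's own data store) is deliberately not flagged, since that is the one outbound path such a function legitimately needs.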

Data Isolation

Predictable, long-lived software build/configuration

The execution image and environment for serverless functions are pre-built and not changed over time. This reduces the possibility of software supply chain attacks as well as reducing maintenance needs.
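A pre-built image only keeps its supply-chain benefit if the build itself is reproducible: every package pinned to an exact version and a known artifact hash, so that a later re-build cannot silently pull a different (possibly tampered) file. The following is an added example, not code from the original article. It performs the same check that `pip install --require-hashes -r requirements.txt` enforces, parsing hash-pinned requirement lines and comparing a downloaded artifact's SHA-256 digest against the pin before it is accepted into the image. The requirements text and artifact bytes are constructed for the demonstration, and the package name `examplepkg` is a placeholder.

```python
"""Verify package artifacts against a hash-pinned requirements file.

Added example, not the article's code. Mirrors pip's --require-hashes rule:
every requirement must carry at least one --hash=sha256:<digest> option, and
the artifact's digest must match one of them. Sample data is constructed.
"""
import hashlib
import re

_REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s\\]+)")
_HASH_OPT = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)")

# Constructed stand-in for the bytes of examplepkg-1.2.0-py3-none-any.whl.
GOOD_WHEEL = b"constructed bytes standing in for examplepkg-1.2.0-py3-none-any.whl"
GOOD_DIGEST = hashlib.sha256(GOOD_WHEEL).hexdigest()

# Constructed lock file in the format pip-compile / pip hash produce.
REQUIREMENTS = f"""
# constructed lock file
examplepkg==1.2.0 \\
    --hash=sha256:{GOOD_DIGEST}
"""


def parse_requirements(text: str) -> dict[tuple[str, str], set[str]]:
    """Map (name, version) -> allowed sha256 digests; reject unpinned lines."""
    pins: dict[tuple[str, str], set[str]] = {}
    logical = text.replace("\\\n", " ")  # join backslash continuations
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = _REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        digests = {h.group("digest") for h in _HASH_OPT.finditer(line)
                   if h.group("algo") == "sha256"}
        if not digests:
            raise ValueError(f"{m.group('name')}=={m.group('version')} has no sha256 pin")
        pins[(m.group("name").lower(), m.group("version"))] = digests
    return pins


def verify_artifact(pins: dict, name: str, version: str, data: bytes) -> bool:
    """True only if this exact name/version is pinned and the bytes match a pin."""
    digest = hashlib.sha256(data).hexdigest()
    return digest in pins.get((name.lower(), version), set())


if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    print("genuine artifact accepted:", verify_artifact(pins, "examplepkg", "1.2.0", GOOD_WHEEL))
    print("tampered artifact accepted:", verify_artifact(pins, "examplepkg", "1.2.0", GOOD_WHEEL + b"x"))
```

Two design points matter here: an unpinned requirement is an error rather than a warning, because a single unpinned package re-opens the whole build to substitution, and a version that is not in the lock file verifies as false even if its bytes are genuine, since the image should contain only what was reviewed.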

Atomic interaction

Since clients interact with stateless functions under atomic and referentially transparent assumptions, the functions are easier to debug within the overall system and it is easier to contain any flaws in their logic.

QuantFns