Serverless Security Risks Surface
Emerging serverless frameworks that dispense with server management to run cloud-native workloads continue to gain traction in the enterprise while at the same time drawing scrutiny from security specialists who report a growing number of vulnerabilities as serverless applications are rolled out.
An audit released this week by an Israeli security company found that roughly one in five serverless applications contain “critical vulnerabilities or misconfigurations.” PureSec Ltd. of Tel Aviv said its audit of open-source serverless projects revealed that 21 percent contained at least one security risk that would allow attackers to manipulate an application for malicious purposes.
The security specialist examined roughly 1,000 serverless projects deployed on Amazon Web Services’ Lambdaserverless computing platform. The pay-as-you-go service, also referred to as functions-as-a-service (FaaS), is designed to allocate computing resources as needed to run a customer’s code rather than charging upfront for dedicated capacity.
PureSec said it defined an application security taxonomy ranking the top ten FaaS security risks. The Lambda functions were written in a variety of runtime languages. The audit found that most vulnerabilities resulted from “poor development practices, lack of serverless security education and by copying and pasting insecure sample code into real world projects,” the security firm said.
PureSec, which offers a serverless security runtime environment, not coincidentally announced on Wednesday (April 4) the beta launch of a security tool for AWS Lambda customers. The company become the first AWS Lambda security partner last month.
The audit results “are jarring but not surprising as organizations adjust to the unique challenges of serverless application security," said Ory Segal, PureSec CTO and co-founder. "The traditional models of application security and cloud workload protection solutions aren't effective for serverless architectures.”
The security audit underscores the tradeoffs between the convenience and cost savings of the serverless architecture versus a new set of challenges for securing vulnerable cloud-native applications. PureSec notes that serverless providers remain responsible for securing datacenters, networks, servers, operating systems and their configurations. However, application owners are still responsible for code, data and application-layer configurations.
One consequence of serverless applications is an increased “attack surface” since serverless functions use data from a range of sources that include APIs, cloud storage, message queues, Internet of Things device communications and others.
“Many software developers and architects have yet to gain enough experience with the security risks and appropriate security protections required to secure such applications,” PureSec noted.
PureSec’s list of the top security risks in serverless is architectures is here.
Other security analysts note that the underlying concept behind serverless functions is defining an API for providing basic services within a larger application. “By decoupling the API from the core business logic, security paradigms which would normally apply to a discrete application at a higher level now need to be implemented in the API function,” noted Tim Mackey, a security specialist with Black Duck.
While the PureSec security audit focused on open-source serverless projects, Mackey noted that “this risk potentially exists in any API regardless of whether it’s considered serverless.”