When I was in Israel last year, I met up with the team at PureSec, an early stage company that is focused on ensuring that serverless computing remains secure. As a new and emerging technology area, serverless (also known as Functions as a Service, or FaaS) has some security aspects that are subtly different from regular physical or virtualized computing. PureSec was launched to leverage this opportunity.
12 months later, PureSec is still going and has recently appointed a new CTO, Ory Segal. Most recently at Akamai, Segal has an extensive security background: he was a founding member of Sanctum’s Security Team, one of the world’s first application security research groups (originally known as BLACKWATCH LABS). His team was directly responsible for generating awareness of many web vulnerabilities in the early days of application security. Sanctum invented the first web application firewall, APPSHIELD, and the first commercial web application scanning software, APPSCAN. After the merger with Watchfire and the acquisition by IBM, Ory served as a Security Products Architect and the product leader of AppScan at IBM. There, Ory was part of the development of Dynamic Application Security Testing, Static Analysis for Security and “Glassbox” (IAST) scanning technology.
Anyway, this security credibility is being put to good use in the field of serverless: Segal and PureSec have just published a new report looking at the top 10 risks for applications built on the various serverless offerings. The research was mainly gathered from public projects hosted on GitHub. Segal and his team scanned about 5,000 serverless functions and combined that with feedback and data from partners and a number of serverless thought leaders.
PureSec didn’t focus on any particular serverless offering (of which there are more every day: AWS Lambda, Azure Functions, Google Cloud Functions and IBM BlueMix Cloud Functions among them). The report itself goes beyond simply detailing risks and offers mitigations, best practices and a comparison between traditional applications and their serverless counterparts.
And so, without further ado, here are the risks that PureSec determined were the most severe and prevalent in serverless applications today:
- Function Event Data Injection
- Broken Authentication
- Insecure Serverless Deployment Configuration
- Over-Privileged Function Permissions & Roles
- Inadequate Function Monitoring & Logging
- Insecure 3rd Party Dependencies
- Insecure Application Secrets Storage
- Denial of Service & Financial Resource Exhaustion
- Serverless Function Execution Flow Manipulation
- Improper Exception Handling & Verbose Error Messages
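To make two of the listed risks concrete, here is an added example (not code from the PureSec report or from any of the cloud providers named above) of a Lambda-style handler that addresses "Function Event Data Injection" by allow-list validating the incoming event before any business logic runs, and "Improper Exception Handling & Verbose Error Messages" by logging full detail internally while returning only a generic message and a correlation id to the caller. The function name, the `user_id`/`action` schema, the allow-list and the sample events are all constructed for this illustration.

```python
import json
import logging
import re

# Structured log output; in a real deployment this would feed the platform's
# log service so rejected events and failures are visible to monitoring.
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("orders-function")  # hypothetical function name

ALLOWED_ACTIONS = {"view", "cancel"}             # constructed allow-list
USER_ID_PATTERN = re.compile(r"^[0-9]{1,12}$")   # digits only, bounded length
MAX_BODY_BYTES = 4096                            # reject oversized payloads early


class ValidationError(ValueError):
    """Raised when the incoming event does not match the expected schema."""


def validate_event(event: dict) -> dict:
    """Allow-list validate the event: shape, size, field set, field formats."""
    body_raw = event.get("body")
    if not isinstance(body_raw, str) or len(body_raw) > MAX_BODY_BYTES:
        raise ValidationError("body missing or too large")
    try:
        body = json.loads(body_raw)
    except json.JSONDecodeError as exc:
        raise ValidationError("body is not valid JSON") from exc
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")
    unexpected = set(body) - {"user_id", "action"}
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    user_id = body.get("user_id")
    action = body.get("action")
    if not isinstance(user_id, str) or not USER_ID_PATTERN.fullmatch(user_id):
        raise ValidationError("user_id must be 1-12 digits")
    if action not in ALLOWED_ACTIONS:
        raise ValidationError("action not allowed")
    return {"user_id": user_id, "action": action}


def process_order(user_id: str, action: str) -> dict:
    """Placeholder business logic standing in for a datastore call."""
    if action == "cancel" and user_id == "0":
        # Simulated backend failure whose text must not reach the caller.
        raise RuntimeError("datastore: cannot cancel order for system user")
    return {"user_id": user_id, "action": action, "status": "ok"}


def handler(event: dict, context=None) -> dict:
    """Lambda-style entry point: validate, execute, never leak internals."""
    request_id = getattr(context, "aws_request_id", "local")
    try:
        params = validate_event(event)
    except ValidationError as exc:
        # Detailed reason goes to the log, not to the client.
        logger.warning("rejected event", extra={"request_id": request_id,
                                                "reason": str(exc)})
        return {"statusCode": 400,
                "body": json.dumps({"error": "invalid request"})}
    try:
        result = process_order(params["user_id"], params["action"])
    except Exception:
        # Stack trace is logged for operators; the client gets a generic
        # message plus the request id so support can correlate the two.
        logger.exception("unhandled error", extra={"request_id": request_id})
        return {"statusCode": 500,
                "body": json.dumps({"error": "internal error",
                                    "request_id": request_id})}
    return {"statusCode": 200, "body": json.dumps(result)}


if __name__ == "__main__":
    # Constructed sample events, as an API gateway would deliver them.
    print(handler({"body": '{"user_id": "42", "action": "view"}'}))
    print(handler({"body": '{"user_id": "not-a-number", "action": "view"}'}))
    print(handler({"body": '{"user_id": "0", "action": "cancel"}'}))
```

The point of the allow-list is that the function only ever sees values in the exact shape it was written for, regardless of which event source (HTTP, queue, storage notification) delivered them; the split between what is logged and what is returned is what keeps the monitoring useful without turning error responses into reconnaissance.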
Commenting on the findings from this research, Segal speaks to the growth of serverless and the attendant lack of security awareness:
Serverless architectures have skyrocketed in the last couple of years with an annual growth rate of over 700%. Our research shows that serverless related software downloads experience exponential growth, yet at the same time there’s a huge gap in security knowledge around serverless, when compared to traditional applications. After researching serverless architectures for months, working with partners and customers and collecting feedback from serverless aficionados, we compiled this top ten list to help organizations with adopting this new and promising technology, while staying secure. This document will be an ongoing effort, which will evolve over time as we collect more intelligence and knowledge on the risks involved with serverless architectures.
MyPOV
Serverless (or FaaS, if you prefer) is a truly exciting technology development and arguably the ultimate example of focusing on outcomes rather than on wrangling servers. But, as with any technological innovation, there are pitfalls. Having a company like PureSec focus on this new area and the security risks around it, and having them develop resources like this report, will help practitioners feel safer leveraging serverless for their organizations.