Going serverless is, by and large, a big positive step forward for computing. Despite its name, “serverless” computing isn’t actually free from servers, but instead replaces the need for a physical on-premises server with a cloud computing model that saves companies money and time, while offering superior scalability.
Serverless computing solutions – epitomized by names like Azure Functions, IBM Cloud Functions, Google Cloud Functions, and AWS Lambda – allow organizations to build and deploy applications without having to worry about things like capacity planning or configuration. Among other benefits, this means that organizations can bring products to market faster and more efficiently, concentrating their attention on shipping high-quality code instead of getting bogged down with operational responsibilities and challenges. In doing so, serverless has proved to be a certifiable game-changer.
However, while serverless computing solves many of the problems traditionally associated with on-prem servers, it also introduces new risks, and in particular new kinds of security threat. That is why serverless security is so important and something that companies should strive to get right.
That way they get to enjoy the many advantages of going serverless, without having to fret about the potential downsides.
Serverless security threats
There are various security threats that come with going serverless – from injection attacks to broken authentication to shadow APIs that can expose sensitive data. Some of these weaknesses are the same ones you would expect to find in traditional on-prem architectures used to deploy apps. For instance, attackers will try to inject malicious data into applications (so-called injection attacks) to make them misbehave.
But serverless operates differently. Functions can be triggered by APIs, by events in storage systems, by messages arriving in a queue, and more. Each of those triggers is a path by which untrusted data reaches the function, so the result is a larger and more complex attack surface for attackers to target.
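The point that every trigger is an input channel is easiest to see in code. The handler below is an added example and is not code from the original article or from any cloud provider; the event shapes (an API Gateway style request, an S3 object-created record, an SQS record) are simplified, assumed layouts, and the sample events are constructed. Whatever fired the function, the raw value is pulled out, checked against an allowlist before any business logic runs, and unknown event sources are rejected rather than guessed at.

```python
"""Treat every serverless trigger as a source of untrusted input.

Added example (not from the original article). Event layouts are assumed,
simplified shapes; sample events below are constructed for the demonstration.
"""
import json
import re
from typing import Any, Dict, List
from urllib.parse import unquote_plus

# Allowlist for the single parameter this function accepts: an order id made of
# 8 to 32 alphanumeric characters. Allowlisting is the injection defence here.
ORDER_ID_RE = re.compile(r"^[A-Za-z0-9]{8,32}$")
MAX_BODY_BYTES = 4096  # assumed cap; refuse oversized bodies before parsing


def classify_event(event: Dict[str, Any]) -> str:
    """Work out which trigger produced the event (assumed record shapes)."""
    if "httpMethod" in event or "requestContext" in event:
        return "api"
    records = event.get("Records") or []
    if records and "s3" in records[0]:
        return "s3"
    if records and records[0].get("eventSource") == "aws:sqs":
        return "sqs"
    return "unknown"


def extract_order_ids(event: Dict[str, Any]) -> List[str]:
    """Return the raw, still unvalidated order id(s) from whichever trigger fired.

    Query strings, object keys and queue bodies are all attacker-influenced.
    """
    kind = classify_event(event)
    if kind == "api":
        params = event.get("queryStringParameters") or {}
        body = event.get("body") or ""
        if len(body.encode()) > MAX_BODY_BYTES:
            raise ValueError("body too large")
        ids = []
        if "order_id" in params:
            ids.append(params["order_id"])
        if body:
            ids.append(json.loads(body).get("order_id", ""))
        return ids
    if kind == "s3":
        # Object keys arrive URL-encoded and are chosen by whoever uploaded.
        return [
            unquote_plus(r["s3"]["object"]["key"]).rsplit("/", 1)[-1].split(".")[0]
            for r in event["Records"]
        ]
    if kind == "sqs":
        return [json.loads(r["body"]).get("order_id", "") for r in event["Records"]]
    # An unexpected trigger is a sign of misconfiguration, not something to tolerate.
    raise ValueError("unsupported event source")


def validate_order_id(value: Any) -> str:
    """Accept only values matching the allowlist; everything else is rejected."""
    if not isinstance(value, str) or not ORDER_ID_RE.fullmatch(value):
        raise ValueError("invalid order id")
    return value


def accepted_ids(event: Dict[str, Any]) -> List[str]:
    """Validated ids for an event, or a ValueError if anything is off."""
    try:
        return [validate_order_id(v) for v in extract_order_ids(event)]
    except (KeyError, TypeError, json.JSONDecodeError) as exc:
        raise ValueError("malformed event") from exc


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Entry point: validate first, then (here) simply echo the accepted ids."""
    try:
        ids = accepted_ids(event)
    except ValueError:
        # Generic rejection; never reflect the attacker's input in the response.
        return {"statusCode": 400, "body": json.dumps({"error": "rejected input"})}
    return {"statusCode": 200, "body": json.dumps({"accepted": ids})}


# Constructed sample events, one per trigger type, plus an injection attempt.
API_EVENT = {"httpMethod": "GET", "queryStringParameters": {"order_id": "ORD12345678"}, "body": None}
S3_EVENT = {"Records": [{"s3": {"bucket": {"name": "uploads"}, "object": {"key": "orders/ORD12345678.json"}}}]}
SQS_EVENT = {"Records": [{"eventSource": "aws:sqs", "body": json.dumps({"order_id": "ORD12345678"})}]}
INJECTION_EVENT = {"httpMethod": "GET", "queryStringParameters": {"order_id": "1' OR '1'='1"}}

if __name__ == "__main__":
    for name, ev in [("api", API_EVENT), ("s3", S3_EVENT), ("sqs", SQS_EVENT), ("injection", INJECTION_EVENT)]:
        print(name, handler(ev))
```

The design choice worth noting is that the validation lives in one place regardless of trigger: adding a new event source means adding an extraction branch, not a new validation path, so the allowlist cannot quietly be bypassed by the next integration.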
Security experts are doing their best to help raise awareness of these issues. For example, the Open Web Application Security Project (OWASP) Serverless Top 10 is a list that seeks to better educate both organizations and practitioners about the potential consequences of common security vulnerabilities with serverless applications. It also seeks to provide basic techniques that can be used to better identify and protect against them.
Traditional defenses are inadequate
One of the biggest challenges with serverless computing is that many legacy security solutions don’t do enough. As one illustration, security scanning is usually aimed at standard applications rather than serverless ones, and tools like Static Application Security Testing (SAST) can run into problems with serverless deployments. Certain parts of the standard security toolkit also fail to work well with serverless architectures, potentially exposing endpoints to attack. Solutions focused on web apps can miss API and serverless vulnerabilities – hence the need for lists like the OWASP Serverless Top 10.
Similarly, traditional perimeter-based protection doesn’t work because, put simply, it is in the wrong place. The complexity of cloud environments – both in their implementation and in the requirements of their users – makes the traditional concept of a corporate security perimeter outdated and very possibly dangerous.
Better defend yourself – and your users
Fortunately, lists like the OWASP Serverless Top 10 don’t limit themselves to describing the problems that exist with serverless architecture. They also offer good advice on the best ways to solve them. Examples include reviewing third-party libraries to find deserialization vulnerabilities, implementing appropriate identity and access control methods, and more.
Another good piece of advice in this area is to minimize the storage of high-risk sensitive data. Organizations should carry out a risk assessment of their sensitive data, do their best to minimize how much of it they store, and – most definitely – ensure that they encrypt data that is shared, regularly exchanged, or otherwise exposed to third-party services.
Nonetheless, there’s no doubt that concerns over risk put many companies off going serverless, because they worry that their existing security tools will be (and probably are) unable to protect them adequately. As a result, they get none of the myriad advantages serverless has to offer. Ultimately, what’s most needed is a targeted security approach designed from the ground up for serverless computing. Providers must offer security that is integrated with, and optimized for, serverless.
The right tools for the job
That means mitigating vulnerabilities in serverless functions so that teams can prioritize business logic – but without drowning in technical debt. Such solutions can also defend against the new attack vectors that emerge in serverless functions. They should offer comprehensive visibility, security at the speed of development, automated mitigation, mitigation of zero-day threats, and more – in a way that lets organizations harness everything serverless computing has to offer without placing themselves (or their users) at risk.