Serverless Framework Risks: 7 Common Security Threats to Look Out For
Originally posted on https://www.protego.io/serverless-framework-flaws-7-common-security-threats-to-look-out-for/
According to a study by Gartner, 2019 will be the year of the cloud. The study estimates that global public cloud-related revenues will climb 17.5% this year. While it seems like every year is the “year of the cloud,” there is something about this year in particular that sets it apart: it is the year of serverless.
The introduction of the serverless framework is one of the most logical steps in the evolution of the cloud. Serverless architectures remove the need for an “always-on” server by incorporating Backend-as-a-Service (BaaS) and Functions-as-a-Service (FaaS) platforms.
As with each technical evolution, organizations need to evaluate how their operational and security models must change in light of the new technology in order to realize its numerous benefits.
If you want to deploy your new serverless environment with ease, you need to rethink these critical areas. Keep reading for the top 7 security risks you might run into with your new serverless framework.
1. More Attack Surfaces
One of the hallmarks of serverless is that your data will be consumed by multiple event sources. This opens you up to attacks on multiple fronts. From APIs to cloud storage, your risk of an attack increases with every event source you run on your system.
As the number of attack vectors increases, so too does the complexity of your attack surface. That may cause issues during system implementation: with so many surfaces to configure, organizations often risk misconfiguration.
Of course, breaking an application up into smaller segments or functions also makes it more difficult for attackers to penetrate, which is a security advantage. To fully realize this advantage, organizations need to apply application hardening, configuring each function with a least-privilege role. This ensures a function has no more permissions than it needs, so that it is not exposed to additional attacks on multiple fronts.
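One way to check the least-privilege point in practice, as an added example that is not code from the original post: a small linter that flags wildcard actions, wildcard resources and IAM-modifying rights in a per-function IAM policy document, run over a constructed over-broad policy and its scoped-down replacement (the function, bucket and table names and the account id are made up).

```python
import json

def _as_list(value):
    # IAM accepts either a string or a list for Statement, Action and Resource
    return value if isinstance(value, list) else [value]

def find_overprivileged(policy):
    """Return findings for Allow statements that grant more than one function
    should normally need: wildcard actions, wildcard resources, or IAM rights."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif action.lower().startswith("iam:"):
                findings.append(f"statement {idx}: IAM-modifying action {action!r}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {idx}: wildcard resource '*'")
    return findings

# Constructed sample: the role a hypothetical "process-upload" function was
# first deployed with ...
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}],
}
# ... and the least-privilege version: only the two actions it actually performs,
# scoped to the one prefix and one table it touches (names and account id made up).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-uploads/incoming/*"},
        {"Effect": "Allow", "Action": "dynamodb:PutItem",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-uploads"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(find_overprivileged(policy), indent=2))
```

Running the same check in CI against each function's role in the deployment template catches the "*" grants before they reach production.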
2. Increased System Complexity
In addition to a more complex attack surface, going serverless contributes to an increase in the overall complexity of your new system. Visualization and monitoring of applications are particularly difficult with serverless infrastructures.
Everything you integrate with your system must be prepared to work with a non-typical software environment, and improper event logs or function logs will almost always lead to delays or mistakes during troubleshooting. When dealing with security problems, this can often mean the difference between disaster and disaster averted.
The more you are able to seamlessly monitor and improve visibility of your serverless applications, without impacting performance, the better for your security posture.
3. Security Testing Complexity
With a typical setup, you can automate security testing for your standard applications. But serverless infrastructures are different, and security testing for them is highly complex. The traditional AppSec approach cannot simply be applied to serverless frameworks, as they are vastly different.
Security testing, especially during integrations, is more important for serverless environments than other architectures. This is because each unit of integration is much smaller than with other infrastructures.
4. Function Event-Data Injection
Moving inside the application, function event-data injection is the most critical security error you will run across when going serverless. Unlike with a standard application, issues arise not only from untrusted input passed directly to an interpreter: function event-data injection can also originate from sources other than direct user input.
Serverless architectures run the risk of a web API call causing function event-data injection. But web API calls aren’t all: cloud storage events, changes to code, and even a simple email can trigger a serverless function. A traditional Web Application Firewall alone does not protect serverless applications; more protection is needed around each function.
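The three trigger types named above, as an added example that is not code from the original post: a single Lambda-style handler that pulls the field it uses from an API Gateway, S3 or SES event, treats all three as untrusted, and rejects anything outside a strict allowlist before the value reaches a command. The event shapes are constructed samples modelled on the AWS formats; the bucket, report and command names are made up.

```python
import re
from urllib.parse import unquote_plus

# Allowlist for the one field we use downstream: an object key of safe path
# segments ending in .csv or .json. Anything else is rejected, not "cleaned".
_KEY_RE = re.compile(r"^[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-.]+)*\.(csv|json)$")

def extract_untrusted(event):
    """Identify the event source and pull the field downstream code will use.
    Every branch returns data an outsider can influence, not just the API one."""
    if "httpMethod" in event:                         # API Gateway proxy event
        return "api", (event.get("queryStringParameters") or {}).get("key", "")
    records = event.get("Records", [])
    if records and "s3" in records[0]:                # S3 object-created event
        return "s3", unquote_plus(records[0]["s3"]["object"]["key"])
    if records and "ses" in records[0]:               # SES inbound-mail event
        return "ses", records[0]["ses"]["mail"]["commonHeaders"].get("subject", "")
    raise ValueError("unrecognised event source")

def validate_key(value):
    # The regex alone would accept "a/../b.csv" (dots are legal inside a
    # segment), so traversal is refused explicitly as well.
    if not _KEY_RE.fullmatch(value) or ".." in value:
        raise ValueError(f"rejected object key: {value!r}")
    return value

def build_argv(key):
    # Pass the validated value as its own argv element; never splice it into a
    # shell command string, and never hand the raw event field to an interpreter.
    return ["process-report", "--input", key]

def handler(event, context=None):
    source, raw = extract_untrusted(event)
    return {"source": source, "argv": build_argv(validate_key(raw))}

# Constructed sample events (shapes modelled on the AWS formats, values made up).
API_EVENT = {"httpMethod": "GET", "queryStringParameters": {"key": "reports/2019-q1.csv"}}
S3_EVENT = {"Records": [{"s3": {"bucket": {"name": "example-reports"},
                                "object": {"key": "reports/2019-q1.csv"}}}]}
SES_EVENT = {"Records": [{"ses": {"mail": {"commonHeaders":
                                           {"subject": "reports/../secrets.csv"}}}}]}

if __name__ == "__main__":
    for ev in (API_EVENT, S3_EVENT, SES_EVENT):
        try:
            print(handler(ev))
        except ValueError as exc:
            print("blocked:", exc)
```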
5. Broken Authentication
As we’ve mentioned several times, a major feature of serverless architecture is the sheer number of events and functions utilized. Many of these functions have a distinct purpose and utilize distinct source types. All of these disparate functions and events are woven together to form your architecture.
So you can see why trying to implement an authentication scheme for each component is a complex and highly sensitive process. Most in-house and even outsourced IT groups don’t have the expertise to build out a proper authentication scheme.
Secure Your Serverless Architecture
Experts claim that going serverless produces high ROIs, reduces complexity for your in-house IT team, and can even eliminate the need for in-house engineers or IT staff altogether. This is all true, but the ones taking full advantage of these benefits are also the ones getting the most out of their serverless framework.
That’s where Protego comes in.
Looking for the best serverless security on the market? Check out our serverless security solutions and find out what it’s like to use the first-ever comprehensive security solutions built with serverless environments in mind.