Analysis of over 1,000 open-source serverless applications revealed that 21% of them have critical vulnerabilities or were misconfigured, according to security researchers. They also cited that six percent had their sensitive data, such as application program interface (API) keys and credentials, stored in publicly accessible repositories.
[Trend Micro research paper: Threats to serverless applications and how to mitigate them]
“Serverless” is a bit of a misnomer. Applications run on a third-party cloud infrastructure, such as Amazon Web Services’ (AWS) Lambda, Microsoft’s Azure Functions or Google Cloud Functions. They don’t rely on a dedicated server, virtual machine or container; only the application’s code runs on a cloud server until it completes its task.
Serverless applications embody the budding function-as-a-service (FaaS) model, turning cloud computing into a platform that enterprises can use to develop, deploy, and manage their applications without having to set up the necessary infrastructure.
By going “serverless,” developers and enterprises benefit from flexibility and automation. It can also be a scalable and cost-effective way to launch applications as there is no need to provision or maintain dedicated servers or install and manage software or runtime.
[Expert Insights: Moving to serverless cloud apps]
The security researchers noted that most of the vulnerabilities and weaknesses were due to, among others, unsecure sample code being used in real-world applications. They found these security issues to be the most prevalent in open-source serverless apps:
[Security by Design: Best practices for developers securing mobile apps]
These security issues, the researchers said, can allow hackers to “manipulate applications and carry out malicious actions.” Web injections such as SQL injection and cross-site scripting (XSS) attacks, for instance, can allow an attacker to gain administrator-level privileges to the application’s database. Improperly configured cloud storage can expose stored personal or mission-critical data to cybercriminals.
Weak authentication and authorization mechanisms can be exploited to execute man-in-the-middle attacks that can let hackers steal personally identifiable information. A serverless application with no security event logging and monitoring features significantly reduces the developer and organization’s capability to respond proactively to incidents such as data breaches and malware attacks.
[Expert Insights: How DevOps can be a model for effective cybersecurity]
As with all burgeoning technologies, serverless applications provide opportunities for developers and enterprises. But as the report showed, they can be security risks when improperly implemented. What does this mean for DevOps?
DevOps, which exemplifies security by design, actually complements the value propositions of adopting a serverless architecture. And while running an application in a serverless environment can significantly reduce the operational overhead and security impact on the company, it does not eliminate them. This is especially true for threats that take advantage of vulnerabilities and — as the report showed — poor coding practices.
Both embody the model of shared responsibility, where collaboration — from people and process to technology — is a crucial element in managing and securing applications, the data they process, and the infrastructure that runs them. The underlying components of a serverless application, for instance, should be vetted during the development process. While serverless computing provides agility and flexibility throughout an application’s lifecycle, security shouldn’t be an afterthought.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.