Analysis of over 1,000 open-source serverless applications revealed that 21% of them have critical vulnerabilities or were misconfigured, according to security researchers. They also cited that six percent had their sensitive data, such as application program interface (API) keys and credentials, stored in publicly accessible repositories.
Serverless applications embody the budding function-as-a-service (FaaS) model, turning cloud computing into a platform that enterprises can use to develop, deploy, and manage their applications without having to set up the necessary infrastructure.
By going “serverless,” developers and enterprises benefit from flexibility and automation. It can also be a scalable and cost-effective way to launch applications as there is no need to provision or maintain dedicated servers or install and manage software or runtime.
What were the most prevalent security issues in serverless apps?
The security researchers noted that most of the vulnerabilities and weaknesses were due to, among others, unsecure sample code being used in real-world applications. They found these security issues to be the most prevalent in open-source serverless apps:
Data injection — in this case, untrusted or unsanitized inputs relayed between an application’s components, such as storage, database, and notification systems
Misconfigured authorization settings in cloud storages
Permissions that an application requests or grants
These security issues, the researchers said, can allow hackers to “manipulate applications and carry out malicious actions.” Web injections such as SQL injection and cross-site scripting (XSS) attacks, for instance, can allow an attacker to gain administrator-level privileges to the application’s database. Improperly configured cloud storage can expose stored personal or mission-critical data to cybercriminals.
Weak authentication and authorization mechanisms can be exploited to execute man-in-the-middle attacks that can let hackers steal personally identifiable information. A serverless application with no security event logging and monitoring features significantly reduces the developer and organization’s capability to respond proactively to incidents such as data breaches and malware attacks.
As with all burgeoning technologies, serverless applications provide opportunities for developers and enterprises. But as the report showed, they can be security risks when improperly implemented. What does this mean for DevOps?
DevOps, which exemplifies security by design, actually complements the value propositions of adopting a serverless architecture. And while running an application in a serverless environment can significantly reduce the operational overhead and security impact on the company, it does not eliminate them. This is especially true for threats that take advantage of vulnerabilities and — as the report showed — poor coding practices.
Both embody the model of shared responsibility, where collaboration — from people and process to technology — is a crucial element in managing and securing applications, the data they process, and the infrastructure that runs them. The underlying components of a serverless application, for instance, should be vetted during the development process. While serverless computing provides agility and flexibility throughout an application’s lifecycle, security shouldn’t be an afterthought.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).