Nearly All Serverless Application Functions at Risk
August 27, 2018

Protego Labs recently discovered that 98 percent of functions in serverless applications are at risk, with 16 percent considered "serious."

Additionally, most of these functions are provisioned with more permissions than they require; the excess permissions could be removed to improve the security of both the function and the application.

“When we analyze functions, we assign a risk score to each function. This is based on the posture weaknesses discovered, and factors in not only the nature of the weakness, but also the context within which it occurs,” explains Hillel Solow, CTO, Protego. “After scanning tens of thousands of functions in live applications, we found that most serverless applications are simply not being deployed as securely as they need to be to minimize risks.”

The largest share of the security posture issues Protego uncovered involves unnecessary permissions; the remainder involve vulnerable code and configurations. Extra permissions are often the result of developers or security operators using wildcards (“*”) for permissions rather than itemizing exactly which permissions the function needs.

Supply chain problems predominantly involve third-party libraries or modules that contain known vulnerabilities. Most of the functions with these problems also have access to resources and services they don’t need, which makes them excellent targets for attackers.

A small percentage of the issues are configuration problems, including unnecessary triggers and functions with long timeouts that could be shortened to limit the damage an attacker could do after gaining access.
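The three posture issues described above (wildcard permissions, over-broad resource access, and long timeouts) can be checked mechanically. The script below is an added example, not Protego's scanner or any tooling the article describes. It assumes AWS-style IAM policy documents (`Allow` statements with `Action` and `Resource`) and a per-function timeout in seconds; the thumbnail function, its policy, its observed actions, the 60-second threshold and the score weights are all constructed for illustration.

```python
"""Least-privilege posture check for serverless functions.

Added example, not Protego's scanner. Assumes AWS-style IAM policy documents
(Allow statements with Action/Resource) and a timeout in seconds; every
function definition and threshold below is constructed.
"""
import fnmatch
from typing import Dict, Iterable, List

# Constructed threshold (assumption): a function whose work finishes in
# seconds should not keep a 15-minute execution window.
MAX_TIMEOUT_SECONDS = 60


def _as_list(value) -> list:
    """IAM accepts a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: Dict) -> List[str]:
    """Collect every action pattern granted by Allow statements."""
    actions = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.extend(_as_list(stmt.get("Action")))
    return actions


def find_wildcards(policy: Dict) -> List[str]:
    """Flag '*' or 'service:*' actions and Resource '*' in Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: applies to every resource")
    return findings


def find_config_issues(config: Dict) -> List[str]:
    """Flag long timeouts: more execution time for whoever gets into the function."""
    findings = []
    timeout = config.get("timeout_seconds", 0)
    if timeout > MAX_TIMEOUT_SECONDS:
        findings.append(f"timeout {timeout}s exceeds {MAX_TIMEOUT_SECONDS}s")
    return findings


def itemize_actions(policy: Dict, observed: Iterable[str]) -> List[str]:
    """Replace wildcards with the actions the function was observed calling.

    An observed action is kept only if the current policy already allows it,
    so the itemized list never widens the grant. Returns a sorted list.
    """
    granted = allowed_actions(policy)
    kept = {a for a in observed if any(fnmatch.fnmatchcase(a, g) for g in granted)}
    return sorted(kept)


def risk_score(policy: Dict, config: Dict) -> int:
    """Additive score with constructed weights: wildcard actions weigh most,
    resource wildcards next, configuration issues least."""
    score = 0
    for finding in find_wildcards(policy):
        score += 3 if "wildcard action" in finding else 2
    score += len(find_config_issues(config))
    return score


# Constructed sample: a thumbnail-resizing function granted far more than it uses.
THUMBNAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
    ],
}
THUMBNAIL_CONFIG = {"timeout_seconds": 900}
# Actions seen in the function's own invocations (constructed).
THUMBNAIL_OBSERVED = ["s3:GetObject", "s3:PutObject",
                      "logs:PutLogEvents", "logs:CreateLogStream"]

if __name__ == "__main__":
    for f in find_wildcards(THUMBNAIL_POLICY) + find_config_issues(THUMBNAIL_CONFIG):
        print("finding:", f)
    print("risk score:", risk_score(THUMBNAIL_POLICY, THUMBNAIL_CONFIG))
    print("itemized actions:", itemize_actions(THUMBNAIL_POLICY, THUMBNAIL_OBSERVED))
```

Run against the sample, the checker reports the `s3:*` action, the `*` resource and the 900-second timeout, and `itemize_actions` reduces the grant to the four actions the function actually invoked, which is the itemized policy the article recommends in place of the wildcard.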

“The good news is these are all mitigable issues,” says Solow. “Serverless applications enable you to configure security permissions on individual functions. This allows you to achieve more granular control than with traditional applications, significantly mitigating the risk if an attacker is able to get access. Serverless applications require far more policy decisions to be made optimally, which can be challenging without the right tools, but if done accurately, these decisions can make serverless applications far more secure than their non-serverless analogs.”
