Nearly All Serverless Application Functions at Risk
August 27, 2018

Protego Labs recently discovered that 98 percent of functions in serverless applications are at risk, with 16 percent considered "serious."

Additionally, most of these functions are provisioned with more permissions than they require which could be removed to improve the security of the function and the application.

“When we analyze functions, we assign a risk score to each function. This is based on the posture weaknesses discovered, and factors in not only the nature of the weakness, but also the context within which it occurs,” explains Hillel Solow, CTO, Protego. “After scanning tens of thousands of functions in live applications, we found that most serverless applications are simply not being deployed as securely as they need to be to minimize risks.”

The greatest security posture issues Protego uncovered are unnecessary permissions, while the remainder are with vulnerable code and configurations. Often, extra permissions are a result of developers or security operators using wildcards (“*”) for permissions rather than itemizing exactly which permissions they need.

Supply chain problems are predominantly with third-party libraries or modules that contain known vulnerabilities. Most of the functions with these problems also have access to resources and services they don’t need, making them excellent targets for attackers.

A small percentage of configuration problems include triggers that are unnecessary and functions with long timeouts that could be shortened to minimize the damage an attacker could do if they get access.

“The good news is these are all mitigable issues,” says Solow. “Serverless applications enable you to configure security permissions on individual functions. This allows you to achieve more granular control than with traditional applications, significantly mitigating the risk if an attacker is able to get access. Serverless applications require far more policy decisions to be made optimally, which can be challenging without the right tools, but if done accurately, these decisions can make serverless applications far more secure than their non-serverless analogs.”

The Latest

November 14, 2018

What to automate? Which parts of the delivery process are good candidates? Which applications will benefit from automation? At first, those sound like silly questions. Automate all your repetitive processes. If you think that you'll do the same thing manually more than once, automate it. Why would you waste your creative potential and knowledge by doing things that are much better done by scripts? Yet, an average company does not adhere to that logic. Why is that? ...

November 13, 2018

I'd love to see more security automation deeply integrated into the development process. Everybody knows since the 1990s that security as an afterthought just doesn't work, yet we keep doing it. The reason, I think, is because it's very hard to automate security ...

November 09, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 5, the final installment, covers deployment and production ...

November 08, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 4 is all about security ...

November 07, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 3 covers the development environment and the infrastructure ...

November 06, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 2 covers the coding process ...

November 05, 2018

Everyone talks about automating the software development lifecycle (SDLC) but the first question should be: What should you automate? With this question in mind, DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 1 starts with by-far the most popular recommendation: Testing ...

October 31, 2018

Halloween is a time for all things spooky, but not when it comes to your mobile app experience. A poor experience can not only scare off your customers but keep them away for good ...

October 30, 2018

As organizations have embraced open source, they have become polyglot — using multiple programming languages and technology stacks to accomplish software and hardware related tasks. Enterprises are caught between the benefits provided by a polyglot environment and the complexities and challenges these environments bring. Ultimately, if the situation remains unchecked, polyglot will kill your enterprise ...

October 29, 2018

Factor 5 of the Twelve-Factor App relates more to processes and advises strictly separating the build and run stages. The emphasis is on identifying and separating each stage of app development, and encouraging automation between each so as to accelerate the process ...

Share this