Delinea announced the latest release of DevOps Secrets Vault.
Protego Labs recently discovered that 98 percent of functions in serverless applications are at risk, with 16 percent considered "serious."
Additionally, most of these functions are provisioned with more permissions than they require which could be removed to improve the security of the function and the application.
“When we analyze functions, we assign a risk score to each function. This is based on the posture weaknesses discovered, and factors in not only the nature of the weakness, but also the context within which it occurs,” explains Hillel Solow, CTO, Protego. “After scanning tens of thousands of functions in live applications, we found that most serverless applications are simply not being deployed as securely as they need to be to minimize risks.”
The greatest security posture issues Protego uncovered are unnecessary permissions, while the remainder are with vulnerable code and configurations. Often, extra permissions are a result of developers or security operators using wildcards (“*”) for permissions rather than itemizing exactly which permissions they need.
Supply chain problems are predominantly with third-party libraries or modules that contain known vulnerabilities. Most of the functions with these problems also have access to resources and services they don’t need, making them excellent targets for attackers.
A small percentage of configuration problems include triggers that are unnecessary and functions with long timeouts that could be shortened to minimize the damage an attacker could do if they get access.
“The good news is these are all mitigable issues,” says Solow. “Serverless applications enable you to configure security permissions on individual functions. This allows you to achieve more granular control than with traditional applications, significantly mitigating the risk if an attacker is able to get access. Serverless applications require far more policy decisions to be made optimally, which can be challenging without the right tools, but if done accurately, these decisions can make serverless applications far more secure than their non-serverless analogs.”
Industry News
Jit announced a $38.5 million seed funding round and launched a free beta version which automates product security.
Platform.sh raised $140 million in Series D funding.
Akana by Perforce now offers BlazeMeter to customers, previously a solution with Broadcom Layer7.
Coder announced the release of a new open source project that gives developers and data scientists a consistent, secure, yet flexible way to create cloud workspaces in minutes.
GitGuardian is announcing a series of new features to address developer experience in securing the software development lifecycle.
OctoML released a major platform expansion to accelerate the development of AI-powered applications by eliminating bottlenecks in machine learning deployment.
Snow Software announced new functionality and integrations for Snow Atlas, a purpose-built platform that provides a framework to accelerate data-driven technology decision-making.
Traefik Labs launched Traefik Hub, a new cloud service that eliminates the complexity of management and automation of Kubernetes and Docker networking at scale.
The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the new Open Programmable Infrastructure (OPI) Project.
Docker announced the acquisition of Atomist, a company founded to improve developer productivity and keep cloud native applications safe.
SmartBear released BitBar, an all-in-one web and native mobile app testing solution.
Armory announced general availability of Armory Continuous Deployment-as-a-Service.
Infragistics announced the launch of App Builder On-Prem.
LambdaTest launched Test-at-Scale (TAS), a test intelligence and observability platform, to help development teams with shift-left testing.