Serverless Computing Security Risks


Serverless computing is taking off. By some estimates, many enterprises that are using public cloud have embraced serverless computing. As TheNewStack’s Lawrence Hecht wrote, “After digging in, we found that the survey says 70 percent of enterprises have migrated a significant number of workloads to the public cloud. Among this group, 39 percent are using serverless, 40 percent are using containers and 34 percent are using container orchestration.”

That was a little less than a year ago. I’m sure today the number is considerably higher.

It’s all for good reason. As organizations move to virtualization, containerization and cloud, they are looking for ways to streamline operations, cut costs, and build a more agile cloud environment. That’s precisely the value serverless provides.

Serverless computing, also known as Function-as-a-Service (FaaS), is when organizations are able to obtain some function provided by an application without having to build and maintain the underlying infrastructure — namely servers — necessary to run and manage an application.

Serverless computing is a form of cloud computing where the cloud provider automatically manages the servers required to provide a service. While service providers can employ a serverless platform to deliver some service to customers, we’re focused on enterprise use, where developers are accessing a serverless platform from one of the leading providers, such as Amazon Lambda.

According to the Cloud Native Computing Foundation, there are two ways the serverless platform is used:

Functions-as-a-Service (FaaS), which typically provides event-driven computing. Developers run and manage application code with functions that are triggered by events or HTTP requests. Developers deploy small units of code to the FaaS, which are executed as needed as discrete actions, scaling without the need to manage servers or any other underlying infrastructure.

Backend-as-a-Service (BaaS), which are third-party API-based services that replace core subsets of functionality in an application. Because those APIs are provided as a service that auto-scales and operates transparently, this appears to the developer to be serverless.

The potential security benefits of serverless would seem apparent: with fewer servers that need to be patched, secured, and verified as properly configured, one would think the attack surface would shrink and security would improve. Well, not so fast.

In The Register’s story, “Hey cool, you went serverless. Now you just have to worry about all of those stale functions,” the author writes: “And yet in the shadows lurks another risk. Vulnerable libraries, fetched from registries such as Maven and npm, are embedded in our functions. As demonstrated by the Equifax breach, Spring Break and more, these packages are just as prevalent and can be just as vulnerable as servers.

“These packages fall into our blind spot in the world of serverless. They are missed by both the platform and the application owners, falling into the twilight zone between infrastructure and code. As FaaS rises in adoption, and functions get deployed en masse, these functions can grow stale and vulnerable. So are unpatched functions the new unpatched servers?”
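The blind spot described above is concrete enough to check for. The script below is an added illustration, not code from The Register’s story or from any serverless vendor: it walks a function inventory and flags two things the quoted passage warns about, functions that have not been redeployed in a long time, and functions whose bundled dependencies predate a known fix. The inventory, the advisory feed and every package name and version in it are constructed for the example; in a real environment the inventory would come from the provider’s function-listing API and the advisories from a vulnerability feed.

```python
"""Added illustration: audit a FaaS inventory for stale functions and for
embedded dependencies that predate a known fix.  All data below is
constructed for the example (hypothetical package names, versions and
function names); a real audit would pull the inventory from the provider's
function-listing API and the advisories from a vulnerability feed."""
from datetime import datetime, timedelta, timezone


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically.
    Assumes plain dotted numeric versions (no pre-release suffixes)."""
    return tuple(int(p) for p in v.split("."))


# Constructed advisory feed: package -> first version carrying the fix.
ADVISORIES = {
    "example-xml-parser": parse_version("2.4.1"),
    "example-http-client": parse_version("0.9.0"),
}

# Constructed function inventory: name, last deployment time (UTC), and the
# dependencies bundled into the deployment package.
INVENTORY = [
    {"name": "order-webhook", "last_modified": "2018-01-15T10:00:00Z",
     "dependencies": {"example-xml-parser": "2.3.7", "example-pad": "1.0.0"}},
    {"name": "image-resize", "last_modified": "2018-11-02T08:30:00Z",
     "dependencies": {"example-http-client": "1.1.0"}},
    {"name": "nightly-report", "last_modified": "2017-06-30T23:00:00Z",
     "dependencies": {"example-http-client": "0.8.3"}},
]

# Constructed "now" so the example is reproducible offline.
AUDIT_TIME = datetime(2018, 12, 1, tzinfo=timezone.utc)


def vulnerable_packages(dependencies: dict) -> list:
    """Return (package, version) pairs whose version is below the fixed one."""
    findings = []
    for pkg, ver in dependencies.items():
        fixed = ADVISORIES.get(pkg)
        if fixed is not None and parse_version(ver) < fixed:
            findings.append((pkg, ver))
    return findings


def stale_functions(inventory: list, now: datetime, max_age_days: int = 180) -> list:
    """Names of functions not redeployed within max_age_days of `now`."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for fn in inventory:
        deployed = datetime.strptime(fn["last_modified"], "%Y-%m-%dT%H:%M:%SZ")
        deployed = deployed.replace(tzinfo=timezone.utc)
        if deployed < cutoff:
            stale.append(fn["name"])
    return stale


def audit(inventory: list, now: datetime, max_age_days: int = 180) -> dict:
    """Combine both checks; only functions with a finding appear in the report."""
    stale = set(stale_functions(inventory, now, max_age_days))
    report = {}
    for fn in inventory:
        vulns = vulnerable_packages(fn["dependencies"])
        if fn["name"] in stale or vulns:
            report[fn["name"]] = {"stale": fn["name"] in stale,
                                  "vulnerable": vulns}
    return report


if __name__ == "__main__":
    for name, result in audit(INVENTORY, AUDIT_TIME).items():
        print(name, result)
```

Run against the constructed data, the report names `order-webhook` (stale, and carrying an old `example-xml-parser`) and `nightly-report` (stale, and carrying an old `example-http-client`), while `image-resize` is left out because it was redeployed recently and its dependency is at or above the fixed version. The point is the pairing: a deployment date alone says nothing about exposure, and a dependency list alone says nothing about whether anyone is still maintaining the function, so an inventory check should report both.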

It could be.

According to a report published earlier by serverless security vendor Puresec, serverless computing does come with considerable risks: an increased attack surface and greater attack-surface complexity, increased overall complexity of the environment, and the fact that traditional security controls such as firewalls, web application firewalls and IPS/IDS systems fall short.

That sounds like enough risk to deal with, but there’s more, according to Puresec, especially when it comes to application security. “Performing security testing for serverless architectures is more complex than testing standard applications, especially when such applications interact with remote 3rd party services or with back-end cloud services such as NoSQL databases, cloud storage, or stream processing services. In addition, automated scanning tools are currently not adapted to scanning serverless applications.”

Serverless computing will be a major part of computing in the years ahead, and enterprises had better go in with their eyes wide open when it comes to its security implications. A good place to start is this paper by Puresec, The Ten Most Critical Security Risks in Serverless Architectures.