PureSec is offering a free serverless security protection library for Amazon Web Services (AWS) Lambda functions. The move comes as the serverless security space is attracting increased attention from established players and new entrants.
The PureSec FunctionShield library lets developers tighten the security behavior of serverless runtimes and protect against unwanted activity. It is installed as a code dependency, so developers define a function's protection posture in code. It also emits real-time security forensic information from inside the serverless runtime into the AWS CloudWatch logging service.
PureSec CTO and Co-Founder Ory Segal explained that the vendor released the library as a “contribution to the serverless community.” He said that it can be downloaded in five minutes and is not limited to current PureSec customers.
“The main reason for this was to help new developers who are making their first steps in serverless with gaining confidence in these architectures,” Segal said. “When using serverless you lose some visibility and control over the runtime environment, which make some developers feel ill-at-ease.”
Current support is limited to functions running on AWS Lambda in the JavaScript-based Node.js runtime and in Python. That should not be much of a limitation, since the Lambda platform dominates the serverless computing space.
PureSec noted that some companies have been taking alternate steps to isolate their sensitive AWS Lambda functions. This includes placing functions in a virtual private cloud (VPC) and routing them through a network address translation (NAT) gateway to monitor outbound traffic.
However, the vendor said that its approach is superior to this model because it lets developers disable outbound internet connections, disk operations, and shell process executions that a function does not need.
Segal explained that the free library targets these three use cases that “we’ve heard people mention over and over.” However, he noted that the free version does not include the “enterprise-grade features that one would expect from an end-to-end serverless security platform” and is “definitely not” a full-featured platform that can deal with all serverless security threats.
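The three controls Segal describes (outbound connections, disk writes under /tmp, child processes) can be pictured as a small in-process guard that a function pulls in as a dependency and configures in code. The Python sketch below is an added illustration written for this article; it is not FunctionShield, not its API, and the policy key names ("outbound_connectivity", "read_write_tmp", "create_child_process") and the "allow"/"alert"/"block" modes are assumptions made for the example. It hooks the Python entry points behind each behaviour and writes one log line per event, which on Lambda ends up in CloudWatch because the runtime's output is captured there.

```python
# Constructed illustration (not PureSec's FunctionShield and not its API): a
# minimal in-process guard that applies a code-defined posture to the three
# behaviours named in the article and emits forensic log lines.
import builtins
import logging
import socket
import subprocess
import sys

log = logging.getLogger("function_guard")
logging.basicConfig(level=logging.INFO, format="%(message)s")

# In-memory copy of every decision, so callers (and tests) can inspect them.
EVENTS = []


def _enforce(policy, rule, detail):
    """Apply the policy for one rule: 'allow', 'alert' (log and continue) or
    'block' (log and raise). Rule names and modes are hypothetical."""
    mode = policy.get(rule, "allow")
    EVENTS.append({"rule": rule, "mode": mode, "detail": detail})
    if mode == "block":
        log.warning("BLOCKED %s: %s", rule, detail)
        raise PermissionError(f"{rule} blocked by policy: {detail}")
    if mode == "alert":
        log.warning("ALERT %s: %s", rule, detail)


def install_guard(policy):
    """Hook the Python primitives behind outbound connections, child processes
    and /tmp writes. Returns an uninstall() callable that restores them.
    This hooks only Python-level entry points (socket.connect, subprocess.Popen,
    builtins.open); it is a teaching model, not a sandbox."""
    orig_connect = socket.socket.connect
    orig_popen_init = subprocess.Popen.__init__
    orig_open = builtins.open

    def guarded_connect(self, address):
        _enforce(policy, "outbound_connectivity", str(address))
        return orig_connect(self, address)

    def guarded_popen_init(self, *args, **kwargs):
        cmd = args[0] if args else kwargs.get("args")
        _enforce(policy, "create_child_process", str(cmd))
        return orig_popen_init(self, *args, **kwargs)

    def guarded_open(file, mode="r", *args, **kwargs):
        # Only writes under /tmp are policed; on Lambda the rest of the
        # filesystem is read-only anyway.
        if any(flag in mode for flag in "wax+") and str(file).startswith("/tmp"):
            _enforce(policy, "read_write_tmp", f"{file} (mode {mode})")
        return orig_open(file, mode, *args, **kwargs)

    socket.socket.connect = guarded_connect
    subprocess.Popen.__init__ = guarded_popen_init
    builtins.open = guarded_open

    def uninstall():
        socket.socket.connect = orig_connect
        subprocess.Popen.__init__ = orig_popen_init
        builtins.open = orig_open

    return uninstall


def run_demo(policy):
    """Exercise the three behaviours under `policy` and report each as
    'blocked' (the policy raised) or 'allowed' (the policy let the call through,
    whether or not the call itself then succeeded). In a real function the
    guard would be installed once at module load, not per invocation."""
    probes = {
        "create_child_process": lambda: subprocess.run(
            [sys.executable, "-c", "pass"], check=True),
        "read_write_tmp": lambda: open("/tmp/function_guard_demo.txt", "w").close(),
        "outbound_connectivity": lambda: socket.create_connection(
            ("127.0.0.1", 9), timeout=0.2).close(),
    }
    outcomes = {}
    uninstall = install_guard(policy)
    try:
        for rule, probe in probes.items():
            try:
                probe()
                outcomes[rule] = "allowed"
            except PermissionError:
                outcomes[rule] = "blocked"
            except OSError:
                # Policy allowed it; the call failed for its own reasons
                # (for example nothing listening on the loopback port).
                outcomes[rule] = "allowed"
    finally:
        uninstall()
    return outcomes


if __name__ == "__main__":
    print(run_demo({"outbound_connectivity": "block",
                    "read_write_tmp": "alert",
                    "create_child_process": "block"}))
```

With all three rules set to "block", run_demo reports "blocked" for every probe and no network or process activity takes place; with "alert", the calls proceed and one warning line per event is written to the log. Because the hooks sit at the Python level, native extensions and os.system are not covered, which is why a production library hooks lower in the runtime than this sketch does.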
Serverless Risks
Serverless is potentially more secure than containers or virtual machines (VMs) for a number of reasons: the technology does not rely on traditional servers, so the presence of vulnerable binaries is eliminated; denial-of-service attacks are limited in scope and become billing issues; and serverless immutability eliminates reliance on potentially compromised servers.
However, serverless is generally harder to monitor because there is no centralized server. The increased flexibility of serverless also creates a potentially larger attack surface, and securing third-party services during transit remains a challenge.
“These architectures complicate security protection strategies because there’s no OS [operating system] or container to instrument,” said Neil MacDonald, a vice president and distinguished analyst at Gartner, in a recent report. “In most cases, these services are used in conjunction with VM- and container-based architectures, so a traditional [cloud workload protection platform] provides partial protection.”
PureSec earlier this year released a report that found that 21 percent of open source serverless projects contained at least one critical vulnerability or misconfiguration. The research also found that 6 percent of those projects had application secrets like API keys or credentials available in public code repositories.
That report was followed by one from Protego that found 98 percent of serverless deployments had some level of security risk and that 16 percent of those were considered to be at a “serious” risk.
Serverless Security Space
That risk – and opportunity – of serverless security is creating interest from established players in the container ecosystem and new entrants that are focused exclusively on serverless.
Twistlock, which comes from the container security ecosystem, has been adding serverless platform support. The vendor in June added serverless runtime defense capabilities to its cloud-native security platform. That move provides whitelist-based threat protection to serverless functions running on cloud platforms like AWS Lambda, Google Cloud Functions, and Microsoft Azure Functions.
Protego emerged from stealth mode in May with $2 million in funding and a focus on the serverless security space. Protego Co-Founder and CTO Hillel Solow said he sees the company’s efforts as a complement to the embedded security efforts offered by the large cloud providers.
“We worry more about the pure-play providers since those with a broader focus can overlook some of the gaps that make serverless different from other cloud platforms,” Solow said.
A Gartner report found that more than 20 percent of global enterprises will deploy serverless technologies by 2020 compared with less than 5 percent today.