Not to freak anyone out, but there’s a good chance your serverless deployment is running with some level of security risk. Serverless security startup Protego pegs that risk at 98 percent.
In a recent scan of tens of thousands of functions in live applications, Protego said it found that nearly all were at some level of risk and that 16 percent of those were considered to be at a “serious” risk.
The firm found that the biggest security issue was unnecessary permissions. These were tied to developers or security operators using “wildcards” for permissions, which are usually group-based, instead of itemizing specific permissions for each individual. Other significant issues included vulnerable code and configurations and vulnerabilities in third-party libraries or modules used to construct serverless-based applications.
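A small checker for the wildcard-permission problem described above, as an added example rather than Protego's tooling: it walks an IAM policy document attached to a Lambda execution role and flags Allow statements whose Action or Resource is a wildcard. The two policy documents and the "serious"/"elevated"/"ok" triage mapping are constructed assumptions for illustration.

```python
"""Flag over-broad IAM grants of the kind the Protego scan describes.
Added example; the policies below are constructed, not real roles."""
import json

# Constructed: an execution role granting every S3 and DynamoDB action on any resource.
WILDCARD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"}
  ]
}""")

# Constructed: the same role itemized down to what the function actually calls.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-input-bucket/*"},
    {"Effect": "Allow", "Action": ["dynamodb:PutItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-table"}
  ]
}""")


def _as_list(value):
    """IAM accepts a single string/object or a list for these keys; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy):
    """Return (statement_index, field, value) for each Allow statement that uses a
    wildcard. Actions: any '*' (e.g. 's3:*', 'iam:Get*'). Resources: only a bare '*',
    since a trailing '/*' inside an ARN is a deliberate prefix scope, not an open grant.
    Deny statements are skipped because a wildcard Deny narrows access."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "Resource", resource))
    return findings


def risk_level(policy):
    """Assumed triage: 'serious' when one statement wildcards both actions and
    resources, 'elevated' for any other wildcard, 'ok' when fully itemized."""
    per_stmt = {}
    for idx, field, _ in find_wildcard_grants(policy):
        per_stmt.setdefault(idx, set()).add(field)
    if any(fields == {"Action", "Resource"} for fields in per_stmt.values()):
        return "serious"
    return "elevated" if per_stmt else "ok"
```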
Protego CTO Hillel Solow explained that a majority of the functions scanned were from production systems “significantly based on serverless workloads so they are indicative of real risk that is out there, which can be mitigated.”
“These are the first few thousand functions we [have] seen in our private beta,” Solow said. “We think the results are already indicative of a trend.”
The functions in question were running on Amazon Web Services’ (AWS) Lambda platform, which is the most widely used serverless platform and currently the only platform supported by Protego. The company, which emerged from stealth in early May with $2 million in seed funding, will add support for Microsoft Azure and Google Cloud Platform later this year.
The Protego report followed one released earlier this year by serverless security provider PureSec. That report noted that 21 percent of open source serverless projects contained at least one critical vulnerability or misconfiguration. The research also found that 6 percent of those projects had application secrets like API keys or credentials available in public code repositories.
Serverless is seen as being potentially more secure than containers or virtual machines (VMs) for a number of reasons: The technology doesn’t rely on traditional servers, and thus the presence of vulnerable binaries is eliminated; denial of service attacks are limited in scope and become billing issues; and serverless immutability eliminates reliance on potentially compromised servers.
However, serverless is generally more difficult to monitor because there is no centralized server; the increased flexibility of serverless also opens up a potentially larger attack surface; and there remain challenges in securing traffic to third-party services in transit.
“These architectures complicate security protection strategies because there’s no OS [operating system] or container to instrument,” said Neil MacDonald, a vice president and distinguished analyst at Gartner, in a recent report. “In most cases, these services are used in conjunction with VM- and container-based architectures, so a traditional (cloud workload protection platform) provides partial protection.”
A number of security vendors have been adding serverless protection to their portfolios as the market for serverless begins to surge. A recent Gartner report found that more than 20 percent of global enterprises will have deployed serverless technologies by 2020, compared with less than 5 percent today.