Twistlock added serverless runtime defense capabilities to its cloud-native security platform. The move provides whitelist-based threat protection to serverless functions running on cloud platforms like Amazon Web Services (AWS) Lambda, Google Cloud Functions, and Microsoft Azure Functions.

John Morello, CTO at Twistlock, noted in a blog post that due to the thin serverless running environment, the Serverless Defender product operates as a “small shim” that takes a small amount of direction from the security platform, enforces that direction at runtime, and logs into normal serverless monitoring tools like AWS’ CloudWatch. That logging ability is important because the short life of some serverless functions can make it difficult to track security issues.

“Basically, Serverless Defender is a small init binary that starts when your function starts, immediately starts your actual function code, and continuously ensures that only that normal function code is allowed to execute,” Morello wrote. “Your code never changes, it’s just not the default init process in your function any longer.”

This thin operating model results in a running overhead of around 4 milliseconds per process invocation and consumes less than 10 kilobytes of RAM. That low overhead is important for serverless deployments as they are based on actual cloud usage and not taken from a pre-bought bundle of compute resources.

Twistlock's serverless model also differs from the company’s container and virtual machine (VM) Defender models that can run multiple processes, store data, and run as if they have access to normal computing resources.

The runtime defense update builds on Twistlock’s move earlier this year in adding the ability to scan serverless images for vulnerabilities to its flagship platform. The company now is able to support the same full lifecycle and full stack protection it offers for containers and virtual machines (VMs).

The serverless computing market today is still in its infancy in terms of actual deployments. But, a recent Gartner report found that more than 20 percent of global enterprises will have deployed serverless technologies by 2020, compared with less than 5 percent today.

Beyond the potential cost savings, serverless is seen as being potentially more secure than containers or VMs for a number of reasons. The technology doesn’t rely on traditional servers, and thus the presence of vulnerable binaries is eliminated; denial of service attacks are limited in scope and become billing issues; and serverless immutability eliminates reliance on potentially compromised servers.

However, serverless is generally more difficult to monitor because of the lack of a centralized server. There’s the potential for a larger attack due to the increased flexibility of serverless. And there remain challenges in securing third-party services during transit.

“These architectures complicate security protection strategies because there’s no OS [operating system] or container to instrument,” said Neil MacDonald, a vice president and distinguished analyst at Gartner, in a recent report. “In most cases, these services are used in conjunction with VM- and container-based architectures, so a traditional (cloud workload protection platform) provides partial protection.”

Serverless security provider PureSec recently noted that 21 percent of open source serverless projects contained at least one critical vulnerability or misconfiguration. The research also found that 6 percent of those projects had application secrets like API keys or credentials available in public code repositories.