A new guide from the Cloud Security Alliance offers mitigations, best practices, and a comparison between traditional applications and their serverless counterparts.
Serverless computing has seen tremendous growth in recent years. This growth was accompanied by a flourishing ecosystem of new solutions that offer observability, real-time tracing, deployment frameworks, and application security.
As awareness of serverless security risks started to grow, scoffers and cynics repeated the age-old habit of calling “FUD” — fear, uncertainty and doubt — on any attempt to point out that, while serverless offers tremendous value in the form of rapid software development and a huge reduction in TCO, it also brings new security challenges.
The Evolving Serverless Ecosystem
One of the key indicators of a mature technology is the ecosystem that evolves around it. Having a thriving community, extensive documentation, best-practices guides, and tooling is what will drive organizations to trust new technologies and adopt them.
Recently, the Cloud Security Alliance (CSA) joined forces with PureSec, where I am CTO and co-founder, to develop an extensive serverless security guide. The guide draws much of its content from last year’s effort, but with the addition of two important risk classes.
The guide, titled “The 12 Most Critical Risks for Serverless Applications,” was written for both security and development audiences dealing with serverless applications, but it goes well beyond pointing out the risks: it also provides best practices for all major platforms. The risk categories are defined as follows:
Risk 1: Function Event-Data Injection
Serverless functions can consume input from different types of event sources, and each event source has its own message format and encoding schemes. Various parts of these event messages may contain attacker-controlled or untrusted inputs that should be carefully inspected.
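The following is an added example, not code from the CSA/PureSec guide, showing how a function can treat every event source as untrusted input: it classifies the event by its envelope, pulls out only the fields the business logic needs, and validates each against an allowlist before anything downstream sees it. The event shapes are constructed samples modelled on the API Gateway proxy, S3 notification and SQS record formats; the order fields, allowlist patterns and size limit are assumptions made for the example.

```python
"""Added example (not from the guide): validating untrusted fields in
Lambda-style events that arrive from different sources."""
import json
import re
from typing import Any, Dict, List
from urllib.parse import unquote_plus

# Allowlists for the only two business values this handler accepts (assumed).
ORDER_ID_RE = re.compile(r"^[A-Z0-9]{6,12}$")
OBJECT_KEY_RE = re.compile(r"^uploads/[A-Za-z0-9_\-]+\.(csv|json)$")
MAX_BODY_BYTES = 4096


class InvalidEventInput(ValueError):
    """Raised when any part of the event fails validation."""


def detect_source(event: Dict[str, Any]) -> str:
    """Classify the event by its envelope, not by a field a caller could forge."""
    if "httpMethod" in event and "requestContext" in event:
        return "apigw"
    records = event.get("Records")
    if isinstance(records, list) and records:
        src = records[0].get("eventSource")
        if src in ("aws:s3", "aws:sqs"):
            return src.split(":")[1]
    raise InvalidEventInput("unrecognised event envelope")


def parse_json_body(raw: str) -> Dict[str, Any]:
    """Bound the size before parsing, then require well-formed JSON."""
    if len(raw.encode("utf-8")) > MAX_BODY_BYTES:
        raise InvalidEventInput("body too large")
    try:
        return json.loads(raw)
    except json.JSONDecodeError as exc:
        raise InvalidEventInput(f"malformed JSON: {exc.msg}") from exc


def validate_order(payload: Any) -> Dict[str, Any]:
    """Same check for an order whether it came over HTTP or a queue."""
    if not isinstance(payload, dict):
        raise InvalidEventInput("payload must be a JSON object")
    unexpected = set(payload) - {"orderId", "quantity"}
    if unexpected:
        raise InvalidEventInput(f"unexpected fields: {sorted(unexpected)}")
    order_id = payload.get("orderId")
    if not isinstance(order_id, str) or not ORDER_ID_RE.match(order_id):
        raise InvalidEventInput("orderId fails allowlist")
    qty = payload.get("quantity")
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 1000:
        raise InvalidEventInput("quantity out of range")
    return {"orderId": order_id, "quantity": qty}


def extract_untrusted_inputs(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return only validated values; every source maps to the same trusted shape."""
    source = detect_source(event)
    if source == "apigw":
        # The HTTP body is fully caller-controlled.
        return [validate_order(parse_json_body(event.get("body") or ""))]
    if source == "s3":
        # Object keys are chosen by whoever wrote the object and arrive URL-encoded.
        out = []
        for rec in event["Records"]:
            key = unquote_plus(rec["s3"]["object"]["key"])
            if not OBJECT_KEY_RE.match(key):
                raise InvalidEventInput(f"object key fails allowlist: {key!r}")
            out.append({"objectKey": key})
        return out
    # sqs: each record body is an opaque string written by the producer.
    return [validate_order(parse_json_body(rec["body"])) for rec in event["Records"]]


def is_rejected(event: Dict[str, Any]) -> bool:
    """True when the event is refused rather than handed to business logic."""
    try:
        extract_untrusted_inputs(event)
        return False
    except InvalidEventInput:
        return True


# Constructed sample events (not captured from any real account).
SAMPLE_APIGW = {"httpMethod": "POST", "requestContext": {},
                "body": json.dumps({"orderId": "ABC123", "quantity": 3})}
SAMPLE_S3 = {"Records": [{"eventSource": "aws:s3",
                          "s3": {"object": {"key": "uploads/report_2024.csv"}}}]}
SAMPLE_S3_BAD = {"Records": [{"eventSource": "aws:s3",
                              "s3": {"object": {"key": "uploads/..%2F..%2Fetc%2Fpasswd"}}}]}
SAMPLE_SQS_BAD = {"Records": [{"eventSource": "aws:sqs",
                               "body": json.dumps({"orderId": "ABC123' OR 1=1", "quantity": 3})}]}

if __name__ == "__main__":
    print(extract_untrusted_inputs(SAMPLE_APIGW))
    print(extract_untrusted_inputs(SAMPLE_S3))
    print("s3 traversal rejected:", is_rejected(SAMPLE_S3_BAD))
    print("sqs injection rejected:", is_rejected(SAMPLE_SQS_BAD))
```

The point of funnelling every source through `extract_untrusted_inputs` is that the handler body only ever sees the two validated values, so a new event source added later cannot quietly introduce an unchecked field.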
Risk 2: Broken Authentication
Since serverless promotes a microservices-oriented system design, applications may contain dozens or even hundreds of functions. Applying robust authentication …
Author: Ory Segal, CTO, PureSec