Securing Serverless Applications Against the Most Critical Risks
If you’re a developer working in a cloud environment, there’s a good chance that you’ve either started thinking about serverless computing or have already started to deploy it. And why not? Unlike VMs or container clusters, serverless functions allow you to delegate infrastructure management to the cloud provider, freeing you to do what you do best—development. They’re “pay-as-you-go” (sort of like taking an Uber right when you need it instead of buying or renting a car). Cool stuff.
The Cloud Native Computing Foundation (CNCF) defines serverless computing as “the concept of building and running applications that do not require server management. It describes a finer-grained deployment model where applications, bundled as one or more functions, are uploaded to a platform and then executed, scaled, and billed in response to the exact demand needed at the moment.”
There are two main types of serverless functions: Functions-as-a-Service, which is event driven (triggered by events or HTTPS requests) and Backend-as-a-Service, which are third-party and API based and can offer core sets of functionalities. Both types confer the advantage of flexible scalability and the fact that you don’t pay for computing resources when they’re not in use.
When should you consider using serverless functions?
A CNCF whitepaper suggests the following use cases as optimal for serverless:
- When the workload is asynchronous, concurrent, easy to parallelize into independent units of work
- Infrequent or has sporadic demand, with large unpredictable variance in scaling requirements
- Stateless, ephemeral, without a major need for instantaneous cold start time
- Highly dynamic in terms of changing business requirements that drive a need for accelerated developer velocity
The cost of convenience
Despite its benefits, serverless computing comes with a few downsides, with security topping the list. While it’s true that serverless computing shifts some of the security burden on to the cloud providers (such as patching, configuring infrastructure, and setting up account management), it also means that you have less visibility, making it more difficult to identify vulnerabilities or detect attacks. Their ephemeral nature complicates the problem even more. Traditional security approaches are often inadequate here. Serverless functions often violate legacy security controls and pave the way for vulnerabilities.
Here are just a few of the types of threats posed by serverless functions:
- Overprivileged functions (make sure you’re always following the principle of least privilege)
- Broken authentication
- Inadequate monitoring and logging
- Insecure third-party dependencies
- Event-level injection (this might include untrusted inputs in application calls or code modifications—not just API calls)
- Insecure code/security misconfiguration that leads to application-level attacks
- If your environment is attacked, it becomes difficult to track down the source (because the function is ephemeral)
The bottom line is that while serverless computing offers many valid benefits, you’ll need a security solution in place to ensure that the risks won’t outweigh them.
Policy-based, environment-level security
As we discussed earlier, one of the problems with securing serverless functions is that they are ephemeral, making them hard to monitor and making security problems difficult to diagnose. One way to approach this is to implement policies and permissions that can be extended across your entire environment.
For example, you might want to define a policy that requires every function to have adequate authorization or that it does not expose secrets or sensitive data. If you were able to detect serverless functions that violated these policies, you could potentially kill them before they presented unacceptable risks. If you were able to automatically apply this policy across your entire environment, you’d ensure consistent security and significantly lower your risk profile.
Panoptica lets you do just that.
Here’s how it works: after connecting it to your cloud account*, Panoptica scans your serverless functions for security issues and vulnerabilities and gives them an internal risk score, ranking them based on the score. The score takes the following into account:
- The presence of secrets—such as keys and passwords—in the functions code or environment variables
- Code vulnerabilities in open-source packages or dependencies
- Inappropriate or excessive permissions granted to functions (providing remediation guidance based on the least-privilege model)
- Functions with public-access exposure and access to data sources that might be targets for exfiltration
- "Dead," inactive functions
- Authentication and authorization of functions, verifying identified and authorized function triggers
You can manually trigger a scan at any time, or you can schedule scans to be run at regular intervals. The scan will check all functions in the account (the specific region) and indicate findings in the Functions tab (see illustration, below). The scan is done in the user's cloud account (using a function added to the account when the account is added). The function code is not examined and does not leave the account.
You can configure the policies, customizing the types of risks that apply to your environment. If Panoptica’s risk score rises to an unacceptable level, you can set it to kill the process and alert you—letting you know exactly which serverless function triggered the alert. You can drill down to show details, including security risks (aggregated risk score) and known code-vulnerability findings (see illustration, below). Pretty slick.
Ready to learn more about Panoptica, including its serverless security features? Check out a quick point-and-click demo. If you have a Kubernetes cluster installed anywhere you can try out Panoptica’s free tier (no credit-card required—go to the Panoptica website and click on the “Sign Up” button in the top right corner of the page) and use our Quick Start to connect Panoptica to your cluster. No cluster? No problem! Play in our Sandbox, which will help you connect to a pre-defined cluster and lead you through the various features, including serverless security.
*While Panoptica currently only supports AWS Lambda, it will soon also be available for Microsoft Azure Function and Google Cloud Function.