There are three general ways an attacker may subvert serverless function logic:
1. By controlling event data (input) during function invocation
2. By modifying the code or configuration of serverless functions
3. By compromising external resources with which the function interacts while it executes
In order to help secure serverless functions from application-layer attacks, PureSec launched the world’s first and most comprehensive serverless security platform in April 2018. The platform integrates tightly into the serverless CI/CD process through a unique static analyzer that flags and automatically remediates over-permissive IAM roles, detects known vulnerable third-party dependencies, and finds application secrets that are stored insecurely in the code.
In addition to the serverless static analyzer, PureSec launched the world’s first serverless runtime protection: a unique serverless-native runtime protection engine capable of detecting malicious event inputs and of preventing functions from performing malicious actions, based on behavioral analysis.
The capabilities of the PureSec serverless security platform mitigate the risks related to items #1 and #3 above, however, we didn’t want to stop there - today, we are announcing a new capability available as an alpha-release to select customers - Function Code Integrity for AWS Lambda security.
The purpose of this capability is to provide code integrity and visibility through continuous monitoring of deployed (and executed) functions. When PureSec customers integrate our platform into their CI/CD process, the platform performs code signing on the functions it scans and deploys. The platform then periodically checks the deployed functions to make sure that they still match their known signature. In addition, PureSec alerts on unknown/rogue functions (functions that were never signed through the pipeline) and on functions whose code integrity signature differs from the recorded one. Similar checks occur periodically on invoked functions, in order to make sure that they were not tampered with between deployment and execution.
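The check described above, as an added illustration rather than PureSec's own implementation: a baseline of code digests is signed at deploy time, and a later inventory of deployed functions is compared against it, yielding the three alert conditions the text names (modified code, unknown functions, and missing functions). The signing key, function names and package bytes are all constructed for the example; in a real deployment the per-function digest would come from the `CodeSha256` field that the AWS Lambda `GetFunction`/`ListFunctions` APIs return (a base64-encoded SHA-256 of the deployment package), which is the format `package_digest` mimics here.

```python
"""Lambda code-integrity drift check (added example, not PureSec's code)."""
import base64
import hashlib
import hmac

# Constructed: the key the CI/CD integration would hold for signing baselines.
SIGNING_KEY = b"constructed-demo-key"


def package_digest(package_bytes: bytes) -> str:
    """Digest a deployment package the way Lambda reports CodeSha256."""
    return base64.b64encode(hashlib.sha256(package_bytes).digest()).decode()


def sign_digest(function_name: str, code_sha256: str, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 over name + digest, so a signature is bound to one function."""
    msg = f"{function_name}\n{code_sha256}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_baseline(deployed: dict, key: bytes = SIGNING_KEY) -> dict:
    """Record, per function, the code digest and a signature over it at deploy time."""
    return {
        name: {"code_sha256": digest, "signature": sign_digest(name, digest, key)}
        for name, digest in deployed.items()
    }


def check_integrity(baseline: dict, current: dict, key: bytes = SIGNING_KEY) -> dict:
    """Compare the current function inventory against the signed baseline."""
    report = {"ok": [], "modified": [], "unknown": [], "missing": [], "bad_baseline": []}
    for name, entry in baseline.items():
        expected_sig = sign_digest(name, entry["code_sha256"], key)
        if not hmac.compare_digest(expected_sig, entry["signature"]):
            # The baseline record itself does not verify: treat it as tampered.
            report["bad_baseline"].append(name)
            continue
        if name not in current:
            report["missing"].append(name)
        elif current[name] != entry["code_sha256"]:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    for name in current:
        if name not in baseline:
            # Deployed, but never signed through the pipeline: a rogue function.
            report["unknown"].append(name)
    return report


# Constructed inventory at scan/deploy time.
DEPLOYED_AT_SCAN = {
    "orders-api": package_digest(b"constructed package bytes for orders-api v1"),
    "image-resizer": package_digest(b"constructed package bytes for image-resizer v1"),
}
BASELINE = build_baseline(DEPLOYED_AT_SCAN)

# Constructed later inventory: orders-api was changed outside CI/CD,
# image-resizer is gone, and a function nobody signed has appeared.
CURRENT_INVENTORY = {
    "orders-api": package_digest(b"constructed package bytes for orders-api, modified"),
    "backup-helper": package_digest(b"constructed package bytes for an unsigned function"),
}


def demo_report() -> dict:
    """Run the periodic check over the constructed inventories."""
    return check_integrity(BASELINE, CURRENT_INVENTORY)


if __name__ == "__main__":
    for status, names in demo_report().items():
        print(f"{status}: {names}")
```

Each non-empty `modified`, `unknown`, `missing` or `bad_baseline` entry is the kind of finding that would be raised as an alert; emitting the report as a structured log line is enough to land it in the cloud provider's native log facility.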
Alerts and notifications from the new capability will be available to customers through the PureSec web management console, and through the native cloud provider log facilities (e.g. AWS CloudWatch). Additional notifications can also be consumed through other supported integrations of our platform.