From the early days of PureSec, we’ve been talking about the fact that our technology was designed to be cross-platform, allowing it to run in any kind of serverless environment. PureSec customers can already deploy our serverless security solution for AWS Lambda and Azure Functions, and as of today, we’re excited to release our first security contribution for Google Cloud Function developers - FunctionShield.
"FaaS developers face a unique set of challenges when securing their applications, and FunctionShield is an important step towards helping them achieve least privilege. We're excited to work with Puresec to ensure their products provide GCF developers a secure platform that remains fast and easy to develop on." (Mike McDonald, Product Manager at Google)
What is FunctionShield?
First, a quick overview of FunctionShield for GCF developers:
FunctionShield is a 100% free Google Cloud Functions security library that equips developers with the ability to easily enforce strict security controls on the Google Cloud Functions runtime by addressing 4 common use cases:
Disable outbound internet connectivity (except for Google Cloud resources) from the serverless runtime environment, if such connections are not required
Disable read/write on the /tmp/ directory, if such operations are not required
Disable child process execution, if such execution is not required by the function
Disable read access to the function's handler and prevent source code leakage
In addition to the security protections provided, developers also gain tremendous security visibility when using FunctionShield, even if it's just set to "alert". With FunctionShield deployed in your functions, you can quickly get an idea of what your function is executing, who it is communicating with, and whether or not it is writing to disk.
Why Use FunctionShield?
FunctionShield provides developers with the ability to control & harden their serverless runtime environment against malicious actions. One use-case for using FunctionShield is to mitigate the risk involved in using non-trusted open source packages. You can read more about this use-case in a blog post we recently published.
How Does FunctionShield Work?
FunctionShield uses a proprietary behavioral-based runtime protection engine, which enforces the behavior that you define. FunctionShield lives in and around the serverless language runtime. All you have to do is import the library into your code. No function wrapping required. FunctionShield doesn't wrap your code, or perform any kind of monkey-patching.
Installing & Using FunctionShield
Follow the installation instructions on the FunctionShield web page. Please note that at the moment, FunctionShield for GCF supports all available runtimes (Node.js and Python at the time of writing).
Here is a sample Google Cloud Function, which uses FunctionShield and will demonstrate real security triggers:
Logging & Security Visibility
FunctionShield logs are sent directly to your function's Google Cloud logs. Here are a few sample logs, demonstrating the log format you should expect: