As we're nearing the end of the year, it's time to look back and reflect on all the great things achieved during 2018. This year was remarkable for the Serverless security space, for our customers, and for the PureSec team.
Here are our highlights from 2018:
- Serverless Top 10 Guide: we opened 2018 with releasing the first ever Serverless Security Top 10 guide. The guide was a joint effort between many industry thought leaders and the PureSec team, and was very well received by the media and community. Here are just a few notable mentions: ZDnet, SecurityWeek, Serverless.com and DarkReading
- The Serverless Security Mind-shift: in January we launched a new blog series titled "Securing Serverless", which covered many of the obstacles related to application security in serverless, such as the need for serverless-native runtime protections
- Best Serverless Security Award: PureSec won the "Best Serverless Security" award from the Cybersecurity Excellence Award competition.
- AWS Lambda Security Partnership: in February, PureSec became the first AWS Lambda security partner. This was a significant milestone in our way of establishing and leading the new "serverless security" industry (Link)
- Serverless ReDoS Weakness: Our threat research team releases the first ReDoS vulnerability (CVE-2018-7560) related to an NPM package specifically created for use with AWS Lambda (advisory)
- Defining the "Serverless Security Platform": PureSec defines its vision of what makes a good serverless security solution - the 6 principles that guided us in designing our platform
- How Big Is The Serverless Security Problem? PureSec threat research team ran a survey across 1,000 open-source serverless projects, and exposed that 21% of them contained one or more critical vulnerabilities or misconfigurations, allowing attackers to manipulate applications and perform various malicious actions. (Link)
- Unveiling PureSec Serverless Security Platform for AWS Lambda, v1.0 Beta: for the first time, organizations using AWS Lambda could deploy a serverless-native application security solution, which provides full lifecycle security - hardening configurations and IAM permissions, applying event-data inspection against injection based attacks, and providing behavioral protection for functions (Link)
- Tech preview of PureSec Serverless Security Platform for Azure Functions: PureSec serverless security platform tech preview for Azure Functions was presented live on stage at the Microsoft Build 2018 conference in Seattle (Video)
- Serverless Crypto Jacking: sounds trivial right? well, it wasn't back then. Our threat research team releases a paper demonstrating how malicious users can abuse weaknesses in serverless code to run crypto-mining malware in serverless-scale (blogpost Link, TheRegister article, TechRepublic article)
- The 1st. Serverless Security Survey: in an attempt to gauge the state of serverless security, PureSec conducted a survey among 304 technology professionals and found out that 35% of the companies have no security guidelines or tools for securing their serverless applications (RESULTS)
- PureSec SSP v1.0 general availability: our flagship product launches and becomes the world's first serverless-native application security solution (TechCrunch article)
- FunctionShield: in an effort to help developers jump on the serverless bandwagon with confidence, we released a free security library for AWS Lambda developers. Using the library, developers can control certain runtime security attributes that were previously impossible to control (LINK)
- Apache OpenWhisk Security Advisory: PureSec threat research team helped secure Apache OpenWhisk (an open source serverless platform) by discovering a critical weakness and providing a security fix. This is probably the first ever CVE related directly to a serverless security platform that was published. (Advisory, CVE-2018-11756, CVE-2018-11757, eWeek article, TheRegister article, SecurityWeek article, SCMagazine article)
- OWASP Cloud-Native Top 10: PureSec launches the OWASP Cloud-Native top 10 project, covering everything Cloud-Native, from serverless to containers and micro-services (Link)
- Series A Funding: PureSec raises $7M in series A funding.
- PureSec wins the 'LambdaShell' Bounty Hunt: LambdaShell - an experiment to gauge the security of serverless applications through a public bounty hunt is created. PureSec threat research team ends up #1st place, and the only participant to find a critical vulnerability and take down the site (DarkReading article)
- FunctionShield for Google Cloud Functions: as a result of market demand, we released FunctionShield support for Google Cloud Functions. Yet again, PureSec makes the first move in helping developers to control certain runtime security attributes in GCF, and helping make serverless apps more secure (Link)
- PureSec AWS Lambda protection Layer: At Re:Invent, AWS launched 2 ground-breaking capabilities - Lambda layers, and Runtime API. These features enable a lot of innovation and creativity, and allowed us to launch a new zero-overhead deployment experience for the PureSec serverless security platform (blog post)
- OWASP ServerlessGoat: there's no better way to learn about security than to experience it first hand. ServerlessGoat is a deliberately vulnerable AWS Lambda serverless application, which is simple to deploy and use. The project exposes developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices (OWASP project page)
- AWS Lambda Security Best-Practices eBook: our last contribution to the community is this eBook, which covers a lot of the security basics and will hopefully help organizations to adopt serverless with confidence (Link)
Final words for 2018
2018 was truly a remarkable year for serverless in general, and serverless security in particular. Serverless platforms evolved rapidly, frameworks matured, tooling and processes were developed and it's clear that serverless architectures became much more accessible and easy to adopt.
From a security point of view, 2018 introduced a huge change in mindset. Just a year ago, the few blog posts and articles related to serverless security concentrated on IAM permissions and 3rd party open source vulnerabilities - in December 2018, we already have our own Serverless Security Top 10 guide, serverless security platforms, hacking challenges (link), dedicated news articles and slack channels...but most importantly - we finish 2018 with the most important thing of all - serverless security awareness.