Did you know that more than one-in-five serverless applications contains critical security vulnerabilities?
In an evaluation of 1,000 open-source serverless projects, the PureSec threat research team revealed that 21% of them contained one or more critical vulnerabilities or misconfigurations, allowing attackers to manipulate applications and perform various malicious actions.
According to the audit, most vulnerabilities and weaknesses were caused by copying and pasting insecure sample code into real world projects, poor development practices, and lack of serverless education. Six percent of the projects even had application secrets, such as API keys or credentials, posted in their publicly accessible code repositories.
Our infographic below highlights some key results:
The percentage of vulnerabilities discovered was consistent across runtime languages, with the exception of DotNet projects that experience significantly higher levels of vulnerabilities. With the choice of runtime ruled out as a factor, human error was left as the cause for the vulnerabilities.
Using PureSec’s SSRE, all the vulnerabilities discovered in the audit above would have been blocked and mitigated during runtime, or and also detected and fixed through the PureSec CI/CD integrated code and configuration scanning.
For a closer look at the types of vulnerabilities discovered by Puresec, check out our "SERVERLESS SECURITY TOP 10 MOST COMMON WEAKNESSES GUIDE"
Interested to join our beta program? Sign up here.