PureSec recently joined the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. As part of this new partnership with the CSA, we are pleased to announce the release of a new serverless security guide titled “The 12 Most Critical Risks for Serverless Applications”
The purpose of this document is to provide security guidelines for the design and implementation of serverless (Function-as-a-Service) applications. The guide includes design considerations focusing on identifying and mitigating risks, and mitigation recommendations with an emphasis on all major public cloud serverless platforms such as AWS Lambda, Azure Functions and Google Cloud Functions.
The guide is a result of a successful joint project between PureSec and CSA, with additional input and feedback from several dozens of serverless industry thought leaders, and is the most comprehensive effort to classify the potential risks for applications built on serverless architectures to date.
“As industry thought leaders in the serverless security space, many organizations turn to PureSec for advice and recommendations on how to design and build secure serverless applications. CSA felt that PureSec can provide the industry with outstanding insights and invited the company to join our alliance" said J.R. Santos, EVP of Research, Cloud Security Alliance.
The report was written for both security and development audiences dealing with serverless applications, and goes well beyond pointing the risks. It provides mitigations, best-practices and a comparison between traditional applications to their serverless counterparts.
The Top 12 Risks listed in the document are:
- SAS-01: Function event-data injection
- SAS-02: Broken authentication
- SAS-03: Insecure serverless deployment configuration
- SAS-04: Over-privileged function permissions and roles
- SAS-05: Inadequate function monitoring and logging
- SAS-06: Insecure third-party dependencies
- SAS-07: Insecure application secrets storage
- SAS-08: Denial of service and financial resource exhaustion
- SAS-09: Serverless business logic manipulation
- SAS-10: Improper exception handling and verbose error messages
- SAS-11: Legacy / Unused functions & cloud resources
- SAS-12: Cross-execution data persistency
In January 2018, PureSec released the world’s first Serverless Security Top 10 risks guide, which was well received by key players in the serverless industry and was covered by top news outlets such as Dark Reading and ZDNet. The report was based on preliminary data and feedback from serverless evangelists and thought leaders from leading companies.
Since this initial effort in 2018, serverless adoption has seen tremendous growth, providing access to more data regarding the ways organizations harness serverless, their approach to serverless development, and the most common recurring mistakes related to security and privacy of serverless applications. In addition, in the year that passed, new mitigation approaches have surfaced and became standardized, such as PureSec’s industry leading Serverless Security Platform, as well as new features offered by cloud providers, which can help with improving serverless security posture.