Having spent the last year and a half evangelizing serverless security and explaining how PureSec can help organizations with securing their serverless applications, it dawned on me that many people don’t have a clear understanding as to what really needs to be secured, and what is the problem we are trying to solve.
You can’t really blame folks for struggling to keep up with technological advancements and the myriad of security product categories that pop up every other week. It’s true that many such products are redundant or superfluous - products that try to solve the exact same problem, over and over again, but from a slightly different angle.
However, from time to time, one stumbles upon a real need - an actual challenge that requires a completely new approach or solution.
I was lucky enough to be a member of the original team that developed the world’s first Web Application Firewall (Sanctum AppShield) back at the end of the 1990s. The moment I was introduced to the concept of web application security (we actually called it “web perversion” back then...), I knew that there was a real need for something completely new - something that no other product or technology could solve.
I even got luckier in 2000, when my team developed the world’s first automated web application security scanner (AppScan). Yet again, the need for a new category of products was crystal clear to us - there was no other technology capable of automatically detecting vulnerabilities in web applications.
And then, luck struck for the third time as I joined Akamai to help develop what was the world’s first cloud-based WAF - a concept that raised many eyebrows, especially among folks who couldn’t get past the on-premise appliance barrier. Akamai had the right idea at the right time. In fact, many say that the Cloud-WAF model is actually what turned a once stagnating industry with a single leader into a billion-dollar industry with dozens of legitimate vendors (check out Gartner’s WAF Magic Quadrant).
Let’s fast forward back to today.
With the dramatic rise in the adoption of serverless architectures, it is again clear that we are facing a new challenge.
Just like with any other type of software, serverless functions may be vulnerable to application layer attacks. If serverless functions contain vulnerabilities, malicious users and hackers will quickly find and exploit them in order to tamper with or steal sensitive data, damage the application, deny service to other users and so forth. The risk is the same risk. But the premise has changed dramatically.
We, the developers and owners of serverless applications, have no ability to deploy the traditional application security protections we’ve been using for the past 20 years. We are no longer in control of the infrastructure on which our applications run, which is where all traditional application security protections used to be hosted. But at the same time, we are still very much responsible for securing our own applications from hackers - and committed to delivering secure and reliable applications to our own customers.
Securing the application layer in a serverless world is the next frontier that requires a new approach.
As pioneers in the world of serverless security, we at PureSec asked ourselves this important question:
“What makes a good serverless security solution?”
Based on decades of experience in the cybersecurity and application security industry and hundreds of hours spent learning about the needs, environments and serverless security challenges of our design partners, we formulated the six principles of a good serverless security solution. These principles do not dictate a specific technology for solving the problem, but they can be considered as key requirements that must exist in any good serverless security solution.
The 6 principles are (the complete guide describes each principle in more detail):
- A good serverless security solution is serverless
- A good serverless security solution is platform and environment agnostic
- A good serverless security solution is future-proof
- A good serverless security solution is high-performing and lightweight
- A good serverless security solution provides high accuracy without compromising security
- A good serverless security solution is low touch and unobtrusive to users
Since no traditional application layer protection technology can be deployed in serverless environments (see my “Securing Serverless” blog series for an in-depth explanation), and since no existing product fulfilled all six principles mentioned above, we defined a brand new category of application security solutions that provide the best, most suitable security protection for serverless architectures.
We named it “Serverless Security Runtime Environment,” or SSRE for short.
An SSRE is a trusted, secure execution environment for serverless functions. It generates a runtime environment that protects serverless functions from external malicious activity while also protecting the applications that contain the serverless functions. An SSRE provides platform-agnostic “secure once, run anywhere” application layer protection that never requires re-applying security when a function moves to a new serverless environment. It offers a high level of visibility into function execution so organizations can perform effective security event analysis. An SSRE is lightweight, fast and proportional to the functions it protects. And most importantly, an SSRE is serverless.
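To make the "protection that travels with the function" idea concrete, here is an added illustration that is not PureSec code and not part of the original post: a small Python wrapper that an event-driven function carries with it, so the input check and the execution audit trail live in the function's own runtime rather than in infrastructure the owner no longer controls. The `ORDER_SCHEMA` allowlist, the `place_order` handler, the `(event, context)` calling convention and the in-memory `AUDIT_LOG` are all assumptions chosen for the example; a real deployment would ship the audit records to its logging sink.

```python
import json
import re
import time
from functools import wraps

# Constructed allowlist for a hypothetical order-placement function:
# each field declares the exact type it must have and the bounds it must respect.
ORDER_SCHEMA = {
    "order_id": {"type": str, "max_len": 36, "pattern": r"^[A-Za-z0-9-]+$"},
    "quantity": {"type": int, "min": 1, "max": 1000},
}

# Stand-in for the log sink that gives analysts visibility into each invocation.
AUDIT_LOG = []


def validate_event(event, schema):
    """Return a list of violations; an empty list means the event is acceptable."""
    violations = []
    if not isinstance(event, dict):
        return ["event is not a JSON object"]
    for key in event:
        if key not in schema:
            violations.append(f"unexpected field: {key}")
    for name, rule in schema.items():
        if name not in event:
            violations.append(f"missing field: {name}")
            continue
        value = event[name]
        # Exact type match: a bool must not pass as an int, a float must not pass as an int.
        if type(value) is not rule["type"]:
            violations.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            violations.append(f"{name}: longer than {rule['max_len']} chars")
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            violations.append(f"{name}: contains disallowed characters")
        if "min" in rule and value < rule["min"]:
            violations.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            violations.append(f"{name}: above maximum {rule['max']}")
    return violations


def protected(schema):
    """Decorator that validates the event before the handler runs and records the outcome.

    Because it is attached to the function itself, the same protection applies
    wherever the function is deployed; nothing has to be re-applied per platform.
    """
    def decorator(handler):
        @wraps(handler)
        def wrapper(event, context):
            started = time.monotonic()
            violations = validate_event(event, schema)
            if violations:
                AUDIT_LOG.append({
                    "handler": handler.__name__,
                    "action": "blocked",
                    "reasons": violations,
                })
                # Reject without ever invoking the business logic.
                return {"statusCode": 400, "body": json.dumps({"error": "rejected input"})}
            result = handler(event, context)
            AUDIT_LOG.append({
                "handler": handler.__name__,
                "action": "allowed",
                "duration_ms": round((time.monotonic() - started) * 1000, 3),
            })
            return result
        return wrapper
    return decorator


@protected(ORDER_SCHEMA)
def place_order(event, context):
    """Hypothetical business logic; only reached when the event passed validation."""
    return {"statusCode": 200, "body": json.dumps({"ok": True, "order_id": event["order_id"]})}


if __name__ == "__main__":
    print(place_order({"order_id": "abc-123", "quantity": 2}, None))
    print(place_order({"order_id": "abc 123!", "quantity": 2}, None))
    print(json.dumps(AUDIT_LOG, indent=2))
```

The schema is deliberately an allowlist rather than a blocklist of bad patterns: unexpected fields, wrong types and out-of-range values are all rejected before the handler sees them, and every decision, allowed or blocked, leaves an audit record that can be correlated during security event analysis.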
We trust that these 6 principles will guide you when you come to evaluate solutions for securing your serverless application against application layer attacks.
Download the complete 6 principles guide here: (link)