PureSec disclosed on July 24 that it had reported a pair of vulnerabilities in the Apache OpenWhisk serverless runtime that could have put users at risk. Apache OpenWhisk is an open-source project that also serves as the basis for the IBM Cloud Functions service. The two flaws, CVE-2018-11756 and CVE-2018-11757, could have enabled a remote attacker to overwrite the source code of a vulnerable function.
PureSec exits Beta to secure serverless code July 19th 2018
"You might think that a process that lasts only milliseconds wouldn’t be subject to conventional kinds of attacks, but the fact is serverless functions are designed to take human checks and balances out of the equation," says company co-founder Ory Segal, and if you don’t set up the functions correctly you could be vulnerable.
Today we are announcing general availability of our serverless security platform. We would like to thank all of our design partners and beta customers for supporting us since we started building our product in October 2016. The PureSec Serverless Security Platform provides comprehensive threat protection for serverless architectures. Since the beta program launched in April 2018, we are already protecting customers with more than 2.5 billion monthly serverless function executions.
The attack has yet to be discovered in the wild, but the proof-of-concept executed by PureSec should be enough to give anyone using serverless computing in the cloud cause for concern: A successful attack would leave an affected organization with a massive bill for all the resources used by the crypto hijacker.
"We are excited to partner with PureSec on securing Serverless applications," said Nir Mashkowski, Microsoft's Director of Program Management for Azure Functions. "Defending apps can be challenging in the new, serverless paradigm. We've worked closely with the PureSec team to ensure their solution is tightly integrated with Azure Functions, so while Microsoft secures the underlying infrastructure, PureSec's SSRE secures the application layer."
PureSec's software offers those running serverless code – whether you call it an application or a function – the ability to detect and mitigate common app vulnerabilities, such as injection attacks, path traversal attacks, misconfigured resources, dependency bugs, and exposed secrets, among others, in real time.
More than 20% of open-source serverless applications contain critical security vulnerabilities, according to an audit by PureSec. An evaluation of 1,000 open-source serverless projects revealed that 21% of them contained one or more critical vulnerabilities or misconfigurations, which could allow attackers to manipulate the application and perform various malicious actions.
"More than one in five serverless applications contains critical security vulnerabilities according to an audit by PureSec, the leading serverless security company. Revelation comes as PureSec launches first Serverless Security Runtime Environment for AWS Lambda"
“We are extremely excited to be the winners and leaders of this emerging category. We see it as a testimony that the industry realizes serverless architectures mandate a new approach for application security, one that is 100% serverless and was designed specifically for serverless applications from the ground up. PureSec is proud to set the standard and lead this category.
In order to continue to do so, we are launching today the first State of Serverless Security Survey. We call on the industry to take part in the survey and contribute to the effort to bring data and best practices to the Serverless space. We will share the results in a comprehensive report later this year”.
Dark Reading: "Where to Find Security Holes in Serverless Architecture" January 18th 2018
"Serverless architectures take away business responsibility for server management, but security should still be top of mind. Application security is getting a twist with the rise of serverless architectures, which introduce a new way of developing and managing applications - and a new wave of related security risks. Businesses are looking to serverless architectures to drive simplicity and reduce cost. Applications built on these platforms scale as cloud workloads grow, so developers can focus on product functionality without worrying about the operating system, application server, or software runtime environment, explains Ory Segal, PureSec CTO"
"Tel Aviv, Israel-based startup PureSec emerged from stealth mode on Wednesday with a security platform designed for serverless architectures and a guide that describes the top 10 risks for serverless applications. Founded by Shaked Zin (CEO), Avi Shulman (VP of R&D) and Ory Segal (CTO), PureSec raised $3 million in May 2017 in a seed round led by TLV Partners. PureSec’s product is powered by the company’s Serverless Security Runtime Environment (SSRE) technology, which provides a trusted and safe environment for serverless functions."
ZDNet: "The top 10 security challenges of serverless architectures" January 17th 2018
"Serverless architectures, also known as function as-a-service (FaaS), are used in the enterprise to both build and deploy software and services without the need for in-house physical or virtual servers. This kind of architecture has proven popular due to inherent scalability and compatibility with cloud services and includes AWS Lambda, Azure Functions, Google Cloud Functions, and IBM BlueMix Cloud Functions. However, as noted in a new report by PureSec, it is not immune to the security issues which impact more traditional server-based systems. On Wednesday, the serverless architectures security firm released a new report detailing the most common security issues and challenges facing these systems today."
“After researching serverless architectures for months, working with partners and customers and collecting feedback from serverless aficionados, we compiled this top ten list to help organizations in adopting this new and promising technology, while staying secure,” said Segal. “This document will be an ongoing effort, which will evolve over time as we collect more intelligence and knowledge on the risks involved with serverless architectures”.