The Current Gap Between Serverless and Security
While serverless environments offer some security advantages, they also introduce unique challenges:
Legacy AST tools were not designed for the nature of serverless applications, so they cannot deliver fast or accurate testing results. They have poor visibility into serverless architectures because of "no-edge blindness": functions are invoked by events rather than exposed at a public-facing endpoint or URL, so a scanner that crawls URLs never reaches them. The abstraction of the infrastructure, network, and virtual machines leaves traditional tools with no context to reference. This reduces the accuracy of testing results: upwards of 85% of alerts turn out to be false positives. And while some vendors may tout static scans for serverless applications, scanning code with zero context is not a true or effective serverless AST solution.
Using traditional AST solutions for serverless applications also requires complex evaluation and tuning by security experts, which slows down deployment. Security testing operations may also require manual intervention by security and development teams to triage and analyze results, because of the high rate of false-positive alerts. These barriers make it very difficult for traditional application security tools to scale with the rigorous demands of serverless development processes.
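The "no-edge blindness" point above can be made concrete by building a function inventory from an infrastructure-as-code template instead of from URLs. The following Python is an added example written for this page, not Contrast's code or a description of how its product works; the template is a constructed, already-parsed SAM-style document (Resources of type AWS::Serverless::Function with an Events map), and the classification of event types as "edge" or "untrusted input" is an assumption made for the example.

```python
"""Inventory serverless functions from an IaC template and flag the ones a
URL-crawling scanner would never see.

Added example for illustration only (not Contrast's code). The template
below is constructed for this example; it follows the AWS SAM layout
(Resources -> AWS::Serverless::Function -> Properties.Events).
"""
from typing import Dict, List

# Constructed SAM-style template, as it would look after YAML/JSON parsing.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ApiHandler": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "api.handler",
                "Events": {
                    "GetItem": {"Type": "Api",
                                "Properties": {"Path": "/items", "Method": "get"}},
                },
            },
        },
        "ImageResizer": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "resize.handler",
                "Events": {
                    "Upload": {"Type": "S3",
                               "Properties": {"Bucket": "uploads-bucket-placeholder",
                                              "Events": "s3:ObjectCreated:*"}},
                },
            },
        },
        "OrderWorker": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "orders.handler",
                "Events": {
                    "Queue": {"Type": "SQS",
                              "Properties": {"Queue": "arn:aws:sqs:REGION:ACCOUNT:orders-placeholder"}},
                },
            },
        },
        "NightlyReport": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "report.handler",
                "Events": {
                    "Cron": {"Type": "Schedule", "Properties": {"Schedule": "rate(1 day)"}},
                },
            },
        },
        "UploadsBucket": {"Type": "AWS::S3::Bucket"},
    }
}

# Assumed classification for this example: event types that expose an HTTP
# edge a URL-based scanner could reach ...
EDGE_EVENT_TYPES = {"Api", "HttpApi"}
# ... and event types whose payload is shaped by parties outside the
# function's trust boundary (object keys, message bodies, stream records).
UNTRUSTED_EVENT_TYPES = {"S3", "SQS", "SNS", "Kinesis", "DynamoDB", "EventBridgeRule"}


def inventory(template: Dict) -> List[Dict]:
    """Return one record per serverless function: its handler, trigger types,
    whether it has a public edge, and which triggers carry untrusted input."""
    records = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue  # buckets, tables, roles etc. are not scan targets
        props = res.get("Properties", {})
        triggers = sorted(ev.get("Type", "") for ev in props.get("Events", {}).values())
        records.append({
            "name": name,
            "handler": props.get("Handler"),
            "triggers": triggers,
            "has_edge": any(t in EDGE_EVENT_TYPES for t in triggers),
            "untrusted_inputs": [t for t in triggers if t in UNTRUSTED_EVENT_TYPES],
        })
    return records


def no_edge_blind_spots(template: Dict) -> List[str]:
    """Functions that consume untrusted event data but have no URL: these are
    exactly the ones an edge-only scanner reports nothing about."""
    return [r["name"] for r in inventory(template)
            if not r["has_edge"] and r["untrusted_inputs"]]


if __name__ == "__main__":
    for rec in inventory(SAMPLE_TEMPLATE):
        print(rec)
    print("Invisible to URL-based scanning but fed untrusted input:",
          no_edge_blind_spots(SAMPLE_TEMPLATE))
```

Run against the constructed template, the inventory lists four functions, of which only ApiHandler has an HTTP edge; ImageResizer (S3) and OrderWorker (SQS) receive externally influenced data with no URL at all, and NightlyReport is triggered only by a schedule. A scanner that starts from endpoints would test one function out of four; an inventory that starts from the deployment context sees all of them and knows which inputs to treat as untrusted.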
Purpose-built Security for Serverless Applications
Contrast Serverless Application Security—Solution Features
Deployment and Management
Figure: Contrast Serverless “Functions” shows detailed per-function summaries
Figure: Contrast Serverless “Results” includes contextual remediation guidance
Settings: After the initial solution setup, users can make further changes at any time to adjust their inventory and scan controls as needed. For example, a subset of the AWS account can be scoped to work with Contrast Serverless Application Security, and application security teams can configure which security scans run continuously on every change.
Figure: Contrast Serverless “Settings” allows for solution customization