You might have come across terms like serverless functions, functions as a service (FaaS), lambda functions, Azure functions, cloud functions and serverless framework. Though they may have different functionalities, these terms all link back to one core concept: the serverless environment.
Serverless environments are cloud-native environments hosted and managed by cloud providers. “Serverless” is something of a misnomer: servers are still involved in executing the program or application, and therefore in the development and deployment of your project.
What the term more accurately describes is that running those servers is no part of your own development work: you write and deploy the application without touching the machines that execute it.
When you use serverless environments, these server responsibilities are taken care of by the serverless environment — or cloud — provider. AWS, Azure and Google Cloud are some of the top vendors providing serverless environments for you to develop and host your serverless functions.
Failing to maintain security in your serverless environment can have a wide range of consequences, from resource depletion to malicious attacks. Therefore, the importance of security, specifically in serverless environments, is no less than in traditional server-based environments.
In this article, we’ll highlight some security risks that can arise in your serverless environments and explore how you can use Contrast’s security tools to keep your serverless environments safe.
Serverless environment security
Some issues that can arise from an improperly secured serverless environment include:
- Event injection — Serverless apps are typically built on an event-based architecture, so serverless functions are invoked in response to events. If a bad actor finds a way to inject manipulated data into an event, your application may unknowingly execute a serverless function that brings the whole application down and, in the most extreme cases, even hands over the entire cloud account.
- Denial-of-service (DoS) attacks — Cloud resources such as lambda functions have limits. For example, they support up to 1,000 concurrent invocations for the entire account and, therefore, for the application. If a function has a long execution time, intentionally or not, and no configuration is in place to limit it, a bad actor who finds a way to invoke it (e.g., via an application programming interface [API], S3, etc.) can DoS the entire application simply by executing that single function continuously in parallel.
- Inclusion of vulnerable libraries — Functions typically consist of little custom code. But in order to support it, they usually have many third-party library dependencies. If your serverless function depends on an open-source library containing vulnerabilities, your application has a potential breach point. In general, relying on third-party tools and API calls creates room for vulnerabilities.
- Exposure of personally identifiable information (PII) — Misconfiguring your serverless functions, not securing the keys used by the functions or logging something sensitive in the logs could lead to the exposure of sensitive data like PII. If the function’s Identity and Access Management (IAM) keys are leaked, the impact could be disastrous, depending on the permissions assigned to that function. After scanning tens of thousands of functions, we’ve found that more than 90% of the functions have too many permissions set. About 60% of them have critical permissions set.
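The event-injection item above is easiest to see in a handler. The following is an added example, not code from the article or from Contrast: an AWS Lambda handler for S3 events that refuses to do any work until every field it relies on has been checked. The bucket allow-list, the key pattern and the sample events are constructed for the example; the event shape (`Records`, `eventSource`, `s3.bucket.name`, `s3.object.key`) is the one S3 delivers.

```python
import re
from typing import Any

# Constructed allow-list: the only bucket this function should ever be invoked for
# (an assumption for this example; a real function would read it from configuration).
ALLOWED_BUCKETS = {"example-uploads-bucket"}

# Object keys are accepted only from a narrow character set with a bounded length.
# S3 delivers keys URL-encoded, so a space arrives as '+' and is rejected on purpose.
KEY_PATTERN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,255}")


class InvalidEvent(ValueError):
    """Raised when an incoming event does not have the shape this function expects."""


def validate_s3_record(record: dict[str, Any]) -> tuple[str, str]:
    """Return (bucket, key) from one S3 event record, raising InvalidEvent otherwise.

    Every field the handler later relies on is checked here, so that anyone able to
    influence the event (directly, or through another service that feeds it) cannot
    steer the function onto data it was never meant to touch.
    """
    if record.get("eventSource") != "aws:s3":
        raise InvalidEvent("unexpected eventSource")
    s3 = record.get("s3")
    if not isinstance(s3, dict):
        raise InvalidEvent("missing s3 section")
    bucket_section, object_section = s3.get("bucket"), s3.get("object")
    if not isinstance(bucket_section, dict) or not isinstance(object_section, dict):
        raise InvalidEvent("malformed bucket or object section")
    bucket, key = bucket_section.get("name"), object_section.get("key")
    if bucket not in ALLOWED_BUCKETS:
        raise InvalidEvent(f"bucket not allowed: {bucket!r}")
    if not isinstance(key, str) or not KEY_PATTERN.fullmatch(key):
        raise InvalidEvent("object key has unexpected characters or length")
    if ".." in key.split("/") or key.endswith("/"):
        raise InvalidEvent("object key contains a traversal segment or names a prefix")
    return bucket, key


def validate_event(event: dict[str, Any]) -> list[tuple[str, str]]:
    """Validate the whole event; the handler does no work until this succeeds."""
    records = event.get("Records")
    if not isinstance(records, list) or not records:
        raise InvalidEvent("event has no Records")
    return [validate_s3_record(r) for r in records]


def handler(event: dict[str, Any], context: Any = None) -> dict[str, Any]:
    """Lambda entry point. Failing fast on a malformed event also keeps each bad
    invocation short, which limits how much concurrency a flood of them can consume."""
    accepted = validate_event(event)
    # The real work (e.g. fetching the object with boto3) would go here and use only
    # the validated bucket/key pairs.
    return {"processed": [f"{bucket}/{key}" for bucket, key in accepted]}


def is_accepted(event: dict[str, Any]) -> bool:
    """Convenience wrapper: True if the event passes validation."""
    try:
        validate_event(event)
        return True
    except InvalidEvent:
        return False


# Constructed sample events (not captured from any real account).
GOOD_EVENT = {"Records": [{"eventSource": "aws:s3", "s3": {
    "bucket": {"name": "example-uploads-bucket"},
    "object": {"key": "reports/2024/q1.csv"}}}]}
TRAVERSAL_EVENT = {"Records": [{"eventSource": "aws:s3", "s3": {
    "bucket": {"name": "example-uploads-bucket"},
    "object": {"key": "reports/../../secrets/config.json"}}}]}
WRONG_BUCKET_EVENT = {"Records": [{"eventSource": "aws:s3", "s3": {
    "bucket": {"name": "someone-elses-bucket"},
    "object": {"key": "a.txt"}}}]}

if __name__ == "__main__":
    print(handler(GOOD_EVENT))
    for sample in (TRAVERSAL_EVENT, WRONG_BUCKET_EVENT):
        print("accepted" if is_accepted(sample) else "rejected")
```

The validation is deliberately an allow-list rather than a block-list: the function states what a legitimate event looks like and rejects everything else, so a new way of crafting a hostile key does not need a new rule. The DoS item in the list is a configuration matter rather than a code one; the handler's only contribution is to fail fast, and the per-function timeout and reserved concurrency still have to be set on the function itself.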
In addition to the security concerns listed above, there are some complexities involved with a serverless environment that you’ll need to navigate. One of the most prevalent is control limitations/constraints. These limitations are largely defined by your serverless provider and can have far-reaching impacts on how you develop.
Additionally, cloud providers limit your ability to manage your serverless functions. Because they manage the servers that enable your functions to execute, you can only do what the cloud provider has exposed and given the control to operate — even if you are the administrator maintaining all the serverless functions.
Serverless environments relieve you of duties related to managing and maintaining servers. This means your cloud provider plays an active role in keeping your environment — and application — secure.
However, maintaining security is a team effort. You, as the developer, are also responsible for ensuring that changes made before and after production don’t contain vulnerabilities. Because you’re most familiar with your system and are involved in the changes, your role is to implement and maintain security throughout the development of your serverless functions and into the release cycle.
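One concrete way to carry out the developer's share of that responsibility, for the over-permissioned functions described in the PII item above, is to lint a function's IAM policy before it is deployed. The following is an added example, not code from the article or from Contrast: a small checker that flags wildcard actions, wildcard resources and a constructed set of "critical" actions in an IAM policy document. The critical-action set, the severity levels and both sample policies (including the account id 123456789012) are assumptions made for the example.

```python
import json
from typing import Any

# Constructed set of actions treated as "critical" for this example: each lets a
# compromised function escalate or persist beyond its own data. This list is an
# assumption for the example, not a definition taken from the article or any vendor.
CRITICAL_ACTIONS = {
    "iam:PassRole", "iam:CreateUser", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "sts:AssumeRole", "lambda:UpdateFunctionCode", "lambda:AddPermission",
}
SEVERITY_ORDER = ["critical", "high", "medium"]


def _as_list(value: Any) -> list[Any]:
    """IAM accepts a single string wherever a list is allowed; normalise both forms."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_least_privilege(policy: dict[str, Any]) -> list[dict[str, Any]]:
    """Return one finding per over-broad grant in an IAM policy document.

    Only Allow statements matter. Each finding carries the statement index, a
    severity and a reason, so it can be surfaced in CI before the function ships.
    """
    findings: list[dict[str, Any]] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append({"statement": idx, "severity": "high",
                             "reason": "NotAction allows every action except those listed; review manually"})
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append({"statement": idx, "severity": "high",
                                 "reason": f"wildcard action {action!r}"})
            elif "*" in action:
                findings.append({"statement": idx, "severity": "medium",
                                 "reason": f"partial wildcard action {action!r}"})
            elif action in CRITICAL_ACTIONS:
                findings.append({"statement": idx, "severity": "critical",
                                 "reason": f"critical action {action!r}"})
        if actions and "*" in resources:
            findings.append({"statement": idx, "severity": "medium",
                             "reason": "Resource '*' instead of the specific ARN(s) the function uses"})
    return findings


def worst_severity(findings: list[dict[str, Any]]) -> str:
    """Highest severity present, or 'none'; useful as a CI gate."""
    for level in SEVERITY_ORDER:
        if any(f["severity"] == level for f in findings):
            return level
    return "none"


# Constructed sample policies for a function that reads reports from one bucket.
OVER_PERMISSIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "logs:CreateLogStream", "Resource": "*"},
]}
TIGHTENED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-uploads-bucket/reports/*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example-fn:*"},
]}

if __name__ == "__main__":
    for name, policy in (("over-permissive", OVER_PERMISSIVE), ("tightened", TIGHTENED)):
        # json round-trip mirrors reading the policy from a template or the API
        result = check_least_privilege(json.loads(json.dumps(policy)))
        print(name, worst_severity(result), json.dumps(result, indent=2))
```

The checker does not try to decide whether a specific action is needed; that requires knowing what the function does, which is exactly the knowledge the developer has and the provider does not. What it does catch mechanically is the shape that the article's statistic describes: grants far wider than any single function's work.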
Contrast developer tools
Contrast Security is a fast-growing security platform that offers various tools to help you secure your serverless environment from development to testing to after the production release. The following tools, all available with the unified Contrast platform, allow you to find and fix security issues quickly and easily:
- Contrast Scan — Enables you to secure your application as you develop by analyzing source code for vulnerabilities.
- Contrast SCA — Enables you to secure your applications by identifying vulnerabilities reported in open-source libraries or third-party components used as part of the application.
- Contrast Assess — Enables you to analyze application security during testing.
- Contrast Serverless — Empowers you to secure your cloud native apps and serverless environments.
- Contrast Protect — Protects your application from security breaches at runtime.
Together, these tools help you monitor your serverless environment and the different aspects of your application, from development to deployment.
Additionally, Contrast offers an easy-to-use graphical interface through which you can set up your serverless environment for security scanning in a few steps. In no time, you get visibility into your entire serverless environment, including the relationships between your serverless functions and the cloud services and components they use. With the scan results displayed in its UI, you can find and fix security issues quickly and easily.
Moreover, you can choose a particular serverless function that you’re interested in and visually inspect the results of its security scan. If there are vulnerabilities in the open-source libraries included as dependencies, if the serverless function violates the least-privilege policy, or if any other vulnerabilities are detected, they’ll be reported and can be seen through the Contrast UI.
In addition to displaying least-privilege policy violations, Contrast’s UI suggests a solution in the form of policy settings that you can apply on the serverless function to remediate the reported issue. Such an approach is better for security and allows developers to be more involved in the serverless application development lifecycle.
Managing the security of your serverless environment is crucial, but it can be complicated. Because you’re working with a cloud provider, ensuring your application is secure is a responsibility shared between your provider and you.
Contrast provides features to secure your serverless environments in a highly productive and cost-effective manner. With Contrast's easy-to-use serverless UI, powerful and informative security scan reports, and understandable graphs, you can secure your serverless environment without worrying about the risks that open-source security tools can bring.
Additionally, Contrast supports your serverless application’s security from development through deployment, making it easy to spot and prevent issues as they arise. To work safely with serverless, check out Contrast Security and keep your serverless environments — and applications — secure.