OWASP Serverless Top 10 #9: Using Components with Known Vulnerabilities
Serverless functions are usually small and used for microservices. To execute the desired tasks, they make use of many dependencies and third-party libraries. Vulnerabilities introduced through the supply chain are among the most common risks today, and attackers target code that uses vulnerable libraries as an entry point into the application. This can result in what we refer to as ‘Poisoning the Well’.
Security Weakness and Impact
This issue is very widespread. Component-heavy development patterns can lead to development teams not even knowing which components they use in their application or API, much less keeping them up to date. Dependency scanners can help with detection, but determining whether a finding is actually exploitable requires additional effort.
Most known vulnerabilities are published with their full details, which helps in determining their business impact. While most known vulnerabilities have a low impact, or affect code that the application never actually calls, some of the largest breaches to date have relied on exploiting known vulnerabilities in components.
Because each function brings a whole set of new code into the serverless application, the likelihood of (known) vulnerabilities being present is higher.
How to Prevent
Like any facet of cybersecurity, securing serverless applications requires a variety of tactics throughout the entire application development lifecycle and supply chain. However, since vulnerable dependencies are the same risk as in traditional applications, most of the best practices are still relevant:
- Continuously monitor dependencies and their versions throughout the system.
- Only obtain components from official sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component.
- Continuously monitor sources like CVE and NVD (e.g. https://nvd.nist.gov/vuln/) for vulnerabilities, or platform-based advisories like NodeSecurity, PyUp, OWASP SafeNuGet, etc.
- It is recommended to scan dependencies for known vulnerabilities using tools such as OWASP Dependency Check and Dependency Track or commercial solutions.
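As an added example (not OWASP's own code or tooling), the Python script below shows how the monitoring and scanning steps above can be automated for a function's pinned dependencies: it parses a requirements file, matches each pin against an advisory list with affected version ranges, and also flags unpinned packages, which cannot be checked at all. The requirements text, the affected ranges and the advisory ids are constructed sample data, not real advisory records.

```python
# Added example: audit a serverless function's pinned Python dependencies
# against an advisory list. All data below is constructed for illustration.
import re

# Constructed requirements file: two pinned packages and one unpinned one.
REQUIREMENTS = """\
requests==2.19.1
pyyaml==5.3.1
boto3
"""

# Constructed advisories: affected range is [introduced, fixed); ids are placeholders.
ADVISORIES = [
    {"id": "CVE-XXXX-0001 (placeholder)", "package": "requests", "introduced": "0", "fixed": "2.20.0"},
    {"id": "CVE-XXXX-0002 (placeholder)", "package": "pyyaml", "introduced": "0", "fixed": "5.4"},
]

def parse_version(v):
    """Turn '2.19.1' into (2, 19, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_requirements(text):
    """Return {package: version or None}; None marks an unpinned dependency."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(?:==\s*([0-9][\w.]*))?\s*$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps

def audit(requirements_text, advisories):
    """Return findings: pins inside an advisory's affected range, plus unpinned packages."""
    findings = []
    for name, version in parse_requirements(requirements_text).items():
        if version is None:  # an unpinned package resolves to whatever the build fetches
            findings.append({"package": name, "issue": "unpinned", "advisory": None})
            continue
        for adv in advisories:
            if adv["package"].lower() != name:
                continue
            v = parse_version(version)
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append({"package": name, "issue": f"vulnerable {version}, fixed in {adv['fixed']}",
                                 "advisory": adv["id"]})
    return findings

if __name__ == "__main__":
    for finding in audit(REQUIREMENTS, ADVISORIES):
        print(finding)
```

Run as a build or deploy gate, a non-empty result from `audit` should fail the pipeline so a vulnerable or unpinned component never reaches the function package.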