Serverless Security Threats

While the motivations of attackers remain the same, the tactics they will use with serverless applications must change. Following are some of the serverless security threats unique to this new application architecture.

The Threat of Over-Privileged Functions

With serverless apps, you have the opportunity to apply privileges to individual functions, and ensure such privileges are restricted to only the smallest scope necessary. This can enables you to significantly minimize your attack surface as well as mitigate the impact of any attack.

Unfortunately, recent research from Protego Labs found that the vast majority of developers are not taking advantage of this opportunity. Our research discovered that 98 percent of functions in serverless applications are at risk, with 16 percent considered “serious.” Additionally, most of these functions are provisioned with more permissions than they require which could be removed to improve the security of the function and the application.

When analyzing functions, Protego assigns a risk score to each function. This is based on the posture weaknesses discovered, and factors in not only the nature of the weakness, but also the context within which it occurs. After scanning tens of thousands of functions in live applications, we found that most serverless applications are simply not being deployed as securely as they need to be to minimize risks. The greatest security posture issues Protego uncovered are unnecessary permissions, while the remainder are with vulnerable code and configurations.

The Groundhog Day Attack

The fact that serverless functions are ephemeral and short lived makes it more difficult for attackers to persist in your apps long term. And this is one of the many security advantages of serverless. However, simply because this makes life more difficult for attackers doesn’t mean they will stop attacking, they simply change strategy.
The short duration of serverless functions means that serverless security threats may change shape. Attackers may craft a much shorter attack that just steals, for example, a few credit card numbers. This single round of the attack is then repeated in what we refer to as the “Groundhog Day” attack.

Poisoning the Well

Despite the short lifespans of cloud-native resources, attackers can still find ways to get long-term persistence in your app. One way attackers can circumvent the ephemerality of serverless apps is an upstream attack, or “Poisoning the Well.”

Cloud-native applications tend to comprise many modules and libraries with code from a variety of third-party sources. Attackers work to include malicious code in common projects. Then, after poisoning the well, the malicious code in your cloud apps can call home, get instructions, and wreak havoc.

Increased Time for Serverless Security Configuration

While this isn’t precisely a security “threat,” it is more a challenge and possible hindrance to your efforts to secure your serverless architecture.
Serverless conveys the benefit of increased application development velocity. Unfortunately, the traditional approach to security, where developers write code and package workloads, and security operations then puts security controls around those workloads, just won’t work for serverless.

If developers must wait on security to open ports, IAM roles, or security groups for them, the benefit of increased velocity can be quickly eroded. Too often, the solution is to remove SecOps from the equation, which could indeed be a risk.

On the other hand, configuring permissions for the myriad serverless resources and interactions between them is a time consuming task. And ‘spending’ developers’ time on that security configuration can quickly get expensive, as well as being not the ideal use of their time. Leveraging automation, such as the Protego Platform, can increase serverless security without devoting excessive amounts of developer time.

Increased Time for Security Processing

Another benefit of serverless is that you pay only for what you actually consume, which can result in reduced costs. But paying for precisely what you use means that any increases in processing time will increase costs.

Placing an excess of app sec configuration in your app could potentially add extra work to your functions, which can increase costs. While adding processing time for the sake of security is a wise investment, it must be implemented properly to avoid excessive, unnecessary cost increases.

Similar to the above Increased Time for Serverless Security Configuration, it’s not exactly a threat but more a challenge you’ll have to tackle while securing your serverless architecture.

OWASP Serverless Top 10

On November 8, 2018, The Open Web Application Security Project (OWASP) released the official OWASP Serverless Top 10 project initiated by Protego Labs. Read more about each of the 10.


Read more in our Serverless Security Guide to learn why serverless security is different, and why traditional AppSec tools are inadequate and less relevant.