Serverless frameworks have become the next big thing in application development: they let companies ship new features and functionality while focusing on innovation rather than on managing servers.
With that, new types of risks and attacks are emerging. Serverless frameworks are not less secure by default; if anything, the opposite is true. However, they are highly distributed and highly scalable, so the security risks in serverless are different, and organizations need to adopt a different mindset towards security.
Security in serverless becomes more complicated, especially if done manually, because the attack surface turns into a large number of small microservices and functions, many of which talk to third-party providers. These applications can be attacked in different ways, and as we covered previously in the critical risks for serverless applications, a number of factors are imperative for a serverless application's security.
The major change serverless frameworks bring is the code-centric approach they require. To protect a serverless application, the security tooling in place has to properly and thoroughly understand the code, rather than relying on traditional monolithic AppSec approaches such as a WAF placed around the application.
Cloud providers deliver a robust, reliable and secure platform, together with tools such as authentication, policy enforcement and auditing that can be used as part of the solution. They do not, however, enforce that an application can only do what it was designed to do and cannot be abused or attacked. Protecting a serverless application must therefore focus on what security can be installed in and around the application itself. Other elements, such as network security, still play a role in securing the cloud infrastructure but provide little value in protecting the application and its data. Note also that serverless is more than just Function as a Service (FaaS): FaaS is the key compute resource type for serverless applications, and many attacks focus on subverting these functions, but the functions are only part of the application.
An interesting serverless application hacking method we recently played with is voice-command SQL injection. Our head of security and ethical hacker, Tal Melamed, realized that he could attack an unprotected voice-enabled application (in this instance one built on Amazon's Alexa) with a basic spoken command and extract sensitive information he was not authorized to access. Such voice-enabled applications range from financial applications to utility billing.
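As an added illustration of the bug class (this is not the demo described above and not code from the original post), the Python below sketches a voice-driven balance lookup as a function handler would see it. The event shape follows the Alexa Skills Kit intent-request JSON, the `BalanceIntent` and `AccountNumber` slot names and the in-memory `accounts` table are constructed for the example, and the attack string assumes speech-to-text rendered "one thousand one or one equals one" as `1001 or 1=1`. The vulnerable handler pastes the transcribed slot into the SQL string; the hardened one validates the slot as a number and binds both values as parameters.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for the account
    store behind a voice-enabled banking skill (not the application in the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, account_no INTEGER, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", 1001, 500), ("bob", 2002, 12000), ("carol", 3003, 75)],
    )
    return conn


def make_event(spoken):
    """Constructed Alexa-style IntentRequest carrying what speech-to-text produced
    for the AccountNumber slot (slot and intent names are assumptions)."""
    return {
        "request": {
            "type": "IntentRequest",
            "intent": {
                "name": "BalanceIntent",
                "slots": {"AccountNumber": {"name": "AccountNumber", "value": spoken}},
            },
        }
    }


def slot_value(event, slot_name):
    """Pull a slot's transcribed text out of the intent request."""
    return event["request"]["intent"]["slots"][slot_name]["value"]


def balance_vulnerable(conn, user, spoken_account):
    """Vulnerable: the transcribed slot text is concatenated into the query.
    Because the column is numeric and compared without quotes, the speaker
    does not even need to pronounce a quote character to break out."""
    sql = (
        "SELECT owner, account_no, balance FROM accounts "
        f"WHERE owner = '{user}' AND account_no = {spoken_account}"
    )
    return conn.execute(sql).fetchall()


def balance_hardened(conn, user, spoken_account):
    """Hardened: the slot must parse as a plain account number, and both the
    caller identity and the account number are bound as parameters, so nothing
    the speaker says can change the shape of the query."""
    try:
        account_no = int(spoken_account)
    except (TypeError, ValueError):
        return []  # refuse anything that is not a bare number
    sql = "SELECT owner, account_no, balance FROM accounts WHERE owner = ? AND account_no = ?"
    return conn.execute(sql, (user, account_no)).fetchall()


def demo():
    """Run the honest and the injected utterance through both handlers as 'alice'."""
    conn = make_db()
    honest = slot_value(make_event("1001"), "AccountNumber")
    # Constructed transcription of "one thousand one or one equals one".
    attack = slot_value(make_event("1001 or 1=1"), "AccountNumber")
    return {
        "vuln_honest": balance_vulnerable(conn, "alice", honest),
        "vuln_attack": balance_vulnerable(conn, "alice", attack),  # every owner's row leaks
        "hard_honest": balance_hardened(conn, "alice", honest),
        "hard_attack": balance_hardened(conn, "alice", attack),  # rejected, nothing returned
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The injected utterance turns the owner check into `owner = 'alice' AND account_no = 1001 OR 1=1`, which SQLite evaluates as the whole table; a WAF in front of the function never sees the spoken text in a form it could match, which is the code-centric point the post is making.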
Another major element in attacks on serverless applications is the third-party providers mentioned above. Serverless functions talk to a multitude of third-party providers through API calls, and each of those calls becomes a potential vulnerability if its security configuration is not done right.
To summarize, serverless applications require a genuinely code-centric approach to be protected. With the different risks comes a real opportunity to apply better and far more granular security. For that, a security solution that understands what the code should do and what it can do is imperative.