Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/21/2018
11:15 AM
Guy Podjarny
Guy Podjarny
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

How Serverless Computing Reshapes Security

The new division of responsibility moves some security concerns off a business's plate while changing priorities for other risks.

Serverless computing is an exciting new approach in the world of cloud infrastructure that lets developers write small code functions and publish them to the cloud, where the platform runs them on demand. This new model overhauls many aspects of operations and unlocks opportunities for cost reduction, and large and small organizations are trying it out.

Alongside its operations impact, serverless computing and its underlying function-as-a-service (FaaS) platform also carry significant security implications. The new division of responsibility moves some security concerns off a business's plate while simultaneously magnifying or shuffling priorities for other risks.

Risks You Can Worry About Less
First and foremost, serverless computing, as its names implies, lowers the risks involved with managing servers. While the servers clearly still exist, they are no longer managed by the application owner, and are instead taken care of by the cloud platform operators — for instance, Google, Microsoft, or Amazon. Efficient and secure handling of servers is a core competency for these platforms, and so it's far more likely they will handle it well.

The biggest concern you can eliminate is  addressing vulnerable server dependencies. Patching your servers regularly is easy enough on a single server but quite hard to achieve at scale. As an industry, we are notoriously bad at tracking vulnerable operating system binaries, leading to one breach after another. Stats from Gartner predict this trend will continue into and past 2020. With a serverless approach, patching servers is the platform's responsibility.

Beyond patching, serverless reduces the risk of a denial-of-service (DoS) attack. No server management also means no capacity management, as FaaS automatically provisions ad hoc servers to meet incoming demand. Such optimal scaling reduces the chance of an outage, including one attempted deliberately through a DoS attack. Attacks trying to take down a server will be stopped, as the platform kills the crippled server within seconds alongside launching new ones for new clients. Serverless computing won't help against a high-volume distributed DoS attack, but the risk and damage of a DoS attack is greatly diminished.

Lastly, FaaS offers an opportunity to apply fine grain permission control. Each deployed function has to be granted explicit access to data, services, and other functions, and similar policies control who can invoke each function in the first place. Since functions are smaller than full applications, we can greatly reduce the number of code paths that access our sensitive data, as well as reduce the damage an attacker can do following a successful exploit. This granularity offers a great security opportunity, but it requires additional effort in configuring and maintaining such accurate policies.

The Risks That Bubble to the Top
Unfortunately, every architecture has its flaws, and serverless computing also triggers an increase in certain risks, caused by the statelessness and flexibility that also make it shine. In addition, by mitigating the above concerns, serverless computing draws attacker attention to other attack vectors, which remain open.

The first concern to grow with FaaS is the moving and storage of data. Since serverless forces all functions to be stateless, sensitive cached data, such as user sessions and negotiated keys, cannot be kept in memory and must be moved and stored in an external location. Moving the data risks leaking it in the process, and storing the data elsewhere requires security controls on the new database, and may have compliance implications as well. These data concerns are not new ones, but since data is moved and stored more often, the risk of a security failure grow.

Beyond data, serverless apps also make greater use of third-party services. Due to its event-driven nature, as well as the mentioned requirement that functions remain stateless, serverless applications rely more heavily on third-party services than typical apps. These services may be offered by the cloud platform itself or by external providers, and range from authentication to storage to email and messaging services. Each interaction with a third party needs multiple security controls, and the eventual dependency chain carries the risk of being as strong as its weakest link.

This third-party risk also applies to software, in the form of vulnerable open source libraries. Similar in nature to server dependencies, vulnerable application dependencies can cause serious harm, as demonstrated in Equifax being breached through a vulnerable Java library. Functions make heavy use of these libraries, most commonly pulled from npm and PyPI, and many FaaS platforms fetch them as part of their built-in provisioning. The platforms do not, however, manage these dependencies, which means you must monitor for known vulnerabilities in application dependencies yourself to remain secure.

Last but not least, a serverless approach increases your attack surface. Breaking up your applications into small functions allows for great flexibility as you combine functions in different ways but also exposes great risk. Functions may be invoked in many different execution sequences, and they can't rely on input validation, authorization, or similar controls to have already happened. To properly secure a FaaS application, make sure each function maintains its own perimeter, and invest in security libraries and processes that help make such defense in depth easier.

Is Serverless Better for Security?
Serverless computing offers an incredible opportunity accelerating the pace we develop applications while dramatically reducing the cost of operating them. With the powerful benefits it brings to the table, it seems clear it is here to stay, and its adoption will rapidly grow.

Like many things, a serverless approach doesn't clearly improve or worsen security; it simply changes priorities. Notably, it reduces the security concerns revolving servers and raises the ones related to applications. In a serverless context, worry less about capacity planning and server dependencies and more about moving data, applying permissions, and managing vulnerable application dependencies.

By adjusting our priorities and focusing on these updated concerns, we can make the reduction of servers lead to a reduction of risk.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 security track here. Save $200 off your conference pass with Promo Code DR200.

 

Guy Podjarny is CEO & Co-Founder at Snyk.io, focusing on securing the Node.js and npm world. Guy was previously CTO at Akamai, founded Blaze.io (acquired by Akamai), helped build the first Web app firewall and security code analyzer, and was in the Israeli army cyber units. ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16770
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
CVE-2019-19609
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
CVE-2019-16768
PUBLISHED: 2019-12-05
Exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation m...
CVE-2012-1105
PUBLISHED: 2019-12-05
An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner.
CVE-2019-16769
PUBLISHED: 2019-12-05
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash...