Serverless computing has become the fastest-growing segment in the cloud services market. The benefits are clear and significant: cost savings and lower operational overhead, while development teams keep full control over their code and gain flexibility in the infrastructure.
This also means that, in terms of security, developers and DevOps teams are now front and center, taking on vulnerability management and patching for both first and third-party libraries. Depending on the level of maturity, enterprise security teams use either traditional controls or cloud security posture management (CSPM) to protect serverless functions. While attempting to solve a portion of the problem, these approaches often leave significant security holes and management challenges.
Although traditional perimeter-based security methods such as Web Application Firewalls (WAF) are effective in protecting against incoming threats, such as the OWASP Top 10, they do not cover all entry points to a serverless function. For starters, not all serverless functions serve web applications, and functions that access sensitive resources are not necessarily public facing. This opens up the possibility of Server Side Request Forgery (SSRF) attacks, in which malicious onward requests appear to originate from the organization hosting the vulnerable application. Imperva is a market leader in WAF, but serverless functions require a different approach to security.
Another common approach to securing serverless environments is using insights from a CSPM tool. While this is partially effective in identifying vulnerabilities, mitigating them often requires manual code and configuration changes. This increases time-to-market and takes valuable resources from development teams who could otherwise work on features that add value or generate revenue. Additionally, these tools are often ineffective at detecting vulnerabilities that have not yet made it to a vulnerability database, leaving functions susceptible to zero-day attacks.
So what does mitigate attacks in serverless environments?
Going beyond visibility
The ability to not only detect, but block vulnerabilities from first and third-party code is crucial to managing a secure serverless environment at scale. A monolithic application often breaks up into hundreds of serverless functions, owned and reused by several teams. The ability to automatically mitigate, without code changes, is the difference between being stuck with a long vulnerability backlog and a secure serverless environment.
Deny by default
With the increase in supply chain attacks, it’s important to enforce zero trust, both inside and outside the network. One key advantage of serverless functions is their modularity. A function is supposed to perform one small task and hand off to the next service, which makes a positive security model (deny everything that is not explicitly allowed) much easier to implement and enforce than in monolithic applications, which change constantly.
Full visibility of the attack surface, and context of each event, gives developers and DevOps teams the ability to proactively defend against weaknesses in serverless functions.
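One way to express the positive security model described above for a function's outbound calls, as an added example that is not Imperva's product code: every destination the function is allowed to reach is listed explicitly, and anything else (including IP-literal hosts, the usual SSRF target) is denied and logged. The allow-list, the event shape and the handler name are hypothetical.

```python
"""Deny-by-default outbound policy for a serverless function (added example).

A positive security model: only destinations explicitly listed are allowed;
everything else is denied. The allow-list and event shape are hypothetical.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed allow-list: (scheme, host, port) triples this function may call.
ALLOWED_DESTINATIONS = {
    ("https", "api.payments.example", 443),
    ("https", "inventory.internal.example", 8443),
}


def evaluate_outbound(url: str) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not on the allow-list is denied."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # already lower-cased by urlsplit
        port = parts.port              # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme not in ("http", "https") or not host:
        return False, "unsupported scheme or missing host"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # IP literals never match a hostname entry, so they would be denied anyway;
    # naming the reason explicitly makes the audit log more useful.
    try:
        ipaddress.ip_address(host)
        return False, "ip-literal destination"
    except ValueError:
        pass
    if parts.username or parts.password:
        return False, "credentials in url"
    key = (parts.scheme, host, port)
    if key in ALLOWED_DESTINATIONS:
        return True, "allow-listed"
    return False, f"not allow-listed: {key}"


def handler(event, context=None):
    """Hypothetical Lambda handler: fetches the URL in the event only if policy permits."""
    url = event.get("url", "")
    allowed, reason = evaluate_outbound(url)
    if not allowed:
        # Denied calls are logged with context so the team can review or extend the list.
        print(f"DENY outbound url={url!r} reason={reason}")
        return {"statusCode": 403, "body": reason}
    return {"statusCode": 200, "body": f"would fetch {url}"}  # real fetch omitted
```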
Imperva Serverless Protection is fully integrated into AWS Lambda and can be quickly deployed to secure your serverless environment. What’s more? It’s available for free for the remainder of 2021. Request access by clicking here.