
What is the OWASP Serverless Top Ten?

The Open Web Application Security Project (OWASP) is an online community of application security experts producing resources that are globally recognized as a secure foundation upon which to build modern applications. The OWASP Top 10 has become a security standard for web application development, representing the consensus of the most critical security risks to web applications.

Wiz Experts Team

Below, we review the OWASP Serverless Top Ten, which aims to give consumers an overview of the most critical security considerations when deploying serverless technologies, together with basic techniques for mitigating the associated risks.

The Serverless Top Ten

Using serverless technology means not having to provision or manage a server to host applications and services. It also means taking advantage of the shared responsibility model and letting cloud providers handle some security threats on our behalf, as well as enjoying reduced costs, since serverless code only runs when needed, and consistent performance, since capacity scales dynamically with demand.

The weak link in the serverless chain is the application code. If insecure code is run in a serverless environment, the risks are identical to those on physical servers or virtual machines: application-level attacks and exploits remain entirely possible. The OWASP Serverless Top Ten looks at attack vectors and security vulnerabilities, the business risks of a successful serverless exploit, and the impact should those risks be realized. As you will see, some mitigation techniques are similar to those used for physical assets and virtual machines in the cloud, while others are designed specifically for serverless applications.

  1. Injection: The injection attack surface increases in serverless applications, and with it the severity of the vulnerability. An API call is no longer the only route into an application, since serverless functions can be triggered by email, SMS, IoT devices, and many other sources. Scripts designed to exploit this vulnerability will be targeted at your code or at exposed secrets, and success could grant an attacker the permissions the serverless function holds for cloud storage, as well as for other systems and services.
    Prevent it by validating input against an allowlist, trusting only known sources and resources, running functions under the principle of least privilege, and using runtime defense solutions to monitor for and prevent attacks.

  2. Broken Authentication: Serverless sees one authentication flow replaced by a number of functions running separately. Attackers are likely to target public cloud storage or open APIs, as well as using spoofed emails to trigger functions without authentication. Access without authentication can result in data leakage, as well as disruption to business services.
    Prevent it by using cloud vendor-provided authentication solutions, using federated services where possible, as well as encrypting channels, using certificates, and managing passwords and keys effectively.

  3. Sensitive Data Exposure: Compromised keys, man-in-the-middle attacks, and stealing unencrypted data apply equally to serverless environments as they do to traditional architectures, but the target changes from the server to cloud storage and databases. Exposed secrets, source code, and /tmp directories provide a rich opportunity for the malicious actor.
    Prevent it by identifying and classifying data, minimizing the storage of sensitive data, using strong encryption as well as HTTPS for endpoints, and managing passwords and keys effectively.

  4. XML External Entities (XXE): XML processors may present XXE vulnerabilities, with older implementations allowing URIs that are evaluated and dereferenced during processing. Compromise here could lead to function code or sensitive data leakage.
    Prevent it by using cloud-vendor SDKs, scanning your supply chain for known vulnerabilities, testing for XXE vulnerabilities in API calls, and disabling entity recognition.

  5. Broken Access Control: Stateless serverless architectures composed of multiple microservices present a greater attack surface to an attacker. Over-privileged functions, if compromised, could permit unauthorized access to resources, which could lead to data loss or loss of service.
    Prevent it by following the principle of least privilege, automating permission configuration, and following cloud security best practices.

  6. Security Misconfiguration: Unlinked triggers, unencrypted files, and misconfigured functions with long timeouts or low concurrency limits as well as exposed secrets represent easy routes in for the attacker. Compromise could mean data loss, financial impact, DDoS, and reputational damage.
    Prevent it by regularly scanning accounts for public resources, checking functions for unlinked triggers, setting timeouts, and using automated tools to detect misconfiguration.

  7. Cross-Site Scripting (XSS): XSS attack sources increase in serverless. Where previously a database was likely to be the origin of such a compromise, in serverless it could be any function trigger. This could lead to identity compromise, and onward to unauthorized access based on permissions granted.
    Prevent it by encoding all untrusted data before transmission to a client, and using known frameworks and headers.

  8. Insecure Deserialization: Use of dynamic languages like Python with serialized data types may make deserialization attacks more common in serverless implementations. This may result in arbitrary code being executed that leads to data leakage or account control.
    Prevent it by validating serialized objects and enforcing type constraints, reviewing third-party libraries for vulnerabilities, and monitoring for possible attacks.

  9. Using Components with Known Vulnerabilities: Vulnerabilities introduced via the supply chain are a common risk in a world where third-party library use is commonplace. Targeting vulnerable code can provide an attacker with an entry point, ‘poisoning the well’ and enabling an upstream attack. Once a component is compromised, the attacker need only wait for the code to be used by cloud applications. This risk is widespread, as is the lack of awareness of which components are in use, and some of the largest breaches reported have originated in known vulnerabilities.
    Prevent it with continuous vulnerability scanning of local and third-party locations using commercial tools, tracking dependencies, and limiting repository access to an approved list.

  10. Insufficient Logging and Monitoring: Malicious actors thrive in the absence of monitoring and incident response. The lack of logging and monitoring can allow attackers to roam free, permitting them time to achieve their goals as well as preparing for future attacks.
    Prevent it by using the monitoring tools provided by your cloud vendor to detect unusual behavior, and by deploying a logging and monitoring solution to cover the areas beyond the core cloud technologies.
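Item 1 in practice: an added example (not code from the original article or from OWASP) of a Python function handler fired by an SMS-style trigger, shown once trusting the message body and once with allowlist validation plus a parameterized query. The event shape, the order ids and the in-memory SQLite table are all constructed stand-ins.

```python
import re
import sqlite3

# Constructed sample: an SMS-style trigger event, not any provider's real payload.
SMS_EVENT = {"source": "sms", "sender": "+15550100", "body": "STATUS ord-1042"}

# Allowlists: only these commands and only this order-id shape are accepted.
ALLOWED_COMMANDS = {"STATUS", "CANCEL"}
ORDER_ID_RE = re.compile(r"ord-[0-9]{1,8}")


def make_db():
    """In-memory stand-in for the cloud database the function would query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id TEXT PRIMARY KEY, status TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [("ord-1042", "shipped"), ("ord-7", "pending")])
    return db


def handler_vulnerable(event, db):
    """Trusts the message body and splices it straight into SQL."""
    _, order_id = event["body"].split(" ", 1)
    rows = db.execute(f"SELECT status FROM orders WHERE id = '{order_id}'").fetchall()
    return [r[0] for r in rows]


def handler_hardened(event, db):
    """Allowlists the command and the id shape, then binds the id as a parameter."""
    parts = event["body"].strip().split()
    if len(parts) != 2 or parts[0].upper() not in ALLOWED_COMMANDS:
        raise ValueError("rejected: unknown command")
    order_id = parts[1]
    if not ORDER_ID_RE.fullmatch(order_id):
        raise ValueError("rejected: malformed order id")
    rows = db.execute("SELECT status FROM orders WHERE id = ?", (order_id,)).fetchall()
    return [r[0] for r in rows]


def is_rejected(handler, event):
    """True if the handler refuses the event instead of running a query."""
    try:
        handler(event, make_db())
    except ValueError:
        return True
    return False
```

The hardened handler never reaches the database for a body that fails the allowlist, so the permissions the function holds cannot be borrowed through the trigger.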
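Item 4 in practice: an added example (not from the original article) of parsing XML arriving through a function trigger with Python's standard expat parser while refusing any DTD or entity declaration, so no entity can be declared for the parser to dereference. Both XML samples are constructed; the URI in the second one is a placeholder.

```python
import xml.parsers.expat

# Constructed sample payloads (not captured from any real system).
SAFE_XML = b'<?xml version="1.0"?><order><id>ord-1042</id></order>'
DTD_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///not-a-real-path">]>'
           b'<order><id>&ext;</id></order>')


class DtdForbidden(ValueError):
    """Raised when untrusted XML carries a DTD or an entity declaration."""


def _forbid_doctype(doctype_name, system_id, public_id, has_internal_subset):
    raise DtdForbidden(f"DOCTYPE '{doctype_name}' not allowed in untrusted input")


def _forbid_entity(entity_name, is_parameter_entity, value, base,
                   system_id, public_id, notation_name):
    raise DtdForbidden(f"entity '{entity_name}' not allowed in untrusted input")


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse trigger XML into {tag: text}, aborting on the first DTD construct."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid_doctype
    parser.EntityDeclHandler = _forbid_entity
    fields, stack = {}, []
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()

    def on_text(text):
        # expat may deliver text in chunks, so append to the current element.
        if stack and text.strip():
            fields[stack[-1]] = fields.get(stack[-1], "") + text

    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return fields


def accepts(data: bytes) -> bool:
    """True if the document is parsed, False if it was refused for carrying a DTD."""
    try:
        parse_untrusted_xml(data)
        return True
    except DtdForbidden:
        return False
```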
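Items 5 and 6 in practice: an added example (not from the original article) that audits a constructed inventory of serverless functions for the over-privileged permissions of item 5 and the long timeouts and unlinked triggers of item 6. The function records, the IAM-style policy documents and the 60-second timeout limit are all assumptions made for the example.

```python
# Constructed function inventory with IAM-style policies; no real account data.
FUNCTIONS = [
    {"name": "order-status", "timeout_s": 10, "triggers": ["sms-topic"],
     "policy": {"Statement": [{"Effect": "Allow",
                               "Action": ["db:GetItem"],
                               "Resource": "arn:example:table/orders"}]}},
    {"name": "nightly-export", "timeout_s": 900, "triggers": [],
     "policy": {"Statement": [{"Effect": "Allow",
                               "Action": "*", "Resource": "*"}]}},
]

MAX_TIMEOUT_S = 60  # assumed organisational limit, not a provider default


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict) -> list:
    """Flag Allow statements that grant more than one function should hold."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append("wildcard action")
        if any(r == "*" for r in _as_list(statement.get("Resource", []))):
            findings.append("wildcard resource")
    return findings


def audit_function(fn: dict) -> list:
    """Return every misconfiguration finding for one function record."""
    findings = policy_findings(fn["policy"])
    if fn["timeout_s"] > MAX_TIMEOUT_S:
        findings.append(f"timeout {fn['timeout_s']}s exceeds {MAX_TIMEOUT_S}s")
    if not fn["triggers"]:
        findings.append("no linked trigger")
    return findings


def audit_all(functions=FUNCTIONS) -> dict:
    """Map each function name to its findings; an empty list means clean."""
    return {fn["name"]: audit_function(fn) for fn in functions}
```

Running such a check in the deployment pipeline is one way to automate the permission configuration the article recommends.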
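Item 8 in practice: an added example (not from the original article) of deserializing a function's input with a data-only format and enforcing an explicit type schema before the object is used. The order schema and the sample payloads are constructed for the example.

```python
import json

# Assumed schema: the only object shape this function accepts, field -> type.
ORDER_SCHEMA = {"id": str, "quantity": int, "gift": bool}


class InvalidPayload(ValueError):
    """Raised when a serialized object does not match the expected shape."""


def load_order(raw: str) -> dict:
    """Deserialize with JSON and enforce the schema.

    json.loads returns plain data only; it never reconstructs arbitrary
    objects the way pickle-style formats do. The checks below then reject
    unexpected keys, missing keys, wrong types and out-of-range values.
    """
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise InvalidPayload(f"not valid JSON: {exc.msg}") from None
    if not isinstance(obj, dict):
        raise InvalidPayload("top-level value must be an object")
    extra = set(obj) - set(ORDER_SCHEMA)
    missing = set(ORDER_SCHEMA) - set(obj)
    if extra or missing:
        raise InvalidPayload(f"unexpected keys {sorted(extra)}, missing {sorted(missing)}")
    for key, expected in ORDER_SCHEMA.items():
        # bool is a subclass of int, so compare the exact type, not isinstance().
        if type(obj[key]) is not expected:
            raise InvalidPayload(f"field {key!r} must be {expected.__name__}")
    if obj["quantity"] <= 0:
        raise InvalidPayload("quantity must be positive")
    return obj


def load_order_or_none(raw: str):
    """Convenience wrapper returning None instead of raising on bad input."""
    try:
        return load_order(raw)
    except InvalidPayload:
        return None
```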

Securing Serverless Environments

Securing serverless environments calls for a continuous vulnerability scanning and configuration management solution that protects the application lifecycle from source code to end-of-life. Wiz provides automated vulnerability scanning of PaaS, virtual machines, containers, and serverless functions, scaling to your cloud environment without performance impact.
