Below, we review the top ten vulnerabilities for serverless, which aims to provide consumers with an overview of the most critical security considerations for the deployment of serverless technologies as well as basic techniques to mitigate associated risks.
The Serverless Top Ten
Using serverless technology means not needing a server to host applications and services. It also means taking advantage of the shared responsibility model and letting cloud providers take care of some of the security threats on our behalf, as well as enjoying reduced costs as serverless only runs when needed, and consistent performance owing to dynamic scaling with demand.
The weak link in the serverless chain is the application code. If insecure code is run in a serverless environment, the risks are identical to physical servers or virtual machines. Application-level attacks and exploits remain entirely possible. The OWASP serverless top ten looks at attack vectors and security vulnerabilities as well as the business risks of a successful serverless exploit, and impact should those risks be realized. As you will see, some mitigation techniques are similar to those used for physical assets and virtual machines in the cloud, while others are designed specifically for serverless applications.
Injection: The injection attack surface increases in serverless applications, and with it the severity of the vulnerability. No longer is an API call the only route into an application, with serverless functions triggered by Emails, SMS, IoT, and many more. Scripts designed to exploit this vulnerability will be targeted at your code rather or exposed secrets, and success could grant an attacker the permissions the serverless function has to cloud storage, as well as other systems and services.
Prevent it by whitelisting input validation, as well as trusted sources and resources, running functions using the principle of least privilege, and using runtime defense solutions to monitor and prevent attacks.
Broken Authentication: Serverless sees one authentication flow replaced by a number of functions running separately. Attackers are likely to target public cloud storage or open APIs, as well as using spoofed emails to trigger functions without authentication. Access without authentication can result in data leakage, as well as disruption to business services.
Prevent it by using cloud vendor-provided authentication solutions, using federated services where possible, as well as encrypting channels, using certificates, and managing passwords and keys effectively.
Sensitive Data Exposure: Compromised keys, man-in-the-middle attacks, and stealing unencrypted data apply equally to serverless environments as they do to traditional architectures, but the target changes from the server to cloud storage and databases. Exposed secrets, source code, and /tmp directories provide a rich opportunity for the malicious actor. Prevent it by identifying and classifying data, minimizing the storage of sensitive data, using strong encryption as well as HTTPS for endpoints, and managing passwords and keys effectively.
XML External Entities (XXE): XML processors may present XXE vulnerabilities, with older implementations allowing URIs that are evaluated and dereferenced during processing. Compromise here could lead to function code or sensitive data leakage.
Prevent it by using cloud-vendor SDKs, scanning your supply chain for known vulnerabilities, testing for XXE vulnerabilities in API calls, and disabling entity recognition.
Broken Access Control: Stateless serverless architectures composed of multiple microservices provide a greater attack surface for an attacker. Over-privileged functions, if compromised, could permit unauthorized access to resources, which could lead to data loss or loss of service. Prevent it by following the principle of least privilege, automating permission configuration, and followingcloud security best practices.
Security Misconfiguration: Unlinked triggers, unencrypted files, and misconfigured functions with long timeouts or low concurrency limits as well as exposed secrets represent easy routes in for the attacker. Compromise could mean data loss, financial impact, DDoS, and reputational damage.
Prevent it by regularly scanning accounts for public resources, checking functions for unlinked triggers, setting timeouts, and using automated tools to detect misconfiguration.
Cross-Site Scripting (XSS): XSS attack sources increase in serverless. Where previously a database was likely to be the origin of such a compromise, in serverless it could be any function trigger. This could lead to identity compromise, and onward to unauthorized access based on permissions granted.
Prevent it by encoding all untrusted data before transmission to a client, and using known frameworks and headers.
Insecure Deserialization: Use of dynamic languages like Python with serialized data types may make deserialization attacks more common in serverless implementations. This may result in arbitrary code being executed that leads to data leakage or account control.
Prevent it by validating serialized objects and enforcing type constraints, review third-party libraries for vulnerabilities, and monitor for possible attacks.
Using Components with Known Vulnerabilities: Vulnerabilities introduced via the supply chain is a common risk in a world where third-party library use is commonplace. Targeting vulnerable code can provide an attacker with an entry point, ‘poisoning the well’ and enabling upstream attack. Once compromised, the attacker need only wait for the code to be used by cloud applications. This is widespread, with a lack of awareness of components in use widespread, and some of the largest breaches reported have originated in known vulnerabilities.
Prevent it with continuous vulnerability scanning of local and third-party locations using commercial tools, tracking dependencies, and limiting repository access to an approved list.
Insufficient Logging and Monitoring: Malicious actors thrive in the absence of monitoring and incident response. The lack of logging and monitoring can allow attackers to roam free, permitting them time to achieve their goals as well as preparing for future attacks.
Prevent it by using monitoring tools provided by your cloud vendor to detect unusual behaviors, and deploy a logging and monitoring solution to cover the areas beyond the core cloud technologies.
Securing Serverless Environments
Securing serverless environments calls for a continuous vulnerability scanning and configuration management solution that protects the application lifecycle from source code to end-of-life. Wiz provides automated vulnerability scanning of PaaS, virtual machines, containers, and serverless functions, scaling to your cloud environment without performance impact.