Recently, Gartner released its September 2018 Security Considerations and Best Practices for Securing Serverless PaaS, which focuses on enterprise adoption of serverless platforms and how this impacts enterprise security. Gartner acknowledges Twistlock as an Example Vendor With Solutions Supporting Serverless Security.*
In Security Considerations and Best Practices for Securing Serverless PaaS, Gartner shares:
“Developers are embracing serverless computing to extend and integrate cloud applications and lower costs, and as a lower-friction way to develop and deploy code. Security and risk management leaders should adopt best practices to address visibility and control gaps created by serverless computing.”
Enterprises are embracing serverless as a way to lower costs and promote speedier software delivery. At the same time, there are key security concerns that should be discussed.
What to know about securing serverless
Gartner’s research highlights key concerns for enterprises looking to better understand and adopt serverless as part of their application modernization strategy. Here are a few topics that stand out to us:
1. Developers impact the serverless security paradigm: Because developers are the primary drivers of serverless adoption, enterprises need to find ways to work with and alongside development and devops teams. This includes not just finding the right, non-invasive security tools, but building and enhancing processes, documented best practices, and workflows and requirements for running serverless applications.
2. Misconfigurations, outdated libraries, and known vulnerabilities are a starting point to secure serverless applications: Gartner offers concrete data surrounding this point. In Security Considerations and Best Practices for Securing Serverless PaaS, Gartner shares:
“By 2021, 90% of enterprises using IaaS will also use some serverless PaaS in production, up from 10% at YE17. Through 2022, 80% of successful attacks on serverless PaaS will have a root cause of misconfiguration or the use of known vulnerable code due to immature tools and processes.”
In May of this year, The Register offered insights about potential compromise of serverless applications stating, “Beyond business logic manipulation, every function may have security vulnerabilities, and many likely do. Depending on the functions’ permissions, attackers can exploit such vulnerabilities to steal customer data, steal CPU cycles for Bitcoin mining, or penetrate deeper parts of your network…you need to be diligent in patching your functions at scale and repeatedly updating them before attackers exploit them.”
Scanning functions, both as part of the build and continuously monitoring them in your environments, becomes a core requirement to gain visibility into potential risk. Additionally, putting best practices in place to avoid misconfigurations is essential. For example, properly encrypting environment variables and implementing permissions correctly are a few of the essential requirements that we have discussed here at Twistlock.
3. Understand the differing approaches to protecting serverless apps at runtime: Different vendors are embracing different methods when protecting serverless functions.
Having developers add security code to their libraries: This approach puts the work in the hands of developers — forcing or expecting them to change their process or existing workflows. Additionally, by tightly intertwining the security capability into the app, it can make debugging more difficult and introduce compatibility problems when attempting to adopt new component versions.
Code injection approaches during development or instantiated at runtime: Several vendors are focusing on injecting code to provide runtime protection for serverless functions. These approaches require proper architecting to ensure that applications aren’t hindered by performance issues or scalability problems. I’ll be talking about Twistlock’s approach and benefits below.
The Twistlock approach to securing serverless
Twistlock provides a full lifecycle approach to securing serverless applications by providing vulnerability scanning as developers build their functions, continuously monitoring serverless functions for new vulnerabilities and compliance risks, and providing runtime protection via our non-invasive approach.
In the example above, Twistlock identifies information about a vulnerability in a Java jar as well as the Vendor Status which will let the developer know if there is a patch available or if the vendor still needs to provide a fix. This capability mirrors our general approach for scanning VMs, images, and containers. Twistlock provides vulnerability scanning of functions both in the development phase through our CI integrations, as well as after they’re pushed to the cloud provider’s repositories.
Once vulnerabilities have been identified and corrected, protecting a function with Twistlock is a simple, easily automated process. No one – neither developers nor security teams – ever need to edit or change the function by hand. Instead, simply run a single twistcli command, twistcli serverless embed, to embed runtime defense into the function. Customers often make this simple process part of the CI flow so it happens automatically when builds pass.
Runtime protection leverages Twistlock Serverless Defender — a small init binary that starts when your function starts, immediately invokes your actual function code, and continuously ensures that only that normal function code is allowed to execute. Twistlock doesn’t force developers to change anything about their current build process and allows security teams to manage policies from within their central Twistlock Console. This way, developers aren’t responsible for setting policies and can’t override them, so your security team can ensure that control requirements are met across the environment.
Serverless Defender always logs directly back to Console, in addition to platform logging services like AWS CloudWatch, where data can be viewed in the existing Console UI and alerts can be sent to all our alerting providers like email, JIRA, Slack, and syslog.
Conclusion and related posts
We hope this post serves as one key step in better understand a few of the requirements for securing serverless applications and how Twistlock offers a scalable and secure approach. To learn more about securing serverless applications, check out our related content:
- Introduction to Serverless Security
- How Serverless Changes the Security Paradigm
- Serverless Comparison: Lambda vs. Azure vs. GCP vs. OpenWhisk
*Gartner, Inc., Security Considerations and Best Practices for Securing Serverless PaaS, Neil MacDonald, 4 September 2018.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.
Five Best Practices for API SecurityRead the Blog
When On-Premise Serverless Beats the CloudRead the Blog
Kubernetes AuditSink: Real-time K8s Audits and ForensicsRead the Blog
Native Helm Charts for Frictionless Kubernetes DeploymentsRead the Blog
How Knative Can Unite Kubernetes and ServerlessRead the Blog