Serverless Security 101

Understanding Risks and How to Secure Serverless Applications

Serverless adoption is growing

According to The New Stack, over 75 percent of organizations are already using or planning to use serverless in the next 18 months.* From AWS Lambda to Google Cloud Functions to Microsoft Azure Functions and Knative, enterprises have more cloud provider options than ever before when integrating serverless into their application portfolio.

What is serverless?

Serverless computing provides a way to deploy snippets of code (functions) that are triggered by predefined events. When serverless technology is deployed correctly, it can save money, time, and resources, all while allowing developers to focus on writing code rather than solving infrastructure issues. Developers don't need to think about the underlying infrastructure, just their code and the corresponding business logic. Serverless lowers financial costs by scaling to zero: when applications aren't running, they don't consume computing resources.

Serverless allows enterprises to run snippets of code in the cloud.

Security concerns for serverless applications

Serverless computing removes a number of traditional application security concerns because those responsibilities (patching the host OS, the runtime, and the underlying infrastructure) are transferred to your cloud provider. At the same time, users remain responsible for the code they deploy to these platforms, for its dependencies, and for the permissions and configuration they give it.

Visibility into and identification of vulnerabilities: Traditional vulnerability scanning and security tools often aren’t designed to support serverless microservices, making it difficult to assess vulnerabilities and risk posture of serverless functions. Infrastructure teams and security architects need tools that are purpose-built for this new cloud native computing paradigm.

Denial-of-Service attacks: If an attacker can find a way to trigger a vast number of serverless events, they can not only disrupt legitimate services but also consume, and bill you for, your cloud computing resources. Concurrency limits and rate limiting on the triggering endpoints are the usual controls.

Dependencies on external resources: Many serverless workloads are designed in such a way that they rely heavily on external resources, such as databases or third-party libraries. These dependencies create additional potential security risks, especially if teams don’t understand them well.

Access control risks: Striking the right balance for access control can be a challenge for serverless functions. Developers need functions to access the external resources they rely on, but they also need to avoid granting access that a function shouldn't have. Granting the right level of access requires careful review of each function's needs and should be as minimal as possible: scope the function's role to the specific actions and resources it uses rather than service-wide or wildcard grants. For example, if your function doesn't need to talk to your database, make sure it's on a separate virtual network and has no database permissions at all.

Continual function inventory and compliance: As developers continue to deploy functions, security teams may struggle to identify all the functions running and how they affect their organization's compliance goals and overall security posture. Tools that can quickly and continually identify serverless repos and running functions provide value to today's enterprises.



Secure Your Serverless Functions with Twistlock

Twistlock provides serverless security capabilities for applications using AWS Lambda, Azure Functions, and Google Cloud Functions. Ensure that your functions are free from risk and safe from threats at every stage of the app lifecycle.

  • Scan your serverless repos to identify vulnerabilities in your application frameworks, along with risk factors and remediation guidance.

  • Integrate vulnerability scanning into CI/CD pipelines to assess the security of your functions as part of build and deploy jobs. Simple scripting interfaces and user-defined pass / fail vulnerability thresholds make it easy to ensure security is a required part of publishing any function.

  • Protect serverless functions from attacks at runtime — all under the same console used for the rest of the cloud native stack. Easily deployed with no manual code changes required, Twistlock ensures all functions, no matter how ephemeral, are defended against threats.