Serverless Computing: Security and Challenges

By
Febna V M
Published on
31 May 2021
7 min read
InfoSec

Serverless computing is a new economic model to cloud computing that has proven popular and has emerged to be a boon to many companies.

Digging back to the history of software deployment, there were physical servers in which system administrators would be preparing them for software installation. This was a cumbersome and expensive undertaking.

Later on, developers were able to target a simulated server and virtual machines which enhanced the flexibility of migrations and made deployment much easier.

The follow-up to virtual machines was containerized deployment, which provided a lightweight environment using technologies like Docker, OpenVZ, LXC, FreeBSD zones and Solaris jails, etc. Unlike the above-mentioned deployment mechanisms, serverless promises to give us another level of abstraction. A serverless provider allows users to write and deploy code without worrying about the underlying infrastructure.

Types of serverless infrastructures

Serverless architectures are cloud-based and service-based. This means that, instead of provisioning and managing their own servers, organizations buy cloud computing services such as the following:

  • Software as a Service, or SaaS, delivers centrally hosted and managed software on-demand to end-users over the internet (e.g, Slack, Jira, Salesforce, HubSpot, etc).

  • Infrastructure as a Service, or IaaS, delivers resources such as networks, data storage, and computers which must be managed by the end-users and offers essential compute, storage and networking resources on-demand, on a pay-as-you-go basis.

  • Platform as a Service, or PaaS, builds on IaaS by allowing users to deploy and run applications on managed platforms. Deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications.

  • Function as a Service, or FaaS, is a specialized type of PaaS that allows users to develop, manage, and run application functions on managed platforms (e.g, AWS Lambda) without the complexity of building and maintaining the infrastructure.

The term ‘serverless’ is somewhat misleading, as there are still servers providing these backend services, but all of the server space and infrastructure concerns including capacity management, patching, and availability are handled by the vendor. It’s just that enterprises can build back-end applications without being directly involved in maintaining and securing servers.

Serverless computing allows developers to purchase backend services on a flexible ‘pay-as-you-go’ basis, meaning that developers only have to pay for the services they use.

The security of serverless architectures is ensured for the most part by the Cloud service provider (CSP). They handle the security of the infrastructural computing components of serverless technology. This is why serverless technology is regarded as relatively more secure than other cloud computing models.

How does a serverless environment reduce the attack surface?

Using a serverless environment can reduce the attack surface. We would only need to focus on the topmost application layer in the OSI (Open Systems Interconnection) model. Maintaining and patching up the security loopholes is assigned to the cloud provider.

Let’s take a look at some of the major responsibilities of the cloud provider:

  • Patching the infrastructure periodically.

  • Securely configuring the infrastructure with the proper security settings to protect itself.

  • Setting up the proper account management for the infrastructure.

  • Ensure that it only uses currently supported operating systems and software runtimes.

  • Responsible for keeping the software runtime up-to-date and configuring it securely.

  • Securely configuring the database and network connectivity.

However, like any other existing technology, it’s not immune to risks and threats. There have been reports detailing the most common security issues and challenges facing serverless systems today.

Serverless Security Risks & Challenges

1. Insecure configuration

Cloud service providers offer multiple settings and features. Incorrect settings or configurations left unattended may result in big security threats. It can act as an entry point for attacks against serverless architectures.

2. Overprivileged function permissions

The serverless ecosystem has many independent functions, and each function has its services and responsibilities for a particular task.

You should ensure that users do not have the privilege to access more than they require. The permissions/rights to the functions should be properly configured. It can create a situation where functions become overprivileged, thus causing a potential security threat.

3. Event-data Injection

Injection flaws in applications are one of the most common security risks. Other than untrusted inputs in application calls, these can also be triggered from the cloud storage events, NoSQL databases, code changes, etc.

Different types of input that may or may not contain untrusted inputs from different event sources need a careful assessment. This rich set of event sources increases the potential attack surface.

4. Inadequate function monitoring and logging

As serverless systems may not provide adequate security facilities in logging and monitoring applications, the early signs of an attack can be missed.

5. Improper exception handling and verbose error messages

In the case of a serverless architecture, line-by-line debugging services are often limited. To make things easier, some developers may choose verbose error messages and enable the debugging mode.

Developers may also forget to clean the code while moving the applications to production, and the verbose error messages remain as it is. This may result in revealing information about serverless functions and the logic used.

6. Insecure third-party dependencies

Serverless applications deal with third-party integrations of database services, back-end cloud services, and other dependencies. If vulnerabilities are present in them, these can pave the way for exploitation.

Even though the responsibility of securing all the cloud components such as data centre, network, servers, operating systems and its configurations lies with the cloud service provider, it does not mean that the role of the developer is non-existent in enhancing security.

From the application side of things, the application developer is still responsible for application logic, code, data, and application-layer configurations, making it a shared security responsibility.

Best practices to enhance security in serverless applications

1. Protect sensitive information

Encrypt all data and use secure storage for credentials.

Review roles and permissions that are given to users, third parties, and functions within the application. You should also be creating custom roles as per the needs and apply them to the functions.

2. Integrate an incident response plan

In order to detect the early signs of an attack, it is essential to implement an incident response plan. This helps to identify issues earlier and resolve them accordingly. This keeps the application secure.

3. Implement proper security logging

Proper monitoring and security logging has a significant role in keeping your application secure. Cloud providers have their own recommendations to address this issue.

4. Third-party dependencies

It is recommended to remove unnecessary dependencies. Continuously monitoring and updating the versions of the framework, libraries and other dependencies along with creating security patches for the older versions of dependencies should be made a priority.

Conclusion

Software deployments and delivery has continued to evolve, especially since the advent of affordable and reliable cloud hosting.

Serverless architectures provide a great way of creating applications with scalability and there is an exponential growth in enterprises going “serverless”.

However, it also requires extra care. Being a shared responsibility model in terms of security, all parties involved should be aware of what they are in charge of securing.


Written by
Febna V M
Febna V M
Cyber Security Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days