Serverless architectures, also known as function as-a-service (FaaS), are used in the enterprise to both build and deploy software and services without the need for in-house physical or virtual servers.
This kind of architecture has proven popular due to inherent scalability and compatibility with cloud services and includes AWS Lambda, Azure Functions, Google Cloud Functions, and IBM BlueMix Cloud Functions.
However, as noted in a new report by PureSec, it is not immune to the security issue, which impact more traditional server-based systems.
On Wednesday, the serverless architectures security firm released a new report detailing the most common security issues and challenges facing these systems today.
The report, titled "The Ten Most Critical Security Risks in Serverless Architectures," suggests that the following ten problems are causing security challenges today:
1. Function event data injection: Injection flaws in applications are one of the most common risks and can be triggered not only through untrusted input such as through a web API call but due to the potential attack surface of serverless architecture, can also come from cloud storage events, NoSQL databases, code changes, message queue events and IoT telemetry signals, among others.
"This rich set of event sources increases the potential attack surface and introduces complexities when attempting to protect serverless functions against event-data injections, especially since serverless architectures are not nearly as well-understood as web environments where developers know which message parts shouldn't be trusted (GET/POST parameters, HTTP headers, and so forth)," the report says.
2. Broken authentication: Applications built for serverless architectures often contain dozens -- or even hundreds -- of serverless functions, each with a specific purpose.
These functions connect together to form overall system logic, but some of these functions may expose public web APIs, others may consume events from different source types, and others may have coding issues ripe for exploit and attacks, which lead to unauthorized authentication.
3. Insecure serverless deployment configuration: The security firm found that incorrect settings and the misconfiguration of cloud services are a common theme. This, in turn, can provide an entry point for attacks against serverless architectures, the leak of sensitive, confidential information, and potentially Man-in-The-Middle (MiTM) attacks.
4. Over-privileged function permissions and roles: Serverless applications -- and enterprise systems as a whole -- should follow the principle of "least privilege."
If users have more access than they require for their daily activities, should an attacker compromise their account, they are being given license to damage, which could have been avoided -- and the same should go for applications.
However, PureSec has found that this ethos is not being followed. Serverless functions should only have the privileges they require, but as setting these permissions for potentially dozens of functions, this area is often ignored -- and becomes a weak security spot.
5. Inadequate function monitoring and logging: The reconnaissance phase of an attack, where threat actors attempt to gain intel on a network's defenses and weaknesses, is also a crucial point for cybersecurity solutions to detect suspicious behavior and shut it down.
As serverless architectures reside in cloud environments, "on-premise" real-time cybersecurity solutions are redundant -- and this means the early signs of an attack can be missed.
While serverless systems do often offer logging capabilities, they may not be suitable for the purpose of security monitoring or audits.
6. Insecure third-party dependencies: When serverless functions rely on third-party software, such as open-source packages and libraries, if vulnerabilities are present, these can pave the way for exploit.
7. Insecure application secrets storage: Many apps require "secret" information to be encrypted and stored, such as API keys, passwords, configuration settings, and database credentials.
However, a recurring mistake detected by PureSec is the common practice of storing this information in plain text configuration files -- where any intruder can pillage at will.
8. DDoS attacks, resources stretched to the limit: According to the study, distributed denial-of-service (DDoS) attacks pose a serious risk to serverless architecture as there may be memory allocation, duration per function, and execution limits.
Default limits and poor configuration can lead to successful DDoS attacks and latency struggles.
9. Serverless function execution flow manipulation: Attackers may be able to subvert application logic by tampering with application flows, leading to access control bypass, privilege escalation or denial-of-service attacks.
10. Improper exception handling and verbose error messages: Line-by-line debugging services for serverless architecture are often rather limited. As a result, some developers adopt verbose error messages, enable debugging after the fact, and they may forget to clean the code when it is moved to production.
When exposed to end users, these messages may reveal information about serverless functions and the logic used -- as well as weaknesses in the system and confidential data.
"Serverless architectures have skyrocketed in the last couple of years with an annual growth rate of over 700 percent," said Ory Segal, CTO and co-founder of PureSec. "Our research shows that serverless related software downloads experience exponential growth, yet at the same time there's a huge gap in security knowledge around serverless when compared to traditional applications."