How PureSec aims to safeguard serverless applications from cyberattacks

The PureSec Tesseract is a serverless security runtime engine that protects apps in AWS Lambda, Microsoft Azure, and other environments.

Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • PureSec Tesseract is a "serverless security runtime engine," or SSRE, which is designed to protect against application-level attacks.
  • Tesseract supports AWS Lambda, as well as Google Cloud, Microsoft Azure, and IBM Cloud Functions.

For those charged with ensuring information security in their organization, the natural starting point is to secure the servers and the network that a given application is running on. In the age of serverless computing platforms, such as AWS Lambda, that idea is a bit too antiquated. While the basic concept of serverless computing is that the underlying infrastructure is managed, and only active computing time is billed, the resultant lack of control over the platform complicates conventional approaches to security. While the basic footwork of server management is done, going above that baseline requires a new approach to security.

PureSec believes they have developed the answer to this problem in Tesseract, which they tout on their website as the first "serverless security runtime engine," or SSRE, designed to protect against application-level attacks. PureSec's SSRE, currently in beta, is designed to prevent the execution of attacks embedded in event triggers, such as Internet of Things (IoT) telemetry events, HTTP APIs, and NoSQL events, among others, the website noted.

Naturally, it would be counterintuitive to require an appliance, or to filter traffic through a SaaS security suite, in a serverless computing setting, given the millisecond-measured margins of performance that serverless computing is used for. For that reason, Tesseract is embedded in the application being run, with a one-line import. According to the website, it works with the typical languages serverless applications are written in, including Java, JavaScript, Node.js, Python, Go, and others.

Tesseract uses a variety of strategies to harden application security. During development, the software can identify scenarios when excessive permissions are granted that are not utilized by the normal functioning of the program, prompting developers to tighten access restrictions to the minimum necessary for the program.

The program is able to automatically generate the correct permissions profile for the use case, making securing resources as easy as possible. As incorrectly configured S3 buckets have become prime targets for ransomware attacks, this functionality is increasingly important in cloud deployments. Additionally, it can identify improperly stored database credentials or API keys, as well as insecure dependencies in the app.
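The comparison of granted versus exercised permissions described above, applied to an AWS IAM policy as an added example. It is not PureSec's code and does not describe how Tesseract works internally; the policy, ARNs and observed calls are constructed samples, and `audit` is a hypothetical helper.

```python
import fnmatch

# Constructed sample: policy attached to a function's execution role.
GRANTED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:DeleteTable"],
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"},
    ],
}
# Constructed sample: (action, resource) pairs seen while exercising the function.
OBSERVED = [
    ("s3:GetObject", "arn:aws:s3:::example-uploads/report.csv"),
    ("dynamodb:GetItem", "arn:aws:dynamodb:us-east-1:111122223333:table/orders"),
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(stmt, action, resource):
    """True if the statement's Action/Resource patterns cover the call."""
    # IAM wildcards are * and ?; action names compare case-insensitively.
    return (any(fnmatch.fnmatchcase(action.lower(), p.lower())
                for p in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, p)
                    for p in _as_list(stmt["Resource"])))

def audit(policy, calls):
    """Return (findings, minimal_policy). Assumption: only Allow statements
    are evaluated; Deny, NotAction and Condition keys are not handled."""
    findings, needed = [], {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            one = {"Action": pattern, "Resource": stmt["Resource"]}
            hits = [(a, r) for a, r in calls if _covers(one, a, r)]
            used = sorted({a for a, _ in hits})
            if not hits:
                findings.append((pattern, "unused"))
            elif "*" in pattern or "?" in pattern:
                findings.append((pattern, "wildcard; observed only " + ", ".join(used)))
            for a, r in hits:
                needed.setdefault(r, set()).add(a)
    minimal = {"Version": policy["Version"], "Statement": [
        {"Effect": "Allow", "Action": sorted(acts), "Resource": res}
        for res, acts in sorted(needed.items())]}
    return findings, minimal
```

The minimal policy is only as complete as the observed calls, so code paths that were never exercised will be missing from it.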

It also has a "behavioral protection" system that safeguards against attempts to leak data, blocks unauthorized outbound traffic, and detects code injections attempting to piggyback on a normal execution, or embed external malware into the application, the website noted.

Tesseract supports AWS Lambda, as well as Google Cloud, Microsoft Azure, and IBM Cloud Functions, though some integrations with the native logging systems and other ecosystem tools for those platforms may be partially incomplete during the beta.

According to PureSec CTO Ory Segal, the platform is expected to reach general availability this July. Pricing details are still being finalized, though Segal noted that it is likely to be based on execution time, just as serverless computing is billed, which "makes sense, since customers are used to this already, and it helps them to forecast how much they are going to pay."
