Serverless architectures: 10 serious security problems (free PDF)
Broken authentication, improper exception handling, and insecure third-party dependencies are among several critical issues that can plague serverless architectures. This ebook explains the biggest security challenges to watch out for.
From the ebook:
Serverless architectures, also called function-as-a-service (FaaS), are used in the enterprise to both build and deploy software and services without the need for in-house physical or virtual servers. This kind of architecture has proven popular due to inherent scalability and compatibility with cloud services and includes AWS Lambda, Azure Functions, Google Cloud Functions, and IBM BlueMix Cloud Functions.
However, as noted in a new report by PureSec, it is not immune to the security issues that impact more traditional server-based systems. The report, titled “The Ten Most Critical Security Risks in Serverless Architectures,” suggests that the following 10 problems are causing security challenges today.
Function event data injection
Injection flaws are among the most common application risks. In a serverless architecture they can be triggered not only by untrusted input arriving through a web API call but, because of the broader attack surface, also by cloud storage events, NoSQL database records, code changes, message queue events, and IoT telemetry signals, among other event sources.
“This rich set of event sources increases the potential attack surface and introduces complexities when attempting to protect serverless functions against event-data injections, especially since serverless architectures are not nearly as well-understood as web environments where developers know which message parts shouldn’t be trusted (GET/POST parameters, HTTP headers, and so forth),” the report says.
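The point above is that every event source feeding a function is an input channel to validate, not just the HTTP request. The following handler is an added illustration (not code from the PureSec report or from any of the named platforms): it routes S3 and SQS records from a constructed event to per-source allowlist checks and rejects anything that does not match the expected shape. The `order_id` field, the 4 KB body limit and the key pattern are assumptions chosen for the example.

```python
import json
import re
from urllib.parse import unquote_plus

# Allowlist for object keys: alphanumeric path segments and one extension.
# Dots are not permitted inside segments, so "../" traversal cannot match.
SAFE_KEY = re.compile(r"^[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*\.[A-Za-z0-9]{1,8}$")
MAX_BODY_BYTES = 4096  # assumed size limit for queue message bodies

def validate_s3_key(raw_key: str) -> bool:
    # S3 event keys arrive URL-encoded; decode first so the allowlist sees the real key.
    return bool(SAFE_KEY.match(unquote_plus(raw_key)))

def validate_sqs_body(body: str) -> bool:
    # Bound the size, require well-formed JSON, then check the exact expected shape.
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        return False
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return False
    order_id = payload.get("order_id") if isinstance(payload, dict) else None
    return type(order_id) is int and order_id > 0

def check_record(record: dict) -> bool:
    # Route each record by its event source; unknown or malformed records are rejected.
    source = record.get("eventSource")
    try:
        if source == "aws:s3":
            return validate_s3_key(record["s3"]["object"]["key"])
        if source == "aws:sqs":
            return validate_sqs_body(record["body"])
    except (KeyError, TypeError):
        return False
    return False

def handler(event: dict, context=None) -> dict:
    # Lambda-style entry point: report how many records passed validation.
    results = [check_record(r) for r in event.get("Records", [])]
    return {"accepted": sum(results), "rejected": len(results) - sum(results)}

# Constructed sample event mixing S3 and SQS records (not captured from a real account).
SAMPLE_EVENT = {"Records": [
    {"eventSource": "aws:s3", "s3": {"object": {"key": "reports/2024/q1.csv"}}},
    {"eventSource": "aws:s3", "s3": {"object": {"key": "..%2Fconfig.json"}}},
    {"eventSource": "aws:sqs", "body": json.dumps({"order_id": 42})},
    {"eventSource": "aws:sqs", "body": "order_id=42"},
]}
```

Running `handler(SAMPLE_EVENT)` accepts the well-formed S3 key and the JSON queue message and rejects the other two records.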