An audit by PureSec found one in five serverless apps has a critical security flaw that would allow attackers to hijack and use the app for malicious purposes.

Serverless computing is an emerging trend that is likely to explode in popularity this year. It takes the idea of a smaller server footprint to the next level. First, there were virtual machines, which ran a whole instance of an operating system. Then they were shrunk to containers, which only loaded the bare minimum of the OS required to run the app. This led to a smaller footprint.

Now we have “serverless” apps, which is a bit of a misnomer. They still run on a server; they just don’t have a dedicated server, virtual machine, or container running 24/7. They run in a server instance until they complete their task, then shut down. It’s the ultimate in small server footprint and reducing server load.

Audit of serverless apps finds critical security flaws

And like all emerging technologies, security seems to be an afterthought. An audit from a firm specializing in serverless application security has found one in five serverless apps has one form or another of a critical security flaw, allowing attackers to manipulate applications and perform various malicious actions.

According to the audit of more than 1,000 apps by Israeli security firm PureSec, most vulnerabilities and weaknesses were caused by copying and pasting insecure sample code into real-world projects, poor development practices, and lack of serverless education. This is the kind of bad behavior you really don’t expect to see from professional developers. Additionally, the company found 6 percent of the projects had application secrets, such as API keys or credentials, posted in their publicly accessible code repositories.

PureSec looked at apps written in a variety of popular languages — Java, Python, Go, and NodeJS — and found all of them were within a few percentage points, around 20 percent each.
The exception was Microsoft’s .Net, where the group found 42.9 percent of serverless apps had some kind of vulnerability.

Perhaps not surprisingly, this news comes as PureSec announced a product to secure serverless applications. It has launched a beta version of its PureSec SSRE platform for AWS Lambda, which can defend against application layer attacks such as NoSQL/SQL injections, remote code execution, attempts to subvert function logic, and unauthorized malicious actions. PureSec claims that with SSRE, all the vulnerabilities discovered in the audit would have been blocked and mitigated during runtime, or they would have been detected and fixed through the PureSec CI/CD integrated code and configuration scanning.

“The results of Puresec’s audit are jarring but not surprising as organizations adjust to the unique challenges of serverless application security,” said Ory Segal, PureSec CTO and co-founder, in a statement. “The traditional models of application security and cloud workload protection solutions aren’t effective for serverless architectures.”

In fairness, PureSec does document the 10 most common vulnerabilities to great detail in a white paper, with sample code and the like.
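The audit's two headline causes, copy-pasted sample code and credentials committed to public repositories, are the kind of thing a simple pre-commit check can catch before a function is deployed. The following is an added example, not code from PureSec or from the article: it scans the source of a constructed AWS Lambda handler for hard-coded credentials and contrasts it with a hardened handler that takes its credentials from the execution role and environment. The key values, the variable name THIRD_PARTY_API_KEY and the regular expressions are all constructed for the example; the AKIA prefix pattern is the familiar shape of an AWS access key ID and is used here only as a detection heuristic.

```python
import re
from typing import Dict, List

# Constructed sample of a Lambda handler that embeds credentials in source.
# Every key value below is made up for this example and is not a real credential.
INSECURE_HANDLER = '''
import boto3

AWS_ACCESS_KEY_ID = "AKIAEXAMPLE12345ABCD"
AWS_SECRET_ACCESS_KEY = "constructedSecretKeyValue0123456789ABCDE"
api_key = "sk_live_constructed_example_0000"

def handler(event, context):
    client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                          aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
    return client.list_buckets()
'''

# Constructed hardened form of the same handler: AWS credentials come from the
# function's execution role, and the third-party key is injected at deploy time
# (environment variable or a secrets manager), so nothing sensitive is in the repo.
HARDENED_HANDLER = '''
import os
import boto3

def handler(event, context):
    # THIRD_PARTY_API_KEY is an assumed environment variable name for this example.
    api_key = os.environ["THIRD_PARTY_API_KEY"]
    client = boto3.client("s3")
    return client.list_buckets()
'''

# Detection heuristics (constructed for this example, not an exhaustive ruleset):
#  - an AWS access key ID literal (AKIA followed by 16 upper-case alphanumerics)
#  - an AWS secret access key assigned as a quoted 40-character literal
#  - a generic api_key / secret / token / password assigned a quoted literal
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r'(?i)aws_secret_access_key\s*=\s*["\']([A-Za-z0-9/+=]{40})["\']'),
    "generic_api_key": re.compile(
        r'(?i)\b(api[_-]?key|secret|token|password)\b\s*=\s*["\']([^"\']{8,})["\']'),
}


def scan_source(source: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) where a hard-coded secret is suspected."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule, "text": line.strip()})
    return findings


def has_hard_coded_secrets(source: str) -> bool:
    """Pre-commit style verdict: True means the source should not be pushed."""
    return bool(scan_source(source))


if __name__ == "__main__":
    for label, src in (("insecure", INSECURE_HANDLER), ("hardened", HARDENED_HANDLER)):
        findings = scan_source(src)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f['line']}: {f['rule']}: {f['text']}")
```

Run as a script it reports three findings for the insecure handler (lines 4, 5 and 6 of that snippet) and none for the hardened one. The value of a check like this is that it runs on every commit, which is exactly when a pasted sample key would otherwise slip into a public repository; reading credentials from the role and environment also means rotating a leaked third-party key requires no code change.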