‘Function-as-a-service’ or serverless computing is a boon to many enterprises: it simplifies code development and deployment, improves server resource utilization, and reduces the security overhead that the customer has to carry. Cloud providers stay on guard against the security concerns this raises, but as they identify and patch OS vulnerabilities, the new components they introduce bring new attack surfaces of their own. The term serverless computing is itself contested and has no agreed definition, even though it is the latest trend in the industry.

While serverless designs are going mainstream on the strength of their undeniable business advantages, the misplaced assumption that serverless computing is secure by default has created significant challenges. One of the first challenges to address is the myth that ‘the provider takes care of security’; only once that myth is dispelled does the real work begin.

Security in Serverless Computing

Given how young serverless is, security and development teams are still struggling to understand and manage the unique risks it entails. Many current-generation security controls depend on underlying servers, guest operating systems, containers, virtual network interfaces, databases, and virtual machines. When application developers adopt a serverless infrastructure, those underlying components are neither readily accessible nor persistent, so the controls built on them no longer apply.

Many enterprise security teams are working on novel solutions that secure APIs and modern applications built on serverless platforms such as Google Cloud Functions, Azure Functions, and AWS Lambda. DevOps teams are the innovators and early adopters of this technology. They do not need permission to build applications on serverless, and in practice they are the first responders to security problems identified in serverless APIs and applications.

Serverless applications remain a blind spot for enterprise IT and security professionals. As organizations gain experience and reap the financial advantages of serverless computing, security and IT teams have begun weighing in to gain greater visibility and actionable insight into the new risks it introduces.

Potential Risks for Serverless Applications

Currently, most organizations are still taking their first steps with serverless architecture and are focused on getting deployments working. To help IT organizations build reliable, secure, and robust applications, the Cloud Security Alliance has drafted a new report, ‘The 12 Most Critical Risks for Serverless Applications 2019’. The document describes the most prominent risks for serverless architectures, namely:

  • Function event data injection
  • Broken authentication
  • Insecure serverless deployment configuration
  • Over-privileged function permissions and roles
  • Inadequate function logging and monitoring
  • Insecure third-party dependencies
  • Insecure application secret storage
  • Financial resource exhaustion and denial of services
  • Serverless business logic manipulation
  • Verbose error messages and improper exception handling
  • Event triggers, cloud resources, and obsolete functions
  • Cross-execution data persistency

The objective of security is to enable safe data handling, i.e., to map out where organizational data lives and flows in the serverless world. Trust the provider, but verify what it does, and monitor your own applications. Despite the issues noted above, it is not advisable to set policies that slow serverless adoption. Organizations should instead encourage their security teams to give the business insightful data about the risks, so that it can benefit from the new innovations.

Security teams must provide automated analysis that lets DevOps teams and software engineers quickly discover and inspect every serverless and API service their organization publishes and consumes. These new APIs are the connective tissue that links serverless applications to all the other components.
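As an added example of the kind of automated analysis just described (not code from the original article or from the Cloud Security Alliance report), the script below runs a few static checks over a constructed inventory of function configurations and flags three of the risks in the list above: over-privileged function roles, application secrets stored in plain text, and missing function logging. The inventory's field names loosely mimic the shape of AWS Lambda's function configuration plus the execution role's inline IAM policy document, but they are an assumption for this example; the sample functions, the secret value and the ARN are all constructed.

```python
"""Flag over-privileged roles, plaintext secrets and missing logging
in a constructed serverless function inventory (example code)."""
import json
import re
from typing import Any

# Constructed sample inventory. Field names are an assumption that loosely
# follows AWS Lambda's function configuration; the values are made up.
SAMPLE_FUNCTIONS: list[dict[str, Any]] = [
    {
        "FunctionName": "orders-api",
        "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "STAGE": "prod"}},
        "LoggingConfig": {"LogGroup": ""},
        "Policy": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
        },
    },
    {
        "FunctionName": "thumbnailer",
        "Environment": {"Variables": {
            "BUCKET": "thumbs",
            # A reference into a secret store, not the secret itself.
            "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-creds",
        }},
        "LoggingConfig": {"LogGroup": "/aws/lambda/thumbnailer"},
        "Policy": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": "arn:aws:s3:::thumbs/*"},
                {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            ],
        },
    },
]

# Environment variable names that usually carry credentials.
SECRET_NAME_RE = re.compile(r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key)", re.I)


def _as_list(value: Any) -> list[Any]:
    """IAM allows Action/Resource/Statement to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def wildcard_statements(policy: dict[str, Any]) -> list[dict[str, Any]]:
    """Return Allow statements whose Action is a bare ('*') or service-wide
    ('svc:*') wildcard, or whose Resource is '*'."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [str(a) for a in _as_list(stmt.get("Action", []))]
        resources = [str(r) for r in _as_list(stmt.get("Resource", []))]
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if broad_action or "*" in resources:
            hits.append(stmt)
    return hits


def plaintext_secrets(env_vars: dict[str, Any]) -> list[str]:
    """Return names of secret-looking variables whose value is a literal
    rather than an ARN reference into a secret store."""
    return sorted(
        name for name, value in env_vars.items()
        if SECRET_NAME_RE.search(name) and not str(value).startswith("arn:")
    )


def audit_function(fn: dict[str, Any]) -> list[tuple[str, str]]:
    """Produce (risk, detail) findings for one function configuration."""
    findings: list[tuple[str, str]] = []
    for stmt in wildcard_statements(fn.get("Policy", {})):
        findings.append(("over-privileged-role", json.dumps(stmt, sort_keys=True)))
    for name in plaintext_secrets(fn.get("Environment", {}).get("Variables", {})):
        findings.append(("plaintext-secret", name))
    if not fn.get("LoggingConfig", {}).get("LogGroup"):
        findings.append(("no-logging", "no log group configured"))
    return findings


def audit(functions: list[dict[str, Any]]) -> dict[str, list[tuple[str, str]]]:
    """Audit every function in the inventory, keyed by function name."""
    return {fn["FunctionName"]: audit_function(fn) for fn in functions}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_FUNCTIONS).items():
        print(name)
        for risk, detail in findings:
            print(f"  [{risk}] {detail}")
```

Against the constructed inventory, `orders-api` yields three findings (a `*`/`*` policy statement, the `DB_PASSWORD` literal, and no log group) while `thumbnailer` yields only the `s3:*` statement, since its secret is referenced by ARN and its logging is configured. In a real deployment the inventory would be pulled from the provider's API rather than hard-coded, and a wildcard hit is a prompt to review the role, not automatically a defect.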
