Serverless applications increase the attack surface by introducing privilege escalation and application dependencies.
We're entering the next stage of virtualization. We've gone from physical servers, to virtual machines, to containers – and, now, to serverless apps, also known as functions as a service. At each stage, the number of instances goes up, and the lifespans get shorter. And each stage required new approaches to monitoring and security.
With serverless apps, the lifespans are no longer measured in minutes or hours, but in fractions of a second. The tools used to monitor the previous generations of virtualization technology aren't going to cut it.
The rise in serverless apps is a direct result of the adoption of micro-services, said Antony Edwards, CTO at Eggplant, a London-based digital automation intelligence company. The main advantage is flexibility, he said. "Unfortunately, greater flexibility means more opportunity for attackers to get your system to do unintended actions."
Serverless applications make it easier and faster for developers to launch applications, since the developers don't need to worry about the underlying infrastructure. However, they also increase the attack surface by introducing privilege escalation and application dependencies. And since serverless applications are typically small, discrete functions, there's also more data transferred across networks, another potential attack vector.
On the plus side, typically it's a major cloud provider that's taking care of the underlying infrastructure of the serverless apps, such as Amazon. That means that the likelihood of an attacker getting in by using vulnerabilities in unpatched servers is low.
"Patching is one of their core competencies," he said.
"But serverless does nothing to keep attackers away from your data," he added. "If an attacker gains access to your data through a vulnerability – leaked credentials, a compromised insider or by any other means – then serverless doesn't help."
Serverless apps are particularly susceptible to identity compromises, said John Martinez, VP of customer solutions at Evident.io.
"They're very tied into identity and access permissions on the cloud provider side," he said.
He suggested that companies using serverless applications focus on the least privilege model to help secure them.
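As an added illustration of the least-privilege point (this is example code, not from the article or any of the vendors quoted), the check below compares an over-broad function execution policy with one scoped to the calls a function actually makes, and flags the statements that a reviewer should push back on. The policy documents, bucket and table names, account id and the list of escalation-prone actions are all constructed assumptions for the example; the linter is a simplified local check, not an AWS API.

```python
"""Least-privilege check for serverless execution-role policies.

Added example, not the article's or any provider's code. The two policy
documents and every ARN in them are constructed for illustration."""
import fnmatch

# Constructed: the kind of blanket policy that gets attached "to make it work".
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: a policy granting only the calls this one function needs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-orders-bucket/incoming/*",
        },
        {
            "Effect": "Allow",
            "Action": ["dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-orders",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example-fn:*",
        },
    ],
}

# Assumed list: actions that let a function's role enlarge its own permissions
# or rewrite the function itself. A data-processing function rarely needs any.
PRIVILEGE_ESCALATION_ACTIONS = {
    "iam:*", "iam:PassRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "sts:AssumeRole",
    "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_least_privilege_violations(policy):
    """Return human-readable findings for every Allow statement that uses a
    wildcard action or resource, or grants an escalation-prone action."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            # Match in both directions so "iam:*" in the policy is caught by
            # "iam:PassRole" in the list and vice versa.
            for dangerous in PRIVILEGE_ESCALATION_ACTIONS:
                if fnmatch.fnmatchcase(dangerous, action) or fnmatch.fnmatchcase(action, dangerous):
                    findings.append(f"statement {i}: action {action!r} can be used to escalate privileges")
                    break
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource '*'")
    return findings


def is_least_privilege(policy):
    """True when the linter raises no findings."""
    return not find_least_privilege_violations(policy)


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", find_least_privilege_violations(policy) or "no findings")
```

Running it reports three findings for the broad policy (wildcard action, escalation-capable action, wildcard resource) and none for the scoped one; a deny-by-default review of every serverless role against a check like this is the practical form of the least-privilege advice above.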
According to Bo Lane, head of solution architecture at Kudelski Security, all the major cloud providers have a serverless offering. With Amazon, it's AWS Lambda. Microsoft has Azure Functions. Google and IBM both call it Cloud Functions.
"In a lot of cases the exact implementation is not known – it might be a proprietary container format, but they're taking care of the setup," he said.
That means that customers just focus on developing and executing code, and not worrying about the infrastructure. Developers still have to be careful about how they write their code, however.
"If you write insecure code and put it in a function, a lot of the security problems still exist – SQL injections and other attacks like that," he said.
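To make the SQL injection point concrete, here is an added example (not code from the article or from any provider) of the same Lambda-style request handler written twice: once building the query from the request string, and once with a bound parameter and an allow-list check on the input. It uses an in-memory sqlite3 table so it runs offline; the event shape, the `orders` table and its rows are constructed for the example.

```python
"""Injectable versus parameterized query inside a serverless handler.

Added example, not the article's or any provider's code. The event format,
table and rows are constructed; sqlite3 stands in for the real database."""
import json
import sqlite3


def make_db():
    """Constructed sample data: orders for two customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 19.99), (2, "alice", 5.00), (3, "bob", 120.00)],
    )
    return conn


def vulnerable_handler(event, conn):
    """Vulnerable: the customer value from the request becomes SQL text, so a
    quote in the input changes the query rather than the data it matches."""
    customer = event["queryStringParameters"]["customer"]
    sql = f"SELECT id, total FROM orders WHERE customer = '{customer}'"
    rows = conn.execute(sql).fetchall()
    return {"statusCode": 200, "body": json.dumps(rows)}


def hardened_handler(event, conn):
    """Hardened: the value is passed as a bound parameter, and the handler
    rejects anything that does not look like a customer identifier."""
    customer = event.get("queryStringParameters", {}).get("customer", "")
    if not customer.isalnum() or len(customer) > 64:   # allow-list the format
        return {"statusCode": 400, "body": json.dumps({"error": "invalid customer"})}
    rows = conn.execute(
        "SELECT id, total FROM orders WHERE customer = ?", (customer,)
    ).fetchall()
    return {"statusCode": 200, "body": json.dumps(rows)}


def row_count(response):
    """Number of rows in a 200 response, or -1 for an error response."""
    if response["statusCode"] != 200:
        return -1
    return len(json.loads(response["body"]))


def run_both(customer):
    """Invoke both handlers on one constructed API Gateway-style event."""
    conn = make_db()
    event = {"queryStringParameters": {"customer": customer}}
    try:
        return vulnerable_handler(event, conn), hardened_handler(event, conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("alice", "alice' OR '1'='1"):
        vuln, hard = run_both(value)
        print(f"{value!r}: vulnerable={row_count(vuln)} rows, hardened={row_count(hard)} rows")
```

With a normal customer name both handlers return that customer's two orders; with a value containing a stray quote the string-built query returns every customer's orders, while the hardened handler refuses the request with a 400. Nothing in the function platform changes that outcome, which is the quoted point: the provider patches the host, the developer still owns the query.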
And customers have to put a lot more trust in their cloud providers.
"How do you monitor the input and output in a function?" he said. "How are you monitoring the malicious activities going on, since a lot of the tools that you would deploy in an on-premise environment or a virtual machine, you don't have the luxury of having those tools. Ultimately, you're trusting the provider to keep the underlying system secure."
For those not willing to put their faith in the big cloud vendors, there are on-premises alternatives. For example, IBM built its Cloud Functions service using the Apache OpenWhisk platform. Other options include Fission, IronFunctions, and Gestalt.
As with other new technologies, there's usually a delay before the security tools catch up.