21 percent of open source serverless applications have critical vulnerabilities

According to an audit by serverless security company PureSec, more than one in five serverless applications have critical security vulnerabilities. An evaluation of 1,000 open-source serverless projects found that 21 percent of them contain one or more critical vulnerabilities or misconfigurations, which could allow attackers to manipulate the application and perform malicious actions.

http://brn.firetrench.com

I have the following thoughts from Tim Mackey, technical evangelist for Black Duck by Synopsys:

“What was disclosed

  1. PureSec have defined an equivalent of the “OWASP Top 10” and are targeting it at the Functions as a Service (FaaS) market – also known as “serverless”
  2. To vet their definition, they’ve collected a sampling of roughly 1000 functions deployable within AWS Lambda. These functions were written in a variety of languages and their findings showed, in the aggregate, 21% contained at least one of the security risks identified by their “FaaS top 10” taxonomy
  3. PureSec have created an offering around their “FaaS top 10” and made it available in beta form with the report as supporting material

Why security in the FaaS ecosystem matters

The core concept of FaaS, or serverless functions, is to define an API for consumption. These APIs can provide basic services intended for integration into a larger application. By decoupling the API from the core business logic, security paradigms which would normally apply to a discrete application at a higher level now need to be implemented in the API function. For example, a discrete user-facing application will often implement its input sanitisation routines at the point of user input. The sanitised data is then freely manipulated within the application to return a result to the end user. If those internal data manipulation routines are broken out to become discrete API services, the input sanitisation rules could easily be omitted when the API was refactored. The net result is that unexpected data could be presented to the function – with correspondingly unexpected results. If that API function proves valuable to others, those new consumers may not be aware of the lack of input sanitisation and the associated security risks.

While PureSec highlight in their announcement the results of their analysis of Open Source projects, this risk potentially exists in any API – regardless of whether it’s considered “serverless”. Application owners should pay attention to any API they consume and assume that without independent validation any number of security issues may be present. In addition to the security nature of API execution, recent media coverage of data breaches also demonstrates that anyone consuming an API should be aware of how any data presented will be used and potentially stored.

I personally support PureSec’s attempts to increase awareness of the security risks associated with API usage and the role they are playing in security education for serverless/FaaS developers.”
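To illustrate the refactoring pitfall Mackey describes, here is an added example written for this post (not code from PureSec's report or from Black Duck): a Lambda-style handler in Python, using a constructed in-memory object store and an assumed event shape of `{"order_id": ...}`. An internal routine written for a monolith that validated input at the user boundary is exposed as a function first without that check and then with the check re-applied inside the function itself.

```python
import json
import posixpath
import re

# Constructed sample object store standing in for a bucket or database.
STORE = {
    "orders/A1234.json": {"id": "A1234", "total": 42.0},
    "config/secrets.json": {"db_password": "placeholder-not-a-real-secret"},
}
ORDER_ID_RE = re.compile(r"[A-Z]\d{4}")


def validate_order_id(raw):
    """Input check the original monolith applied at the user-input boundary."""
    if not isinstance(raw, str) or not ORDER_ID_RE.fullmatch(raw):
        raise ValueError("invalid order id")
    return raw


def read_order(order_id):
    """Internal routine: written assuming order_id was already validated upstream."""
    key = posixpath.normpath(posixpath.join("orders", order_id + ".json"))
    return STORE.get(key)


def handler_unvalidated(event, context=None):
    """The refactor the text warns about: read_order exposed as a standalone
    function, with the monolith's boundary check left behind. Any key-shaped
    string in the event now reaches the storage lookup directly."""
    order = read_order(event.get("order_id", ""))
    return {"statusCode": 200 if order else 404, "body": json.dumps(order)}


def handler_validated(event, context=None):
    """Hardened version: the function re-applies validation itself, because it
    can no longer rely on an upstream caller having done so."""
    try:
        order_id = validate_order_id(event.get("order_id"))
    except ValueError as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    order = read_order(order_id)
    return {"statusCode": 200 if order else 404, "body": json.dumps(order)}


if __name__ == "__main__":
    for ev in ({"order_id": "A1234"}, {"order_id": "../config/secrets"}):
        print(ev, handler_unvalidated(ev)["statusCode"], handler_validated(ev)["statusCode"])
```

The unvalidated handler answers 200 for the traversal-shaped id and returns the unrelated config object; the validated one rejects it with 400 before any lookup happens.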