As part of its partnership with the Cloud Security Alliance (CSA), PureSec recently announced the release of a new serverless security guide titled “The 12 Most Critical Risks for Serverless Applications.”
The purpose of this document, according to PureSec, is to provide security guidelines for the design and implementation of serverless (Function-as-a-Service) applications. The guide includes design considerations focused on identifying and mitigating risks, along with mitigation recommendations that cover all major public cloud serverless platforms, such as AWS Lambda, Azure Functions, and Google Cloud Functions.
The guide is the result of a successful joint project between PureSec and CSA, with additional input and feedback from several dozen serverless industry thought leaders, and is the most comprehensive effort to date to classify the potential risks for applications built on serverless architectures, PureSec said in a blog post.
“As industry thought leaders in the serverless security space, many organizations turn to PureSec for advice and recommendations on how to design and build secure serverless applications. CSA felt that PureSec can provide the industry with outstanding insights and invited the company to join our alliance,” said J.R. Santos, EVP of Research, Cloud Security Alliance.
The report was written for both security and development audiences dealing with serverless applications, and goes well beyond pointing out the risks. It provides mitigations, best practices, and a comparison between traditional applications and their serverless counterparts, the company added.
The Top 12 Risks listed in the document are:
SAS-01: Function event-data injection
SAS-02: Broken authentication
SAS-03: Insecure serverless deployment configuration
SAS-04: Over-privileged function permissions and roles
SAS-05: Inadequate function monitoring and logging
SAS-06: Insecure third-party dependencies
SAS-07: Insecure application secrets storage
SAS-08: Denial of service and financial resource exhaustion
SAS-09: Serverless business logic manipulation
SAS-10: Improper exception handling and verbose error messages
SAS-11: Legacy / Unused functions & cloud resources
SAS-12: Cross-execution data persistency