New Report Lists 12 Most Critical Risks for Serverless Applications


As part of its partnership with the Cloud Security Alliance (CSA), PureSec recently announced the release of a new serverless security guide titled “The 12 Most Critical Risks for Serverless Applications.”

The purpose of this document, according to PureSec, is to provide security guidelines for the design and implementation of serverless (Function-as-a-Service) applications. The guide includes design considerations focused on identifying and mitigating risks, along with mitigation recommendations that cover all major public cloud serverless platforms, such as AWS Lambda, Azure Functions, and Google Cloud Functions.

The guide is the result of a joint project between PureSec and CSA, with additional input and feedback from several dozen serverless industry thought leaders, and is the most comprehensive effort to date to classify the potential risks for applications built on serverless architectures, PureSec said in a blog post.

“As industry thought leaders in the serverless security space, many organizations turn to PureSec for advice and recommendations on how to design and build secure serverless applications. CSA felt that PureSec can provide the industry with outstanding insights and invited the company to join our alliance,” said J.R. Santos, EVP of Research, Cloud Security Alliance.

The report was written for both security and development audiences dealing with serverless applications, and goes well beyond pointing out the risks. It provides mitigations, best practices and a comparison between traditional applications and their serverless counterparts, the company added.

The Top 12 Risks listed in the document are:

SAS-01: Function event-data injection

SAS-02: Broken authentication

SAS-03: Insecure serverless deployment configuration

SAS-04: Over-privileged function permissions and roles

SAS-05: Inadequate function monitoring and logging

SAS-06: Insecure third-party dependencies

SAS-07: Insecure application secrets storage

SAS-08: Denial of service and financial resource exhaustion

SAS-09: Serverless business logic manipulation

SAS-10: Improper exception handling and verbose error messages

SAS-11: Legacy / Unused functions & cloud resources

SAS-12: Cross-execution data persistency