Twistlock Extends Container Security to Protect Serverless Functions

Container security vendor Twistlock announced on June 19 that it is adding serverless function protection to its platform. The new serverless capabilities are set to become generally available in July as part of the Twistlock 2.5 update.

In a video interview with eWEEK, Twistlock CTO John Morello explains how the new serverless security technology works and why there is a need for additional security in serverless deployments. Serverless, also referred to as functions as a service, enables users to run a function without the need to start a full server, virtual machine or container image. The Twistlock serverless protection supports AWS Lambda, Google Cloud Functions and Azure Functions.

"We're adding the capability to provide runtime defense for serverless functions," Morello said. "What we're really talking about is being able to proactively prevent anomalous processes from running within your functions."

Twistlock released its first container security platform in November 2015, providing runtime security for container application deployments. The Twistlock 2.0 platform, which was announced in April 2017, added compliance capabilities to the platform as well as increased visibility into container application operations. For containers and serverless functions, Twistlock's platform can look for and prevent known vulnerabilities that are present. Additionally, the platform provides runtime security, which can prevent attacks that attempt to compromise a container or function.

Serverless functions already benefit from access control and security group policies that are in place on the platforms on which the functions run. Morello noted that security is always about defense in depth, and Twistlock is now providing additional layers of protection on top of the native capabilities of the serverless platforms. Morello said that even if an organization is using security groups to protect serverless, there is still the risk of having an application with a vulnerability that enables an attacker to get access.

"We're putting in a real hard control that says if the processes that are trying to be invoked in the function are not something that is normal, we'll prevent those from starting," Morello said.

How It Works

The Twistlock serverless runtime security capability is something that can be bundled into a serverless function. Morello explained that a developer can build a serverless function and then embed the Twistlock binary into the function's output file. When a function starts, the initialization process is basically Twistlock, which immediately invokes the developer's code, with the additional layer of policy protection to make sure that unauthorized system calls and processes don't run, he said.

The extension of Twistlock to protect serverless runtimes is not being launched in response to any new specific threat against serverless, according to Morello.

"If you think about a function or a container, at the end of the day it's just a different compute environment for the same software that you're already used to," he said. "Honestly, the attacks that you'd see in serverless or in containers in general are the same as if you ran the application stack on virtual machine or physical server."

An attacker doesn't really care what an application is running on top of, Morello said. Rather, the attacker knows that there is an application component that has a vulnerability that can be exploited.

"It's not a serverless attack pattern as much as it is an attack against applications that might happen to run in a serverless environment," he said.

Watch the full video interview with John Morello above.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.