Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity

    Protego Labs Boosts Serverless Security With Open-Source Project

    By
    Sean Michael Kerner
    -
    January 7, 2019
    Share
    Facebook
    Twitter
    Linkedin
      Protego Labs DVSA

      While serverless technology is becoming increasingly widely used, there has been a lack of understanding when it comes to serverless security implications. That’s a challenge that Protego Labs is looking to help solve with the release of a freely available open-source tool that helps organizations learn about serverless security.

      Serverless, also referred to as functions-as-a-service, is technology that enables organizations to run functions in an event-driven approach, rather than requiring a long running persistent server. Among the most popular serverless platforms is Amazon Web Services (AWS) Lambda, which provides some default security capabilities in the cloud at the infrastructure layer. Although AWS provides some security capabilities, there are still application layer risks that organizations need to be aware of when it comes to serverless. The Protego Labs Damn Vulnerable Serverless Application (DVSA) is a purposefully insecure serverless application and toolset that provides organizations with insight into how to properly secure serverless deployments.

      “Our customers were looking for a way to help better understand the real risks from serverless,” Tal Melamed, head of security research at Protego Labs, told eWEEK. “So we decided to come up with DVSA, which is an attempt to be a realistic serverless deployment, and it interacts with various cloud resources, including databases, that are typical for a serverless application.”

      Founded in 2017, Protego Labs itself is in the business of providing serverless security. DVSA is open-source technology that Protego Labs is contributing to the Open Web Application Security Project (OWASP) with project code hosted on GitHub, and there is also an online hosted version set to debut this week at serverless.fail.  DVSA makes use of the OWASP Serverless Top 10 list project, which provides a listing of the most common serverless flaws and misconfigurations that organizations need to consider.

      “Serverless services run code without provisioning or managing servers and the code is executed only when needed,” the OSAWP Serverless Top 10 project page states. “However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks. “

      Serverless Vulnerabilities

      Melamed explained that DVSA has a directed path to help users learn how and where to find the vulnerabilities that are part of the project. Among the primary serverless risks is that of injection attacks.

      “Injection attacks are well-known in the web application space, but when it comes to serverless, injection attacks are not coming from the same places that developers might expect,” Melamed said.

      In an injection attack, some form of unauthorized or unexpected content or data is injected into an application flow. Among the most common injection attack vectors is SQL injection, when hackers input different code strings to exploit databases. In a regular web application, an injection attack comes from a user input as an entry point. Malemed said that with serverless, an injection attack can come from an event that the serverless function calls to execute. Malemed said that examples of potential serverless injection attacks include sending unauthorized emails with information or potentially uploading a file.

      Function permissions is another area of potential vulnerability with serverless. Melamed said that prior to serverless, permissions were typically managed at the infrastructure level, with a determination made what access permissions a given application might need. With serverless at AWS Lambda, each function can be granted its own permissions for what it can do within an account. As such, Malemed said that it is incumbent upon developers to make sure they assign the right permissions.

      “What we see in practice is that companies create permission templates for developers and tell them that every function that is developed should be covered by the template,” Melamed said. “The templates typically cover hundreds of permissions and actions inside of an account.”

      Melamed added that the majority of serverless functions do not need the full permissions that permission templates provide. By providing more permissions than a serverless function needs, there is a potentially larger attack surface that an attacker could exploit. Looking at permissions from another perspective, Melamed said there is also an opportunity for organizations to implement better granular permissions and reduce the attack surface by limiting individual functions to only have the very specific permissions that are needed.

      “Serverless can be a risk, but it can also be an opportunity to improve security,” he said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×