According to McAfee Labs, serverless apps can save time and reduce costs. However, they can also widen the attack surface: functions that run with more privilege than they need, application dependencies pulled in without review, and data that must cross a network on every call, where it can be intercepted or altered.
“Serverless” apps, the latest step in virtualized computing, enable a new degree of granularity in computing functions. Some providers have recently reduced the billing increment to seconds, which will have a substantial impact on adoption. Billing for functions by the second, instead of for containers or virtual machines that are billed by the minute or hour, can reduce costs by a factor of 10 for some operations.
But what about the security of these function calls? They are vulnerable in traditional ways, such as privilege escalation and application dependencies, but also in new ways, such as traffic in transit and an increased attack surface.
Let’s start with the traditional vulnerabilities. Serverless apps that are quickly implemented or rapidly deployed often run under an execution role with far more privilege than the function needs, so any bug in the function becomes a foothold for a privilege escalation attack against the rest of the environment. Similarly, the speed of deployment can result in a function depending on packages pulled at build time from external repositories that are not under the organization’s control and have not been properly evaluated or pinned to a known version.
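The two traditional risks above are cheap to check before a function ships. The following is an added example, not code from the original article or from McAfee: it flags wildcard grants in an execution-role policy and unpinned packages in a dependency manifest. The policy shape follows the AWS IAM JSON format as an assumption (the article names no provider), the manifest is in pip requirements.txt format, and every policy, ARN and package line below is constructed sample data.

```python
"""Pre-deployment checks for a serverless function (constructed example).

Two checks that map to the "traditional" risks in the text:
  1. the execution role's policy grants more than the function needs
     (an over-broad role is what turns an ordinary bug into privilege escalation);
  2. the dependency manifest pulls unpinned packages from an external repository.
The policy format follows the AWS IAM JSON shape (assumption); the manifest is
pip requirements.txt format. All sample data is constructed for this example.
"""
import json
import re

# Constructed sample: the kind of policy a rushed deployment attaches.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample: the same function scoped to what it actually uses.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example:*"},
    ],
})

# Constructed sample manifest: two lines float, one is pinned exactly.
REQUIREMENTS = """\
requests
boto3==1.34.0
# comment lines and blank lines are ignored

jinja2>=3.0
"""

# An exact pin looks like: name == version   (version starts with a digit)
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*[0-9][^\s;#]*")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json):
    """Return (statement index, field, offending values) for every Allow statement
    that grants all actions ("*" or "service:*") or applies to every resource ("*")."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        bad_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        bad_resources = [r for r in resources if r == "*"]
        if bad_actions:
            findings.append((i, "action", bad_actions))
        if bad_resources:
            findings.append((i, "resource", bad_resources))
    return findings


def find_unpinned_requirements(text):
    """Return requirement lines that do not pin an exact version with '=='.
    A range (>=) or a bare name lets the build pull whatever the repository
    serves that day, which is the dependency risk the article describes."""
    unpinned = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("-"):   # skip blanks and pip options
            continue
        if not PIN_RE.match(line):
            unpinned.append(line)
    return unpinned


if __name__ == "__main__":
    print("over-broad:", find_overbroad_statements(OVERBROAD_POLICY))
    print("scoped:    ", find_overbroad_statements(SCOPED_POLICY))
    print("unpinned:  ", find_unpinned_requirements(REQUIREMENTS))
```

Run this in the deployment pipeline and fail the build on any finding; pinning is the minimum, and a manifest that also records package hashes closes the gap between "the version I reviewed" and "the bytes that were installed".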
Then there are the new risks. A call to a serverless function is usually addressed to an endpoint owned by the provider, so an observer can often tell from the URL alone that the request is bound for a serverless platform, and which one. That shared infrastructure is a single, well-advertised target: an attacker who can disrupt or disable it from the outside affects every organization hosted on it at once.
Another risk is the data included in the function call. Because the data does not originate on the server that executes the function, it must transit some network on every invocation and may be intercepted or manipulated along the way; transport encryption protects each hop, but not what the function does with a payload that was altered before it arrived.
We predict the increased granularity of serverless apps will lead to a comparable increase in the attack surface. More functions, transiting to one or more providers, means more area for an attacker to exploit or disrupt. Make sure your function development and deployment process includes the necessary security steps, such as a least-privilege review of each function’s role and vetting and pinning of its dependencies, and that traffic to and from functions is appropriately protected by VPNs or encryption.
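The interception-and-manipulation risk in the two paragraphs above calls for protecting each function payload itself, not only the connection it travels over. The following is an added example, not code from the original article or from McAfee: the caller wraps the payload in an envelope carrying a timestamp, a nonce and an HMAC-SHA256 tag, and the function verifies the tag before it trusts the data, rejecting tampered, stale and replayed envelopes. It assumes a shared key that both sides already hold (for instance distributed through a secrets manager), uses only the Python standard library, and every key, payload and timestamp in it is constructed.

```python
"""End-to-end integrity for data sent to a remote function (constructed example).

TLS protects the hop to the provider; this adds a check, inside the function,
that the payload it is about to act on is the one the caller sent and that a
captured request cannot simply be sent again. Shared-key HMAC-SHA256 over a
canonical encoding of the envelope; key distribution is assumed to be solved
elsewhere (e.g. a secrets manager). All sample values are constructed.
"""
import hashlib
import hmac
import json
import os
import time

MAX_SKEW_SECONDS = 300   # how far the envelope timestamp may drift from now


def _canonical(payload, timestamp, nonce):
    """Canonical JSON so caller and function MAC exactly the same bytes."""
    return json.dumps(
        {"payload": payload, "ts": timestamp, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def sign_request(key, payload, now=None, nonce=None):
    """Caller side: wrap payload in an envelope with timestamp, nonce and MAC.
    now/nonce are parameters only so the example is deterministic."""
    ts = int(now if now is not None else time.time())
    nonce = nonce or os.urandom(16).hex()
    mac = hmac.new(key, _canonical(payload, ts, nonce), hashlib.sha256).hexdigest()
    return {"payload": payload, "ts": ts, "nonce": nonce, "mac": mac}


class Verifier:
    """Function side: accept an envelope only if its MAC is valid, its
    timestamp is fresh and its nonce has not been seen before."""

    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()   # production: shared store with a TTL >= MAX_SKEW_SECONDS

    def verify(self, envelope, now=None):
        """Return (True, payload) on success or (False, reason) on rejection."""
        now = now if now is not None else time.time()
        try:
            payload = envelope["payload"]
            ts = int(envelope["ts"])
            nonce = envelope["nonce"]
            mac = envelope["mac"]
        except (KeyError, TypeError, ValueError):
            return False, "malformed"
        # MAC first: nothing else about the envelope is trusted until it checks out,
        # and the comparison is constant-time to avoid leaking the expected tag.
        expected = hmac.new(self.key, _canonical(payload, ts, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "stale"
        if nonce in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(nonce)
        return True, payload


if __name__ == "__main__":
    key = b"constructed-shared-key"      # constructed; never hard-code a real key
    verifier = Verifier(key)
    env = sign_request(key, {"order": 42, "amount": 10})
    print(verifier.verify(env))          # (True, {...}) on first delivery
    print(verifier.verify(env))          # (False, 'replay') on the second
    env["payload"]["amount"] = 9999      # manipulated in transit
    print(verifier.verify(env))          # (False, 'bad mac')
```

A MAC gives integrity and origin, not confidentiality; where the payload itself is sensitive, encrypt it with an authenticated cipher (AES-GCM or similar) and keep the same timestamp-and-nonce discipline, since an encrypted request can be replayed just as easily as a plain one.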
Ian Yip, Chief Technology Officer, McAfee Asia Pacific
For more insights on cybersecurity, join McAfee Asia Pacific’s Chief Technology Officer, Ian Yip, at ConnecTechAsia Summit 2018’s EmergingTech Track. Marina Bay Sands, 26 June 2018. Delegates may register for the Summit here.