paint-brush
'Serverless': Malware Just Found a new Homeby@newsletters
720 reads
720 reads

'Serverless': Malware Just Found a new Home

by newsletters October 10th, 2021
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Going ‘serverless’ is like farming out mundane tasks to professional dev teams. The distributed nature of serverless gives a cyber breach lots of golden opportunities. Serverless is also its archenemy that provides attackers with significantly more points of entry. The main reason for that is that we don’t always make sure the input is of the expected data type. In general, many well-known software risks like wrongly configured credentials or SQL injection make a comeback in serverless.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - 'Serverless': Malware Just Found a new Home
newsletters  HackerNoon profile picture


Going ‘serverless’ is like farming out mundane tasks to professional dev teams.


You get increased flexibility, accelerated innovation, and reduced architecture costs. All these awesome perks are included while building the ultimate user experience.


Sounds good, right? Well, it’s too good to be true.


Managing a complex infrastructure always comes at a cost.


In the case of serverless infrastructure, its distributed nature gives a cyber breach lots of golden opportunities.


It turns out that the major differentiator of serverless is also its archenemy that provides attackers with significantly more points of entry. With that being said, let us dwell on the main five problems that underpin security issues today.


Serverless - Malware Just Found A New Home


In general, many well-known software risks like wrongly configured credentials or SQL injection make a comeback in serverless, but they manifest in a different way.


Risk 1: Function Event-Data Injection


This risk takes place when unreliable or attacker-controlled input is delivered to an interpreter and gets run or evaluated.


The main reason for that is that we don’t always make sure the input is of the expected data type. And as most serverless architectures have a myriad of event sources, it is not that hard to spark off a serverless function.


Risk 2: Broken Authentication


Since serverless fosters a microservices-oriented system design, applications often include a large number of functions, each with a unique target.


Being intertwined, these functions create overall system logic. However, some functions may disclose public web APIs, while others ingest events from various source types. So unauthorized access is a no-brainer in this case.


Risk 3: Insecure Serverless Deployment Configuration


Cloud providers offer many customizations and configuration settings to fine-tune them for each unique need or task. Some of these out-of-the-box configuration settings have alarming consequences on the overall security standpoint.


Thus, a popular weak point for cloud-based storage is incorrectly configured cloud storage authentication. And if configurations are left unchecked, it may wreak havoc on your security.


Risk 4: Overprivileged Function Permissions and Roles


Serverless functions have access rights, such as the right to access a database. And if you have many functions, you’ll have the same amount of permissions. In an ideal world, these all should be different rights that are as restricted as possible.


But who has the time to manage a zillion function authorizations? Most often, developers find a shortcut by applying a "wildcard" permission model. In this case, serverless functions may end up in the wrong hands and used for unplanned operations.


Risk 5: Inadequate Function Monitoring and Logging


It’s essential to log and monitor security-relevant events instantly since it helps to uncover intruder attacks and impede data corruption. However, this architecture hosts these functions in a cloud environment, beyond the user's data center borderline.


And although many serverless providers supply highly efficient logging capabilities, these logs are in their basic configuration and often fall short of delivering a full security event audit trail.


Subscribe to HackerNoon’s newsletters via our subscribe form in the footer.