This blog was written by an independent guest blogger.
A new trend for developers is emerging, as many companies shift towards using serverless computing. The name is a bit misleading, as serverless computing still relies on servers for storing data, but those who use serverless computing leave the maintenance of the server to their provider. They pay only for the storage needed to execute the code they develop.
In this way, developers can work in a “serverless” environment that allows them to focus solely on code rather than the provisioning of the servers they use. Although this model is very cost effective and is becoming more popular, giving up control of your servers can come with security risks.
This article will look at the pros and cons of serverless computing, and discuss some of the common security risks that come along with it. We’ll also go over some common problems with serverless computing and information developers need to know to make sure they aren’t victims of a security breach.
The benefits of serverless computing
In our digital era, people expect ease and convenience from their technology. Many internet users will abandon websites after just a few seconds if the load time isn’t optimal. The speed with which DevOps teams are expected to roll out new applications is faster than ever. In the competitive landscape of the modern world, achieving work with speed and convenience is a high priority.
Serverless computing is great because it allows developers to focus solely on code instead of server maintenance. Developers don’t have to be concerned with when to patch their operating system or whether they have to change their code so that it is still functional, for example. The sole concentration is on their business applications, freeing up time to focus on what they do best.
Serverless computing is also beneficial because it is highly scalable, as companies only pay for what they need. Serverless computing is also becoming more popular due to the increase in reliance on cloud applications. This has been influenced by the current redirection of business application environments to microservices and containers. Coca Cola, Netflix and Nordstrom are examples of large companies that have adopted serverless computing.
With serverless computing, operational concerns are removed from the focus of the company using them. Issues with fault tolerance, scalability, availability, over/under provisioning of VM resources and other infrastructure concerns are completely the responsibility of the serverless provider. Furthermore, growing companies don’t have to keep idle servers to ensure they have room for growth.
Convenience can come at a cost, however. Even though serverless computing is more affordable than having dedicated in-house servers, relying on serverless cloud computing can potentially expose your business to cyber security risks.
The risks of serverless computing
Using a serverless computing model doesn’t absolve developers from responsibility in regards to cyber security. The developer is still in charge of code, data application logic, and application-layer configurations while sharing responsibilities with the serverless provider. Here are some of the most common security risks that arise in a serverless environment.
1 - The danger of DoS
A Denial of Service (DoS) attack is especially risky in a serverless environment. If your business relies completely on your cloud provider to store your information, you are beholden to them to rectify the situation if they fall victim to this type of attack.
2 - Financial resource exhaustion
Another way cyber criminals might target your serverless operation is through financial resource exhaustion. By pushing an application to over execute for a period of time, malicious hackers can run up your bill, resulting in a financial loss for your organization.
3 - Verbose error messages
Line-by-line debugging is significantly more challenging in serverless applications. This means that developers must enable debugging environment variables that adapt to the use of verbose error messages. Verbose error messages like syntax errors or stack traces can expose vulnerabilities, flaws in the code or even sensitive data.
4 - Insecure serverless deployment configurations
Organizations are happy when they are able to customize settings for their specific business applications in the serverless environment. However, this opens the door to potential misconfiguration of critical settings, which can lead to data being permanently lost.
Functions should be stateless when using serverless computing. Sensitive information stored on the cloud should be protected from unauthorized eyes, properly making use of cloud hardening methods and correct ACL configurations.
5 - Reliance on third parties
If your business does decide to go serverless, it’s important to look into the third party dependencies of your serverless provider. Frequently, these providers will rely on open source libraries or even consume remote web services through API calls.
Understand which third parties your serverless provider relies on, and whether importing their code may result in security vulnerabilities. This is one of the many reasons why some businesses prefer having a dedicated web server for hosting their websites rather than going serverless.
As London-based software developer and IT expert Alex Williams of Hosting Data says, dedicated servers “check for intruders, hacks, whether your site is up and running or not, and just general other safety things that make you feel nice and secure. They are like that one overprotective friend that's got your back one hundred percent”.
6 - Broken authentication
There are often hundreds of independent serverless functions contained in the architecture of serverless applications, which is similar to a microservice system design. Some of these functions can reveal public web APIs, or act as a proxy to separate functions.
Strong authentication schemes are necessary to protect your business in this environment, with proper access control and protection to every function, event type and trigger.
7 - Injection flaws
When unverified input is executed through an interpreter, injection flaws can occur. Serverless computing presents a variety of event sources, which can lead to the execution of a serverless function.
This variety of event sources increases potential attack surfaces, while also making it more complicated to protect functions from event-data injections. This is made even worse when you consider that serverless architectures are not yet well understood by most developers, who may not be able to quickly identify untrusted input.
Serverless computing has the potential to transform businesses, and it’s clear that it is becoming a trend for a good reason. The convenience and cost effectiveness of serverless applications, which can be arranged through providers such as AWS Lambda, Google Cloud Functions and others, make it very appealing to growing organizations.
These benefits can come at a cost, however, as cyber security becomes vastly more complicated and difficult to control in today’s environment. Thoroughly vetting your serverless computing provider and understanding the risks involved is essential before organizations make the decision to move over to the serverless world.