Serverless Applications Pose Unique Challenges for Security Testing

Cloud-native development models are quickly entering the mainstream, and serverless computing is at the forefront of this trend. Like other aspects of digital transformation, this trend has been accelerating over the past two years as the way that brands interact with their customers underwent a sea change.

The term “serverless” refers to a cloud-native development model that allows organizations to build and run their applications without the burdens of physical server infrastructure. Serverless applications can deliver automatic scalability, high availability and improved business agility. This dynamic flexibility helps save time and money across the entire software development life cycle (SDLC). Serverless adoption in the enterprise has seen a 209% increase in average weekly invocations over the last 12 months. By next year, 25% of application developers are expected to be using serverless technologies due to their many advantages.

AWS Dominates The Marketplace

Amazon Web Services (AWS) has dominated the serverless computing market since the introduction of AWS Lambda in 2015, the first complete service to enable a true serverless architecture. Eight in 10 respondents to our survey are Lambda users. In the Contrast Security survey, nearly six in 10 (58%) AWS users say three-quarters or more of their applications are serverless.

Serverless application security, however, remains a serious issue. Traditional application security testing (AST) tools cannot provide adequate coverage, speed or accuracy to keep pace with the demands of serverless applications. It should be no surprise that concerns about misconfigured or quickly spun-up cloud-native (serverless or container-based) workloads have increased by nearly 10% over the last year.

The Current Gap Between Serverless and Security

While serverless environments present some advantages when it comes to security, there are also some unique challenges:

  • Attack surface. Every function, application programming interface (API) and protocol in a serverless application is a potential attack vector, so the overall attack surface is broader.
  • Porous perimeters. The boundaries of serverless applications are naturally more fragmented than traditional applications – and therefore harder to secure.
  • Greater complexity. Multiple permissions and access issues can be challenging and time-consuming for organizations to manage.

Because legacy AST tools were not designed for the unique nature of serverless applications, they cannot provide fast or accurate testing results. Legacy AST tools have poor visibility into serverless architectures due to “no-edge blindness” – functions don’t have a public-facing endpoint or URL. Abstraction of the infrastructure, network and virtual machines provides zero context for traditional tools to reference. This reduces the accuracy of testing results – upwards of 85% of alerts turn out to be false positives. While some vendors may tout static scans for serverless applications, scanning code with zero context is not a true or effective serverless AST solution.

Using traditional AST solutions for serverless applications also requires complex evaluation and tuning by security experts – which slows down deployment. Security testing operations may also require manual intervention by security and development teams – triage and analysis of results due to high rates of false-positive alerts. These barriers make it very difficult for traditional application security tools to scale with the rigorous demands of serverless development processes.

Purpose-Built Security for Serverless Applications

To actualize the intended benefits of serverless applications, organizations need purpose-built application testing that is both fast and accurate. Check out Contrast’s new State of Serverless Application Security Report. It highlights how enterprises are taking advantage of serverless computing to improve their business agility and enhance the customer experience. 
