The Ugly Truth About Serverless Data Security

Hacker Noon reflects the technology industry with unfettered stories and opinions written by real tech professionals


The easiest way to adopt serverless


 
Going serverless is like farming out mundane tasks to professional dev teams. You get increased flexibility, accelerated innovation, and reduced architecture costs, all while focusing on your core responsibilities and the end-user experience. Sounds good, right? Too good to be true.
 
Managing a complex infrastructure always comes at a cost. In the case of serverless, its distributed nature hands an attacker plenty of golden opportunities. It turns out that the major differentiator of serverless is also its archenemy: it gives attackers significantly more points of entry. With that in mind, let us look at the five main problems that underpin serverless security issues today.
 


Serverless - Malware Just Found A New Home

 
In general, many well-known software risks, such as misconfigured credentials or SQL injection, make a comeback in serverless, but they manifest in a different way.
 

Risk 1: Function Event-Data Injection

 
This risk arises when untrusted or attacker-controlled input is passed to an interpreter and executed or evaluated. The root cause is that we don’t always make sure the input is of the expected data type and shape. And since most serverless architectures have a myriad of event sources, it is not that hard to trigger a serverless function with such input.
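As an added illustration (not code from the newsletter), here is a Python handler that splices a query-string field from the event straight into SQL, beside a hardened version that checks the field's type and shape and binds it as a parameter. The event layout, the orders table and the customer-id format are assumptions made for this example.

```python
import re
import sqlite3

# Constructed in-memory store standing in for the function's database
# (assumption: an "orders" table keyed by customer id).
def seed_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (customer_id TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [("c-100", "keyboard"), ("c-200", "monitor")])
    return db

def vulnerable_handler(event, db):
    """Splices event data straight into SQL: event-data injection."""
    cid = event["queryStringParameters"]["customer_id"]
    sql = f"SELECT item FROM orders WHERE customer_id = '{cid}'"
    return [row[0] for row in db.execute(sql).fetchall()]

# The shape the field is expected to have (assumed for this example).
CUSTOMER_ID = re.compile(r"c-\d{1,6}")

def hardened_handler(event, db):
    """Checks the field's type and shape first, then binds it as a parameter."""
    params = event.get("queryStringParameters") or {}
    cid = params.get("customer_id")
    if not isinstance(cid, str) or not CUSTOMER_ID.fullmatch(cid):
        return {"statusCode": 400, "body": "invalid customer_id"}
    rows = db.execute(
        "SELECT item FROM orders WHERE customer_id = ?", (cid,)).fetchall()
    return {"statusCode": 200, "body": [row[0] for row in rows]}

def run_demo():
    """Run the same two constructed events through both handlers; the second
    event carries the textbook tautology the text warns about."""
    db = seed_db()
    normal = {"queryStringParameters": {"customer_id": "c-100"}}
    injected = {"queryStringParameters": {"customer_id": "' OR '1'='1"}}
    return {
        "vulnerable_normal": vulnerable_handler(normal, db),
        "vulnerable_injected": vulnerable_handler(injected, db),
        "hardened_normal": hardened_handler(normal, db),
        "hardened_injected": hardened_handler(injected, db),
    }
```

The vulnerable handler returns every customer's rows for the injected event, while the hardened one rejects it with a 400 before any query runs.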
 


Risk 2: Broken Authentication

 
Since serverless fosters a microservices-oriented system design, applications often include a large number of functions, each with a unique target.
 
Woven together, these functions form the overall system logic. However, some functions expose public web APIs, while others ingest events from various source types, each needing its own authentication. So unauthorized access is all too easy in this case.
 


 

Risk 3: Insecure Serverless Deployment Configuration

 
Cloud providers offer many customizations and configuration settings to fine-tune a deployment for each unique need or task. Some of these out-of-the-box defaults have alarming consequences for the overall security posture.
 
A common weak point, for instance, is misconfigured authentication on cloud-based storage. Left unchecked, such configurations can wreak havoc on your security.
 


Risk 4: Overprivileged Function Permissions and Roles

 
Serverless functions have access rights, such as the right to access a database. And if you have many functions, you’ll have just as many permission sets. In an ideal world, these would all be distinct rights, each as restricted as possible.
 
But who has the time to manage a zillion function authorizations? Most often, developers take a shortcut by applying a "wildcard" permission model. In this case, serverless functions may end up in the wrong hands and be used for unplanned operations.
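An added example, not from the newsletter or any provider's tooling, that covers both the misconfigured storage access of Risk 3 and the "wildcard" permission model of Risk 4: a small linter that flags Allow statements granting wildcard actions, resources or principals in an AWS-style JSON policy. The policy syntax, statement names and ARNs are assumptions and constructed samples.

```python
import json

def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Flag Allow statements that grant wildcard actions, resources or
    principals. Returns a list of readable findings (empty means clean)."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: wildcard resource")
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # {"AWS": "*"} is also "anyone"
            principal = principal.get("AWS")
        if "*" in _as_list(principal):
            findings.append(f"{sid}: wildcard principal (anyone can access)")
    return findings

# Constructed sample policies (AWS-style syntax assumed): the "wildcard"
# shortcut from Risk 4, a storage bucket opened to the world (Risk 3), and a
# least-privilege role that lets one function read one table.
WILDCARD_ROLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllTheThings", "Effect": "Allow", "Action": "*", "Resource": "*"}]})

PUBLIC_BUCKET = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

LEAST_PRIVILEGE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOrders", "Effect": "Allow", "Action": ["dynamodb:GetItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"}]})
```

Running the linter over every function role and bucket policy in a deployment pipeline turns the "who has the time" problem into a check that fails the build.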
 


Risk 5: Inadequate Function Monitoring and Logging

 
It’s essential to log and monitor security-relevant events in real time, since that is what uncovers intrusions and limits data corruption. However, this architecture hosts the functions in the provider's cloud, beyond the perimeter of your own data center.
 
And although many serverless providers supply highly capable logging, those logs ship in a basic configuration that often falls short of delivering a full security event audit trail.
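Because the provider's default logs rarely record who called what and with which outcome, here is an added example (not the newsletter's code) of a wrapper that emits one structured security event per invocation, including failed ones. The API-gateway-style event fields and the context attributes are assumptions.

```python
import functools
import json
import time
import types
def audit_logged(handler, sink):
    """Wrap a handler so every invocation appends one JSON security event to
    sink (a list here; in production a log stream or SIEM forwarder)."""
    @functools.wraps(handler)
    def wrapper(event, context):
        req = event.get("requestContext", {})
        record = {
            "ts": time.time(),
            "function": getattr(context, "function_name", None),
            "request_id": getattr(context, "aws_request_id", None),
            "source_ip": req.get("identity", {}).get("sourceIp"),
            "principal": req.get("authorizer", {}).get("principalId"),
            "method": event.get("httpMethod"), "path": event.get("path"),
        }
        try:
            response = handler(event, context)
            record["outcome"] = "ok"
            record["status"] = response.get("statusCode") if isinstance(response, dict) else None
            return response
        except Exception as exc:  # record the failure, then let it propagate
            record["outcome"], record["error"] = "error", type(exc).__name__
            raise
        finally:
            sink.append(json.dumps(record))
    return wrapper

def run_demo():
    """Two constructed invocations: one success, one that raises."""
    sink = []
    def handler(event, context):
        if event.get("path") == "/boom":
            raise ValueError("bad input")
        return {"statusCode": 200, "body": "ok"}
    wrapped = audit_logged(handler, sink)
    # Constructed context and API-gateway-style event (field names assumed).
    ctx = types.SimpleNamespace(function_name="orders-api", aws_request_id="req-0001")
    base = {"requestContext": {"identity": {"sourceIp": "203.0.113.9"},
                               "authorizer": {"principalId": "user-42"}},
            "httpMethod": "GET"}
    wrapped(dict(base, path="/orders"), ctx)
    try:
        wrapped(dict(base, path="/boom"), ctx)
    except ValueError:
        pass
    return [json.loads(line) for line in sink]
```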
 


 
Along the same lines, we'd like to express our thanks to Webiny for sponsoring this newsletter. Webiny is a CMS for the serverless era. You can run Webiny in your own cloud on top of the serverless infrastructure. Your data stays with you.
 

Your Cut’N’Paste Summary

 
While serverless lets software engineers concentrate on business logic and skip complex server infrastructure, it has a blot on the landscape. New, unprecedented security challenges like function event-data injection, insecure deployment configuration, and other beasts can overshadow the bright sides of this architecture.
 
But we are not spreading fear or slamming serverless. Remember that all these risks can be mitigated; knowing nothing about them is the real weakness.
 


***
Copyright © 2021 Hacker Noon. All rights reserved.
