RSA 2014: The "double-edged sword" of disclosing software vulnerabilities
An audit of 1,000 open-source serverless applications carried out by serverless security company PureSec has revealed that 21 percent of such applications feature critical security vulnerabilities that can be exploited by hackers to either manipulate them or to carry out malicious operations.

A serverless application, in the words of serverless expert Mike Roberts, is one that "significantly depends on third-party services (known as Backend as a Service or "BaaS") or on custom code that's run in ephemeral containers (Function as a Service or "FaaS").

"By using these ideas, and by moving much behaviour to the front end, such architectures remove the need for the traditional 'always on' server system sitting behind an application.

"Depending on the circumstances, such systems can significantly reduce operational cost and complexity at a cost of vendor dependencies and (at the moment) immaturity of supporting services," he adds.

PureSec attributed the vulnerabilities and misconfigurations it found to "poor development practices, lack of serverless security education, and by copying and pasting insecure sample code into real-world projects."

"The percentage of vulnerabilities discovered was consistent across runtime languages, with the exception of DotNet projects that experienced significantly higher levels of vulnerabilities. With the choice of runtime ruled out as a factor, human error was left as the cause of the vulnerabilities.

"Using PureSec's SSRE, all the vulnerabilities discovered in the audit above would have been blocked and mitigated during runtime, and also detected and fixed through the PureSec CI/CD integrated code and configuration scanning," the firm said.

The firm also observed that 6 percent of the serverless applications had API keys or credentials committed to their publicly accessible code repositories. Anyone who finds such a key can call the back-end services it unlocks as the application itself, without having to exploit a code flaw at all, which makes it far easier for an attacker to infiltrate the application and manipulate it to achieve their objectives.
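The 6 percent figure is the easiest of these findings to check for yourself before code reaches a public repository. Below is an added example, not PureSec's code nor anything from the audit, of a small secret scanner run over constructed sample handler sources, beside the hardened pattern of loading a credential from the function's environment and failing closed when it is absent. The pattern list, the entropy cut-off, the `.env` file names and the function names (`find_hardcoded_secrets`, `load_credential`, `scan_repository`) are assumptions made for this example; the AWS key values in the sample are AWS's documented placeholder keys, not live credentials.

```python
"""Added example (not PureSec's or the audit's code): flag credential-looking
literals in serverless handler sources and show the hardened alternative of
loading credentials from the environment. Sample sources are constructed; the
AWS key values are AWS's documented placeholder keys, not live credentials."""
import math
import re
from typing import Mapping

# (kind, regex, capture group holding the candidate, structural?)
# Structural patterns have a fixed format, so a match is high confidence on its
# own. Generic name=value assignments are rated by the entropy of the literal so
# placeholders such as "changeme" are reported at low confidence, not dropped.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 1, True),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]([A-Za-z0-9/+=]{40})['\"]"), 1, True),
    ("generic_credential",
     re.compile(r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[=:]\s*['\"]([^'\"\s]{8,})['\"]"),
     2, False),
]
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off, tune per code base
ENV_FILE_NAMES = (".env", ".env.local")  # assumed naming convention

# Constructed sample: the kind of copy-pasted handler the audit describes.
VULNERABLE_HANDLER = '''\
import requests

API_KEY = "sk_live_abcdefghijklmnopqrstuvwxyz012345"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

def handler(event, context):
    conn = db.connect(host="db.internal", user="app", password="changeme")
    return requests.get("https://api.example.com/data",
                        headers={"x-api-key": API_KEY}).json()
'''

# Constructed sample: the same handler with the credential supplied at deploy time.
HARDENED_HANDLER = '''\
import os
import requests

def handler(event, context):
    api_key = os.environ["API_KEY"]  # injected from a secrets store, never committed
    return requests.get("https://api.example.com/data",
                        headers={"x-api-key": api_key}).json()
'''


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for a single repeated char)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_secrets(source: str) -> list[dict]:
    """One finding per credential-looking literal: line, kind, entropy, confidence."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, regex, group, structural in PATTERNS:
            for m in regex.finditer(line):
                ent = shannon_entropy(m.group(group))
                findings.append({
                    "line": lineno, "kind": kind, "entropy": round(ent, 2),
                    "confidence": "high" if structural or ent >= ENTROPY_THRESHOLD else "low",
                })
    return findings


def load_credential(name: str, env: Mapping[str, str]) -> str:
    """Hardened pattern: take the credential from the environment the platform
    populates from its secrets store, and fail closed if it is missing. There is
    deliberately no literal fallback, so no secret ever lands in the repository."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without it")
    return value


def scan_repository(files: Mapping[str, str]) -> dict:
    """Scan a checked-out tree (path -> contents). Committed env files are
    reported outright: they exist to hold secrets and belong in .gitignore."""
    report = {}
    for path, contents in files.items():
        if path.rsplit("/", 1)[-1] in ENV_FILE_NAMES:
            report[path] = [{"line": 0, "kind": "committed_env_file",
                             "entropy": 0.0, "confidence": "high"}]
        elif hits := find_hardcoded_secrets(contents):
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_repository({"handler.py": VULNERABLE_HANDLER,
                                       "safe.py": HARDENED_HANDLER,
                                       ".env": "API_KEY=abc"}).items():
        print(path, hits)
```

Run against the constructed sources, the scanner reports three high-confidence hits in the vulnerable handler (the generic API key and both AWS keys), one low-confidence hit for the `changeme` database password, nothing in the hardened handler, and the committed `.env` file. Wiring `find_hardcoded_secrets` into a pre-commit hook or the CI step that packages the function is the practical control; `load_credential` is the shape the function code should take so that there is no literal to leak in the first place.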

According to the findings of PureSec's audit, while 42.9 percent of DotNet serverless applications featured critical vulnerabilities, such vulnerabilities or misconfigurations were also found in 20 percent of Go, 19.4 percent of Java, 20.7 percent of Python and 22.6 percent of NodeJS serverless applications.

"The results of PureSec's audit are jarring but not surprising as organisations adjust to the unique challenges of serverless application security," said Ory Segal, the chief technology officer and co-founder at PureSec. "The traditional models of application security and cloud workload protection solutions aren't effective for serverless architectures."

Tim Mackey, technical evangelist for Black Duck by Synopsys, told SC Magazine UK that he personally supports PureSec's attempts to increase awareness of the security risks associated with API usage, and that serverless application owners must pay attention to every API they consume and assume, without independent validation, that any number of security issues may be present in it.

"In addition to the security nature of API execution, recent media coverage of data breaches also demonstrates that anyone consuming an API should be aware of how any data presented will be used and potentially stored," he added.