Going serverless is like farming out mundane tasks to professional dev teams. You get increased flexibility, accelerated innovation, and reduced architecture costs. All these while focusing on core responsibilities and ultimate user experience. Sounds good, right? Too good to be true. Managing a complex infrastructure always comes at a cost. In the case of serverless infrastructure, its distributed nature gives a cyber breach lots of golden opportunities. And it turns out that the major differentiator of serverless is also its archenemy that provides attackers with significantly more points of entry. With that being said, let us dwell on the main five problems that underpin security issues today.

The easiest way to adopt serverless The Ugly Truth About Serverless Data Security   Going serverless is like farming out mundane tasks to professional dev teams. You get increased flexibility, accelerated innovation, and reduced architecture costs. All these while focusing on core responsibilities and ultimate user experience. Sounds good, right? Too good to be true.   Managing a complex infrastructure always comes at a cost. In the case of serverless infrastructure, its distributed nature gives a cyber breach lots of golden opportunities. And it turns out that the major differentiator of serverless is also its archenemy that provides attackers with significantly more points of entry. With that being said, let us dwell on the main five problems that underpin security issues today.   Serverless - Malware Just Found A New Home   In general, many well-known software risks like wrongly configured credentials or SQL injection make a comeback in serverless, but they manifest in a different way.   Risk 1: Function Event-Data Injection   This risk takes place when unreliable or attacker-controlled input is delivered to an interpreter and gets run or evaluated. The main reason for that is that we don’t always make sure the input is of the expected data type. And as most serverless architectures have a myriad of event sources, it is not that hard to spark off a serverless function.   Risk 2: Broken Authentication   Since serverless fosters a microservices-oriented system design, applications often include a large number of functions, each with a unique target.   Being intertwined, these functions create overall system logic. However, some functions may disclose public web APIs, while others ingest events from various source types. So unauthorized access is a no-brainer in this case.     Risk 3: Insecure Serverless Deployment Configuration   Cloud providers offer many customizations and configuration settings to fine-tune them for each unique need or task. Some of these out-of-the-box configuration settings have alarming consequences on the overall security standpoint.   Thus, a popular weak point for cloud-based storage is incorrectly configured cloud storage authentication. And if configurations are left unchecked, it may wreak havoc on your security.   Risk 4: Overprivileged Function Permissions and Roles   Serverless functions have access rights, such as the right to access a database. And if you have many functions, you’ll have the same amount of permissions. In an ideal world, these all should be different rights that are as restricted as possible.   But who has the time to manage a zillion function authorizations? Most often, developers find a shortcut by applying a "wildcard" permission model. In this case, serverless functions may end up in the wrong hands and used for unplanned operations.   Risk 5: Inadequate Function Monitoring and Logging   It’s essential to log and monitor security-relevant events instantly since it helps to uncover intruder attacks and impede data corruption. However, this architecture hosts these functions in a cloud environment, beyond the user's data center borderline.   And although many serverless providers supply highly efficient logging capabilities, these logs are in their basic configuration and often fall short of delivering a full security event audit trail.     Along the same lines, we'd like to express our thanks to Webiny for sponsoring this newsletter. Webiny is a CMS for the serverless era. You can run Webiny in your own cloud on top of the serverless infrastructure. Your data stays with you.   Your Cut’N’Paste Summary   While serverless allows software engineers to give due regard to business logic and omit complex server infrastructures, it has a blot on the landscape. New, unprecedented security challenges like function data injection, insecure deployment configuration, and other beasts can overshadow the bright sides of this architecture.   But we are not spreading fear or slamming serverless. Remember that all these risks can be mitigated, whereas knowing nothing about them is your major weakness.   *** Got a tech story to share with our readers? Everything you've ever wanted to know about how to get published on Hacker Noon - get it here. The easiest way to adopt serverless Copyright © 2021 Hacker Noon. All rights reserved. Our mailing address is: PO Box 2206, Edwards CO, 81632, U.S.A. unsubscribe Click Here To Sponsor A Newsletter by Hacker Noon