Serverless computing is transforming the way organizations build, ship, automate and scale applications. With no need to worry about infrastructure or who’s going to manage it, developers are free to focus on application development and innovation. The payoffs can be significant:
- Faster time to market: When you reduce operational overheads, development teams can release quickly, incorporate feedback and get to market faster.
- Lower operating costs: By only paying for the resources you use, you’re never over-provisioning.
- Better use of developer time: Built-in service integrations mean more time spent building applications and less time configuring them.
- Flexibility at scale: Go from zero to full-throttle at peak demand, meeting customer needs faster and more efficiently.
FaaS-ter development cycles
For many organizations, moving to serverless means AWS Lambda. Amazon's function-as-a-service offering is the most widely used serverless compute service, allowing users to write functions that run in response to events without provisioning or managing any servers.
With no need to manage servers or configure resources, developers are able to release working versions of applications quickly and easily. Additionally, because every application is a collection of functions (rather than a single stack), adding new features, updates, patches or fixes can be done without needing to make changes to the whole application. Lambda functions are widely used for web applications, APIs, task automation, data processing and integration with other AWS services.
While serverless offers multiple advantages over traditional approaches, it also introduces new challenges from a security perspective. When you’re deploying software at such a fast pace, how is this code being protected from attacks? That’s taken care of by the cloud provider, right? Wrong.
What you need to know about moving to AWS Lambda
The key point here is that AWS Lambda operates on a shared responsibility model. In other words: AWS is responsible for security of the cloud (the hosts, the virtualization layer and the managed runtimes), while security in the cloud is the responsibility of the customer. For Lambda that means the function code and its dependencies, the IAM execution role and its permissions, the event sources wired up to trigger the function, and any secrets or configuration passed in through environment variables are all yours to secure.
This is important, because serverless functions introduce new security risks:
- New attack vectors: Attacks such as event data injection and business logic manipulation exploit the architecture itself. A function can be triggered by many event sources (HTTP requests, queues, object storage, streams, scheduled jobs), so untrusted input reaches your code through many more paths than a web front end.
- Less relevant vulnerability scans: Because you, the end user, own only the application layer of the stack, host- and network-level vulnerability scanning tells you little. Scanning your first-party code and the third-party libraries it pulls in becomes far more important.
- Security at the pace of development: Development and DevOps teams adopt serverless functions for speed. To be genuinely effective, your security controls have to scale just as fast.
Securing serverless functions can be challenging. In addition to dealing with workloads that are both everywhere and short-lived, many of the attack vectors are non-traditional: event injection, denial of wallet (flooding a pay-per-invocation function with requests until the bill, rather than the service, becomes the casualty) and business logic manipulation are just some of the issues you will need to take into account. Also, with the widespread use of third-party libraries that fuels the fast-paced development cycle, even organizations with secure coding practices can struggle to manage risk in the software supply chain. Against these attack vectors, traditional protection mechanisms like perimeter and endpoint security either cannot be deployed or are ineffective: there is no host to install an agent on, and a function invoked from a queue or a storage event never passes through the perimeter.
Serverless warrants a different security approach
High-speed application development needs security that can keep pace – without slowing down updates and launches. Effective approaches to mitigating vulnerabilities within serverless functions include:
- A positive security model (deny by default) that protects code against zero-day attacks without requiring signature updates or machine learning.
- Comprehensive visibility into all serverless functions to eliminate blindspots and protect against vulnerabilities embedded in first and third-party code – the underlying risk factors in a software supply chain attack.
- Protection against the OWASP Serverless Top 10 risks, including misconfigurations, code-level risks and injection.
- Automated mitigation to provide security at the pace of development, allowing DevOps and DevSecOps teams to protect without code or configuration changes.
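As an added illustration of the event data injection described above, and of what a deny-by-default (positive) input model looks like at the function level, here is a vulnerable Lambda handler beside a hardened one. This is example code written for this page, not Imperva's or AWS's; the `(event, context)` signature and the API Gateway style `queryStringParameters` field are the real Lambda conventions, while the in-memory user table, the event payloads and the `user` parameter are constructed for the example.

```python
"""
Event data injection in an AWS Lambda handler, and a deny-by-default fix.
Added illustration for this page; not Imperva's or AWS's code.
The (event, context) signature and queryStringParameters are real Lambda
conventions; the user table, field names and sample events are constructed.
"""
import json
import re
import sqlite3

# Constructed in-memory "user directory" standing in for a real datastore.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
_DB.executemany(
    "INSERT INTO users VALUES (?, ?, ?)",
    [("alice", "alice@example.com", "admin"),
     ("bob", "bob@example.com", "user")],
)


def vulnerable_handler(event, context=None):
    """Trusts the event: the 'user' query parameter is spliced into SQL."""
    user = (event.get("queryStringParameters") or {}).get("user", "")
    rows = _DB.execute(
        f"SELECT name, email FROM users WHERE name = '{user}' ORDER BY name"
    ).fetchall()  # injection point: the event controls the query text
    return {"statusCode": 200, "body": json.dumps(rows)}


# Positive model: the only parameter names and value shapes the function accepts.
_ALLOWED_PARAMS = {"user"}
_USER_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def validate_event(event):
    """Return (ok, error). Anything not explicitly allowed is rejected."""
    params = event.get("queryStringParameters") or {}
    if not isinstance(params, dict):
        return False, "queryStringParameters must be an object"
    unknown = set(params) - _ALLOWED_PARAMS
    if unknown:
        return False, f"unexpected parameters: {sorted(unknown)}"
    user = params.get("user")
    if not isinstance(user, str) or not _USER_RE.fullmatch(user):
        return False, "user must match ^[a-z][a-z0-9_]{0,31}$"
    return True, None


def hardened_handler(event, context=None):
    """Deny by default: validate the event's shape and values, then parameterise."""
    ok, err = validate_event(event)
    if not ok:
        return {"statusCode": 400, "body": json.dumps({"error": err})}
    user = event["queryStringParameters"]["user"]
    rows = _DB.execute(
        "SELECT name, email FROM users WHERE name = ? ORDER BY name", (user,)
    ).fetchall()  # bound parameter: the event can no longer change the query
    return {"statusCode": 200, "body": json.dumps(rows)}


# Constructed API Gateway style events: one benign, one carrying an injection.
BENIGN_EVENT = {"queryStringParameters": {"user": "bob"}}
INJECTED_EVENT = {"queryStringParameters": {"user": "x' OR '1'='1"}}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(INJECTED_EVENT))  # leaks every row
    print("hardened:  ", hardened_handler(INJECTED_EVENT))    # 400, rejected
    print("hardened:  ", hardened_handler(BENIGN_EVENT))      # bob only
```

The same `' OR '1'='1` payload could just as easily arrive in a queue message or an object key from a storage trigger, which is why the validation is anchored on what the function is prepared to accept rather than on where the event came from. Unknown parameters are rejected outright, so a later feature that adds a new field has to be admitted to the allowlist deliberately instead of slipping through unvalidated.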
Gain visibility and control over your AWS Lambda functions
AWS Lambda can make a big impact on your organization. To learn more about the different approaches to securing those benefits, join Imperva Chief Technical Officer Kunal Anand and Director of Technology Peter Klimek for our 'How to Migrate to AWS Lambda Without Overlooking Security' webinar on July 15th. You will learn what it means to adopt serverless technology, why organizations need to secure their serverless functions and how to secure your transition to AWS Lambda, and you will have the opportunity to ask questions.
To make it even easier, Imperva is offering FREE Serverless Protection for AWS Lambda until the end of 2021, giving you the chance to see how comprehensive visibility, automated mitigation and security at the speed of development can transform your AWS Lambda environment. Register today.