Serverless is a computing model of the cloud native architecture, most commonly delivered as function as a service (FaaS). In the serverless model, developers write a function and define when and how it is invoked; the function then runs on infrastructure operated by the cloud provider. All developers need to do is write and maintain a piece of function code.
Serverless brings convenience to developers, but it also draws attention because of its security risks. Application code security, data privacy, access permissions, and service segregation are the major security challenges of the serverless model.
Injection Attacks Against Application Code
Applications that do not filter external input, or that lack code review, are vulnerable to SQL injection, system command execution, and similar flaws. In traditional application development, the set of input sources is limited, so developers can identify the ones that may carry malicious data based on practical experience. In the serverless model, however, function invocations are triggered by event sources, and because the input sources are not known in advance, developers cannot easily tell which of them are malicious.
Generally, when a function subscribes to an event source, the function is triggered whenever that source emits an event. Such an event may originate from the FaaS platform itself or from an unknown source, and unknown event sources must be treated as untrusted. In practice, developers who are not in the habit of cataloguing their event sources will mistake untrusted sources for the FaaS platform, treat their input as trusted, and as a result expose the function to a large number of injection attacks from those sources.
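The following is an added example, not code from the original article or any FaaS vendor, that contrasts the handler pattern described above with a hardened one. It assumes a hypothetical event envelope carrying a `source` label and a `payload`, a constructed allowlist `TRUSTED_SOURCES`, and an in-memory SQLite table standing in for the data store; the unsafe handler trusts every event and builds SQL from the field, while the hardened handler checks the event source, rejects fields that do not match the expected shape, and parameterizes the query.

```python
import sqlite3
from typing import Any

# Constructed sample table standing in for a data store the function reads.
DB = sqlite3.connect(":memory:", check_same_thread=False)
DB.execute("CREATE TABLE users (name TEXT, email TEXT)")
DB.executemany("INSERT INTO users VALUES (?, ?)",
               [("alice", "alice@example.test"), ("bob", "bob@example.test")])

# Hypothetical allowlist of the event sources this function actually subscribes to.
TRUSTED_SOURCES = {"platform.scheduler", "platform.api-gateway"}


def lookup_unsafe(event: dict[str, Any]) -> list[tuple[str, str]]:
    """Treats every event as trusted and splices the field into SQL.

    This is the pattern the text warns about: no source check, no input
    validation, and string-built SQL, so the query text is event-controlled.
    """
    name = event["payload"]["name"]
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return DB.execute(query).fetchall()


def lookup_hardened(event: dict[str, Any]) -> list[tuple[str, str]]:
    """Checks the event source, validates the field, and parameterizes the query."""
    source = event.get("source")
    if source not in TRUSTED_SOURCES:
        raise PermissionError(f"untrusted event source: {source!r}")
    name = event.get("payload", {}).get("name")
    # Strict shape check on the field; anything else is rejected, not "cleaned".
    if not isinstance(name, str) or not (0 < len(name) <= 32) or not name.isalnum():
        raise ValueError("invalid name field")
    return DB.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def hardened_outcome(event: dict[str, Any]) -> tuple[str, Any]:
    """Wraps lookup_hardened so callers see ('ok', rows) or ('rejected', reason)."""
    try:
        return ("ok", lookup_hardened(event))
    except (PermissionError, ValueError) as exc:
        return ("rejected", type(exc).__name__)
```

The source allowlist is the part specific to serverless: the handler refuses events it was never meant to receive before it looks at the payload at all, so an untrusted trigger cannot reach the query path even with a well-formed field.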
Attacks Against Application Dependency Libraries
Developers inevitably introduce third-party dependency libraries when writing applications, which raises a serious question: whether any of those libraries are vulnerable.
Snyk revealed in its 2019 open-source software security report[i] that the number of security vulnerabilities in known applications increased by 88% over the past two years. A function written by developers, even if it is only a few dozen lines of secure code, is insecure as soon as it uses a vulnerable dependency library.
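As an added example (not from the original article or from Snyk), the script below audits a function's pinned dependencies against an advisory list. Both the requirements text and the advisory feed are constructed for the example, with placeholder advisory ids and fictional package names; a real audit would read the feed from a vulnerability database. Unpinned requirements are rejected because the deployed version cannot be determined.

```python
import re

# Constructed advisory feed: placeholder ids and fictional package names, not real advisories.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "examplelib",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "otherlib",
     "introduced": "0.0.0", "fixed": "2.0.0"},
]

# Constructed requirements file for a small function.
REQUIREMENTS = """\
# runtime dependencies of the handler
examplelib==1.3.0
otherlib==2.1.0
safelib==0.9.1
"""

PIN_RE = re.compile(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turns '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text: str) -> dict[str, str]:
    """Maps package name to pinned version; refuses anything that is not an exact pin."""
    pins: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = PIN_RE.fullmatch(line)
        if match is None:
            # A version range cannot be audited: the version that ships is unknown.
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def audit(pins: dict[str, str], advisories: list[dict]) -> list[tuple[str, str, str]]:
    """Returns (package, pinned version, advisory id) for every affected pin."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is None:
            continue
        version = parse_version(pinned)
        # Affected when introduced <= pinned < fixed.
        if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
            findings.append((adv["package"], pinned, adv["id"]))
    return findings
```

Running this in the build step that packages the function, and failing the deployment on any finding, is the cheapest point at which to catch the vulnerable-library case the report describes.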
Attacks Against Access Permissions of Applications
Attacks against application access permissions also occur in serverless scenarios, for example an attacker obtaining a function's access to resources, or triggering the events that execute a function. A serverless application may consist of many functions, each with its own access permissions, and many permission mappings between functions and resources. Moreover, many developers carelessly assign the same permissions and roles to every function, so that a single vulnerability can put the entire application at risk. Clearly, efficient permission and role management is a cumbersome problem for serverless applications.
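Here is an added example, not from the original article, that checks function policies for the two problems just named: wildcard permissions, and one role shared by every function. The policy documents are constructed in the common Effect/Action/Resource statement shape (an assumed format; adapt the field names to your provider's policy language), and the resource and action names are fictional.

```python
import json
from typing import Any

# Constructed policies in an assumed Effect/Action/Resource statement shape.
SHARED_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ]
}

SCOPED_THUMBNAIL_POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["storage:GetObject"],
         "Resource": ["bucket:uploads/*"]},
        {"Effect": "Allow",
         "Action": ["storage:PutObject"],
         "Resource": ["bucket:thumbnails/*"]},
    ]
}


def _as_list(value: Any) -> list[str]:
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad(policy: dict[str, Any]) -> list[str]:
    """Flags Allow statements whose Action or Resource is a wildcard."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {idx}: wildcard action {actions}")
        if any(r == "*" for r in resources):
            findings.append(f"statement {idx}: wildcard resource {resources}")
    return findings


def shared_policies(function_policies: dict[str, dict]) -> list[list[str]]:
    """Groups functions that carry an identical policy: the 'one role for all' smell."""
    seen: dict[str, list[str]] = {}
    for name, policy in function_policies.items():
        key = json.dumps(policy, sort_keys=True)  # canonical form for comparison
        seen.setdefault(key, []).append(name)
    return [names for names in seen.values() if len(names) > 1]
```

A scoped policy like the thumbnail one above limits what a compromised function can reach to the buckets it actually uses, which is exactly the blast-radius reduction the shared-role pattern gives away.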
Denial-of-Service Attacks Against Serverless Platform Accounts
One of the major features of serverless is automatic elastic scaling. Developers pay only for the number of function invocations, while the cloud vendor takes care of scaling the functions. This feature is one of the reasons serverless has gained popularity. However, the fees this feature can incur have no built-in limit.
If attackers take control of the event trigger and use APIs to drive a very large number of invocations, the functions scale at an extremely rapid rate and the costs climb just as fast, resulting in a significant loss to developers.
Therefore, secure serverless development requires the concerted efforts of serverless service providers and application developers.
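The guard below is an added example (not from the original article or any platform) of the kind of limit the text says is missing: a per-account cap on invocations per time window plus a hard spending ceiling, applied before an invocation is admitted. The cap values, the integer cost units, and the simulated clock are all constructed for the example; a real deployment would wire the same decision into the platform's concurrency and budget controls.

```python
from collections import deque


class InvocationGuard:
    """Caps invocations per window and total spend for one account.

    Hypothetical mitigation: whatever sits in front of the function refuses
    invocations once either the rate cap or the budget is hit, so a hijacked
    trigger cannot scale cost without bound.
    """

    def __init__(self, max_per_window: int, window_seconds: float,
                 cost_per_invocation: int, budget: int) -> None:
        # Costs are integer units (e.g. micro-cents) to keep the arithmetic exact.
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.cost = cost_per_invocation
        self.budget = budget
        self.spent = 0
        self._timestamps: deque[float] = deque()  # admission times inside the window

    def admit(self, now: float) -> bool:
        """Returns True if the invocation at time `now` may run, False if throttled."""
        # Drop admissions that have aged out of the sliding window.
        while self._timestamps and now - self._timestamps[0] >= self.window:
            self._timestamps.popleft()
        if len(self._timestamps) >= self.max_per_window:
            return False
        if self.spent + self.cost > self.budget:
            return False
        self._timestamps.append(now)
        self.spent += self.cost
        return True


def simulate_burst(guard: InvocationGuard, count: int, interval: float) -> tuple[int, int]:
    """Drives `count` invocations `interval` seconds apart on a simulated clock.

    Returns (admitted, throttled) so the effect of the caps is observable.
    """
    admitted = throttled = 0
    for i in range(count):
        if guard.admit(i * interval):
            admitted += 1
        else:
            throttled += 1
    return admitted, throttled
```

The rate cap bounds how fast the account can scale under a flood of triggers; the budget bounds what a slower, sustained flood can cost. Both are needed, since a throttle alone lets spend grow without limit over a long enough period.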
Related links:
Security Risks and Threats of Containerized Infrastructure
Security Visibility Augmented by Cloud Native
Zero-Trust Cloud Native Network Security Enabled by Micro-segmentation
API Security in Cloud Native Applications
[i] https://snyk.io/opensourcesecurity-2019