After scanning tens of thousands of functions in live applications, we found that most serverless applications are simply not being deployed as securely as they need to be to minimize risks.
BALTIMORE (PRWEB) July 18, 2018
Protego Labs recently discovered that 98 percent of functions in serverless applications are at risk, with 16 percent considered “serious.” Additionally, most of these functions are provisioned with more permissions than they require which could be removed to improve the security of the function and the application.
“When we analyze functions, we assign a risk score to each function. This is based on the posture weaknesses discovered, and factors in not only the nature of the weakness, but also the context within which it occurs,” explains Hillel Solow, CTO, Protego. “After scanning tens of thousands of functions in live applications, we found that most serverless applications are simply not being deployed as securely as they need to be to minimize risks.”
Protego, the developer of the first comprehensive security solution built for serverless, works by continuously scanning an organization’s serverless infrastructure to help increase its security posture. The Protego Proact component analyzes function roles and permissions and automatically optimizes them to a least privilege policy to minimize the application’s attack surface
The greatest security posture issues Protego uncovered are unnecessary permissions, while the remainder are with vulnerable code and configurations. Often, extra permissions are a result of developers or security operators using wildcards (“*”) for permissions rather than itemizing exactly which permissions they need.
Supply chain problems are predominantly with third-party libraries or modules that contain known vulnerabilities. Most of the functions with these problems also have access to resources and services they don’t need, making them excellent targets for attackers.
A small percentage of configuration problems include triggers that are unnecessary and functions with long timeouts that could be shortened to minimize the damage an attacker could do if they get access.
“The good news is these are all mitigable issues,” says Solow. “Serverless applications enable you to configure security permissions on individual functions. This allows you to achieve more granular control than with traditional applications, significantly mitigating the risk if an attacker is able to get access. Serverless applications require far more policy decisions to be made optimally, which can be challenging without the right tools, but if done accurately, these decisions can make serverless applications far more secure than their non-serverless analogs.”
Protego is backed by a group of security industry investors, including Ron Gula of Gula Tech Adventures, Glilot Capital Partners, and former RSA CTO, Tim Belcher. Earlier this year, the company won the Startup Competition for the most innovative cyber initiative at the Cybertech Tel Aviv 2018 Conference.
Recognizing the inadequacy of traditional application security paradigms, Protego Labs designed the first comprehensive solution built with the unique constraints and opportunities of serverless in mind. Through continuous serverless security posture, dynamic serverless intelligence, and elastic defense, Protego helps organizations achieve control over the security of their applications. For more information, visit https://www.protego.io/.