21 percent of open source serverless applications have critical vulnerabilities
Serverless computing is increasingly popular because it eliminates infrastructure concerns. However, a new report raises worries about its security.
According to an audit by serverless security company PureSec, more than one in five serverless applications has critical security vulnerabilities.
An evaluation of 1,000 open-source serverless projects conducted by the PureSec threat research team finds that 21 percent of them contain one or more critical vulnerabilities or misconfigurations, which could allow attackers to manipulate the application and perform malicious actions. Six percent of the projects even had application secrets, such as API keys or credentials, posted in their publicly accessible code repositories.
According to the study, most vulnerabilities and weaknesses are caused by poor development practices, lack of serverless security education, and by copying and pasting insecure sample code into real-world projects.
"The results of PureSec's audit are jarring but not surprising as organizations adjust to the unique challenges of serverless application security," says Ory Segal, PureSec's chief technology officer, and co-founder. "The traditional models of application security and cloud workload protection solutions aren’t effective for serverless architectures. PureSec's serverless security runtime environment (SSRE) was developed to meet the new challenge of securing applications using serverless solutions like AWS Lambda. Our integrated security platform protects serverless applications against both known and unknown threats."
PureSec is the only company to offer a serverless security runtime environment (SSRE), and today announces the launch of its Beta solution for AWS Lambda customers -- just a month after AWS announced PureSec as the only AWS Lambda Security Partner.
You can find out more on the PureSec website.