Serverless Security: What’s Left to Protect?


The cost savings Serverless offers greatly accelerated its rate of adoption, and many companies are starting to use it in production, coping with less mature dev and monitoring practices to get the monthly bill down. Such a trade off makes sense when you balance effort vs reward, but one aspect of it is especially scary – security.

Key Takeaways

  • FaaS takes on the responsibility for “patching” the underlying servers, freeing you from OS patching
  • Denial of Service (DoS) attacks are naturally thwarted by the (presumed) infinite capacity Serverless offers.
  • With serverless, we deploy many small functions that can have their own permissions. However, managing granular permissions for hundreds or thousands of functions is very hard to do.
  • Since the OS is unreachable, attackers will shift their attention to the areas that remain exposed – and first amongst those would be the application itself.
  • Known vulnerabilities in application libraries are just as risky as those in the server dependencies, and the responsibility for addressing vulnerable app libraries falls to you – the function developer.

Read more at InfoQ