And here is the list of top Lambda security risks:
1. Function event data injection: Injection flaws in applications are one of the most common risks and can be triggered not only through untrusted input such as through a web API call but due to the potential attack surface of serverless architecture, can also come from cloud storage events, NoSQL databases, code changes, message queue events and IoT telemetry signals, among others.
2. Broken authentication: Applications built for serverless architectures often contain dozens -- or even hundreds -- of serverless functions, each with a specific purpose.
These functions connect together to form overall system logic, but some of these functions may expose public web APIs, others may consume events from different source types, and others may have coding issues ripe for exploit and attacks, which lead to unauthorized authentication.
3. Insecure serverless deployment configuration: The security firm found that incorrect settings and the misconfiguration of cloud services are a common theme. This, in turn, can provide an entry point for attacks against serverless architectures, the leak of sensitive, confidential information, and potentially Man-in-The-Middle (MiTM) attacks.
4. Over-privileged function permissions and roles: Serverless applications -- and enterprise systems as a whole -- should follow the principle of "least privilege."
5. Inadequate function monitoring and logging: The reconnaissance phase of an attack, where threat actors attempt to gain intel on a network's defenses and weaknesses, is also a crucial point for cybersecurity solutions to detect suspicious behavior and shut it down.
6. Insecure third-party dependencies: When serverless functions rely on third-party software, such as open-source packages and libraries, if vulnerabilities are present, these can pave the way for exploit.
7. Insecure application secrets storage: Many apps require "secret" information to be encrypted and stored, such as API keys, passwords, configuration settings, and database credentials.
8. DDoS attacks, resources stretched to the limit: According to the study, distributed denial-of-service (DDoS) attacks pose a serious risk to serverless architecture as there may be memory allocation, duration per function, and execution limits.
9. Serverless function execution flow manipulation: Attackers may be able to subvert application logic by tampering with application flows, leading to access control bypass, privilege escalation or denial-of-service attacks.
10. Improper exception handling and verbose error messages: Line-by-line debugging services for serverless architecture are often rather limited. As a result, some developers adopt verbose error messages, enable debugging after the fact, and they may forget to clean the code when it is moved to production.
Reference: OWASP/ PurSec
1. Function event data injection: Injection flaws in applications are one of the most common risks and can be triggered not only through untrusted input such as through a web API call but due to the potential attack surface of serverless architecture, can also come from cloud storage events, NoSQL databases, code changes, message queue events and IoT telemetry signals, among others.
2. Broken authentication: Applications built for serverless architectures often contain dozens -- or even hundreds -- of serverless functions, each with a specific purpose.
These functions connect together to form overall system logic, but some of these functions may expose public web APIs, others may consume events from different source types, and others may have coding issues ripe for exploit and attacks, which lead to unauthorized authentication.
3. Insecure serverless deployment configuration: The security firm found that incorrect settings and the misconfiguration of cloud services are a common theme. This, in turn, can provide an entry point for attacks against serverless architectures, the leak of sensitive, confidential information, and potentially Man-in-The-Middle (MiTM) attacks.
4. Over-privileged function permissions and roles: Serverless applications -- and enterprise systems as a whole -- should follow the principle of "least privilege."
5. Inadequate function monitoring and logging: The reconnaissance phase of an attack, where threat actors attempt to gain intel on a network's defenses and weaknesses, is also a crucial point for cybersecurity solutions to detect suspicious behavior and shut it down.
6. Insecure third-party dependencies: When serverless functions rely on third-party software, such as open-source packages and libraries, if vulnerabilities are present, these can pave the way for exploit.
7. Insecure application secrets storage: Many apps require "secret" information to be encrypted and stored, such as API keys, passwords, configuration settings, and database credentials.
8. DDoS attacks, resources stretched to the limit: According to the study, distributed denial-of-service (DDoS) attacks pose a serious risk to serverless architecture as there may be memory allocation, duration per function, and execution limits.
9. Serverless function execution flow manipulation: Attackers may be able to subvert application logic by tampering with application flows, leading to access control bypass, privilege escalation or denial-of-service attacks.
10. Improper exception handling and verbose error messages: Line-by-line debugging services for serverless architecture are often rather limited. As a result, some developers adopt verbose error messages, enable debugging after the fact, and they may forget to clean the code when it is moved to production.
Reference: OWASP/ PurSec
Comments