Imperva: Serverless shouldn’t mean security-less

Cloud-centric software application developers (Ed: Is there any other kind?) have been driven to the world of serverless development for its promise of backend freedom, if you will pardon the expression.

As TechTarget reminds us, serverless computing is part of the so-called NoOps movement (no need for human Operations, as more resources are automated). It does not eliminate servers; instead, it seeks to emphasise the idea that computing resource considerations can be moved into the background during the design process.

“[With serverless] developers can drop in code, create backend applications, create event handling routines and process data – all without worrying about servers, virtual machines (VMs) or the underlying compute resources because the actual hardware and infrastructure involved are all maintained by the provider,” notes SearchITOperations.

But there’s still an issue: have we thought about serverless application security engineering?

Silicon Valley-based Imperva has highlighted its Imperva Serverless Protection product in this space.

This is a software tool designed to find vulnerabilities created by misconfigured apps and code-level security risks in serverless computing environments.

AWS Lambda layer

Designed with the developer and security team in mind, the new product is ‘easily deployed’ as an AWS Lambda layer, protecting functions without changing code. Built on Amazon Web Services (AWS), Imperva Serverless Protection is an integrated tool within AWS Lambda Extensions.

The integration is intended to give developers faster access to this Imperva offering and to provide an additional layer of security for their AWS Lambda environment.

“We see hundreds of thousands of customers of all sizes embrace serverless applications to quickly deliver value to their customers,” says Holly Mesrobian, general manager, AWS Lambda, AWS.

Developers are increasingly adopting serverless functions, which offer lower costs, less configuration and faster deployment.

However, “Through 2022, 80% of successful attacks on serverless [Platform-as-a-Service] PaaS will have a root cause of misconfiguration or the use of known vulnerable code due to immature tools and processes,” wrote Neil MacDonald, vice president and distinguished analyst at magical technology research firm Gartner, in a March 2020 report, “Security Considerations and Best Practices for Securing Serverless PaaS”.

It’s a lifecycle commitment

Indeed, at the time of his writing, MacDonald said that new approaches and techniques for securing serverless will be required and should be designed using a lifecycle approach, starting in development and carrying through into operations.

Imperva Serverless Protection secures serverless functions from vulnerabilities embedded in first and third-party code — the underlying risk factor that can trigger a software supply chain attack. It effectively monitors and blocks vulnerabilities without elaborate or manual steps involved.

“Traditional security technologies are not designed to get visibility into and provide protection for ephemeral workloads like serverless functions. Customers require the combination of protection at the function, contextual awareness and high performance. Additionally, customers are not interested in modifying their workloads or changing code to support security functions. Imperva Serverless Protection was created exactly to solve these needs,” says Kunal Anand, chief technology officer, Imperva.

Imperva Serverless Protection runtime monitoring gathers log-level information to provide forensic detail so security teams can fully understand the context of every attack with virtually no impact on latency. It also identifies and maps third-party dependencies used during runtime.