'Serverless': Malware Just Found a new Home
source link: https://hackernoon.com/serverless-malware-just-found-a-new-home
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
'Serverless': Malware Just Found a new Home
Official account for all of the HackerNoon newsletters. www.hackernoon.com/u/newsletters
Going ‘serverless’ is like farming out mundane tasks to professional dev teams.
You get increased flexibility, accelerated innovation, and reduced architecture costs. All these awesome perks are included while building the ultimate user experience.
Sounds good, right? Well, it’s too good to be true.
Managing a complex infrastructure always comes at a cost.
In the case of serverless infrastructure, its distributed nature gives a cyber breach lots of golden opportunities.
It turns out that the major differentiator of serverless is also its archenemy that provides attackers with significantly more points of entry. With that being said, let us dwell on the main five problems that underpin security issues today.
Serverless - Malware Just Found A New Home
In general, many well-known software risks like wrongly configured credentials or SQL injection make a comeback in serverless, but they manifest in a different way.
Risk 1: Function Event-Data Injection
This risk takes place when unreliable or attacker-controlled input is delivered to an interpreter and gets run or evaluated.
The main reason for that is that we don’t always make sure the input is of the expected data type. And as most serverless architectures have a myriad of event sources, it is not that hard to spark off a serverless function.
Risk 2: Broken Authentication
Since serverless fosters a microservices-oriented system design, applications often include a large number of functions, each with a unique target.
Being intertwined, these functions create overall system logic. However, some functions may disclose public web APIs, while others ingest events from various source types. So unauthorized access is a no-brainer in this case.
Risk 3: Insecure Serverless Deployment Configuration
Cloud providers offer many customizations and configuration settings to fine-tune them for each unique need or task. Some of these out-of-the-box configuration settings have alarming consequences on the overall security standpoint.
Thus, a popular weak point for cloud-based storage is incorrectly configured cloud storage authentication. And if configurations are left unchecked, it may wreak havoc on your security.
Risk 4: Overprivileged Function Permissions and Roles
Serverless functions have access rights, such as the right to access a database. And if you have many functions, you’ll have the same amount of permissions. In an ideal world, these all should be different rights that are as restricted as possible.
But who has the time to manage a zillion function authorizations? Most often, developers find a shortcut by applying a "wildcard" permission model. In this case, serverless functions may end up in the wrong hands and used for unplanned operations.
Risk 5: Inadequate Function Monitoring and Logging
It’s essential to log and monitor security-relevant events instantly since it helps to uncover intruder attacks and impede data corruption. However, this architecture hosts these functions in a cloud environment, beyond the user's data center borderline.
And although many serverless providers supply highly efficient logging capabilities, these logs are in their basic configuration and often fall short of delivering a full security event audit trail.
Subscribe to HackerNoon’s newsletters via our subscribe form in the footer.
Recommend
-
12
Security firm Kaspersky believes it found new CIA malware ...
-
9
Google took down the applications containing Joker For the past three years, Google Play Store has been home to the infamous "Joker" spyware. A recent
-
17
Crypto DecodedHackers are infecting gamers’ PCs with malware to make millions from cryptoPublished Fri, Jun 25 20216:01 AM EDTUpdated Fri, Jun 2...
-
6
Catalin Cimpanu September 5, 2021 Malware found preinstalled in classic push-button phone...
-
6
We found yet another phone with pre-installed malware via the Lifeline Assistance program Posted: July 8, 2020 by Nathan Collier L...
-
4
Malware Found in UA-Parser-JS NPM Library Popular package compromised in a way that could allow attacker to install password stealing trojans and...
-
12
'BotenaGo' malware found targeting millions of routers and IoT devices
-
5
In a new video from Google, Developer Advocate Alan Kent shares six ways to optimize JavaScript to improve the performance of your website. Kent identifies common performance problems caused by JavaScript and goes over steps you can take to...
-
8
Malware-packed Chinese apps found on Mac App Store Not as safe as Apple likes to claim? By
-
4
IRS-approved tax filing site eFile.com found delivering malware to users for a week
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK