Whether you run your infrastructure in house or in the cloud, you’ve probably heard of serverless computing, and how it can make running applications easier and cheaper. But is it all it’s cracked up to be, and is it more secure than running ‘always on’ servers?
Let’s start with the obvious advantages:
No infrastructure to maintain, not even virtual
With serverless computing, you don’t have to worry about provisioning servers, not even virtual ones. Your code runs when triggered, using only the resources needed, and stops when it has completed its function.
No cost when not running
Whether your code is simple or complicated, you are only charged for the time that your code is actually running. You are not paying for resources that you don’t use.
‘Infinitely’ scalable (within limits!)
Your application might run once a day or 10 times a second, but it won’t be sharing ever-depleting compute resource as you would with a provisioned server, even in the cloud with your best attempts at setting scaling. Your code runs in separate instances, each with the resources it needs. If you hit the provider’s limits, there’s probably something wrong!
What could possibly go wrong?
Let’s use an example case:
Your company sells widgets in all colors and sizes, your catalog is 2000 pages long, and it seems nobody wants to read it. You want to give potential customers the information they want in a succinct format, so you create a web contact form where they can choose to receive only selected information.
They enter their details and widget preferences and press ‘OK’. This triggers the running of your serverless application. It copies the contact information to a database, checks your stock inventory, creates a personalized PDF, and emails it to them.
“Dear Carole, thank you for your interest in big blue, small green and tiny red widgets. Here is a catalog of the relevant products we have in stock today.”
I, the prospective widget buyer, am happy that I have been provided just the information I need. You don’t have to worry that if one, ten or a hundred people ask for a catalog simultaneously that it’s going to grind your website to a halt.
And yet, six months later, and things are not going well. You’re not getting any new business. But it seems your competitors at The Other Widget Company seem to be doing just fine.
Here’s what could have gone wrong:
Injection flaws
The email address field wasn’t standardized, and this allowed shell commands to be entered as part of the email address. The application environment variables were leaked, including the API key to the customer database.
Over-Privilege
The application should only be able to add entries to the contacts database using an API call, not read data. However permissions were granted too freely to the application. An attacker got hold of the API key and now has access to all your potential customers’ contact details and their widget preferences.
Insecure third-party Software
A third party piece of software was compromised via an unpatched vulnerability. All the PDFs that are being sent out are infected with malware.
Denial of Service
Someone initialized a huge number of fake requests. You’ve hit your provider’s execution limits and now the application is running too slowly to work. Not only is the next monthly bill likely to be huge, but your actual target customers are being denied access to the website. !
No Audit Trail
Logging has not been set up properly, so there is no audit trail as to who did what, when and from where. That also means there is no forensic information to help the authorities.
Serverless computing means that applications and features can be quick to write, and can be chained together to give powerful and complicated functionality. Combined with zero infrastructure setup and low cost, they’re ideal for many situations.
However they still need to be nailed down. Not only can they be the victim of typical threats facing more traditional setups, they also can introduce new concerns that must be addressed.
To talk about how serverless can work securely for you, contact TBG Security today.