back to article A code injection to stop code injection could solve serverless security

Serverless computing is not quite carefree computing. Those using it don't have to worry about servers, apart from the cloud service provider's bill. But they would be well advised to give some thought to application security. Under the serverless model – which isn't actually serverless... think platform-as-a-service but …

  1. TonyJ

    Is it just me...

    ...or anyone else find the whole "serverless" moniker ridiculous?

  2. Anonymous Coward
    Anonymous Coward


    "think platform-as-a-service but billed when the application is running"

    We need to stop with all these buzzwords, the real IT folks are getting lost. So server-less... the "cloud", but pre-configured by Amazon/Google with a slightly different billing model?

    I really don't think it's a good idea to be telling devs (of which I'm one) that they need to worry less about understanding what they're doing. At what point do devs start forgetting that SQL injection/*insert your own* exists because that's done in the server-less magic-land now? What happens when one of those devs then works on an in-house project?

    Personally I see a future where unskilled* developers are writing unintentional logic bombs that carry the risk of bombing out on someone else's server-less servers, and incurring huge unexpected costs until it's realised that the shoddy code has gone rogue.

    I guess the next step is developer-less development, where development is done by the cloud providers thanks to the loss of skills and trust in anybody not "in the cloud". Then those companies that let all their in-house skills migrate into the cloud are really over the barrel.

    * Because they don't need to be.

    1. TonyJ

      Re: Serverless

      Yeah...I know the concept but I loathe the naming.

      In the same way I've never been fond of "cloud" computing. Back in the early days of it becoming the buzz word, I used to explain it analogous to utilities such as gas, water and electricity: in the case of the latter, you as the consumer don't care where the electricity comes from, how it gets to you or even for the most part how it's generated: you care that when you flick a lightswitch, your light comes on. And that when you turn said light off, you stop paying for the electricity.

      I think I've just got to the point in my career where I've passed healthy cynicism and moved right on into curmudgeon-iness >:)

      1. Claptrap314 Silver badge

        Re: Serverless

        Welcome to the club. Now shut up.

  3. Anonymous Coward

    PureSec tries to make serverless less defenseless

    "Serverless computing is not quite carefree computing. Those using it don't have to worry about servers"

    So, you rent an application in the 'cloud' instead of a whole Virtual Machine?

    "PureSec's software offers .. the ability to detect and mitigate common app vulnerabilities .. in real time."

    Shouldn't such functionality be build in to the core serverless application? Cloud: doesn't do load balancing or reliable backup and now doesn't do security and it doesn't save on money compared to the old-fashioned stuff. Tell me again why i should move to the 'cloud'.

  4. Doctor Syntax Silver badge

    "apart from the cloud service provider's bill"

    Remind me again - who's pushing this?

  5. amanfromMars 1 Silver badge

    Of Copy Cats .... and Proprietary Intellectual Property Pirates. .... Latent Hot News

    "The application itself and all of its interfaces are the responsibly of the customer running the application," explained Ran Nahmias, VP of sales and business development for PureSec, a two-year-old security startup based in Tel Aviv, Israel, in a phone briefing with The Register.

    Last week, in conjunction with the AWS Summit in San Francisco, PureSec made its Serverless Security Runtime Environment (SSRE) available in beta form – sign up required – as a way to exercise that responsibility.

    Is PureSec SSRE Aiming to Present Other Realities Paralleling with AI for Deeper Sees Mining of Live Operational Virtual Environments with Global Operating Devices?

    With Trinkets and Toys a Plenty, Views Should be Perfectly Made for Heavenly Presentation/AudioVisual TelePathICQ Programming. It does make you wonder where powerfully wealthy people rest their riches to safeguard them from the excesses of their failures to provide any Great Peace to Anyone. What Have Y'All Been Doing? Forever Preparing for Expensive and Costly Wars? Who/What Kinds of Minds Follow that Root/Boot?

    Ban Wars, Share Plans and ACTivate Program in Peace .... or is that to be Something Best Left Tasked to Others with Source Supply AIMentoring for Practical Remote Virtual Command and Control of COSMIC Assets?

    How about a TerraPhorming JOINT AIdVenture with Global Operating Devices Creating Live Operational Virtual Environments ........ For Colonisation and Population of Newly Phormed Space Places with Stellar Assets and Sterling Souls with yourself Riding Vanguard and Shotgun when Able and/or Enabled to Lead Automatically Autonomously and Always Anonymously for the Value Added 00MPH that Bottomless Bounty Rewards Immaculate Source Supply of Future Core Programming Productions ....... Live Creative Feeds to Media which Lead and Document Interaction with Imagination.

    Quite a few Rhetorical Questions for Kickstarting there. No reason why Venture Capitalists and Business Angels should have All the Fun in the Fare with CyberIntelAIgent Ware, is there? :-) It does speed things up quite considerably though ...... :-) because of the Meeting of Like AIMinds and all that esoteric stuff, and oft treated as errant nonsense.

    Can you think of a Greater Stealth to Preserve and Protect the Greatest of Almighty Prizes? And yet, So Simply Shared for Ever Greater IntelAIgent Usage.

    Now that's One Helluva Mean Meme Trick to Master AIPilot. ..... and Remotely Beta Test for and with Changes of Direction.

  6. GIRZiM

    'Cloud computing' is just thin client over an RWAN (REALLY Wide Area Network) instead of a LAN. It's a return to the mainframes of yore but over the Internet instead of a local network.

    'Serverless' is simply hotdesking by another name - you don't have your own server, your app/service just runs in the next available space.

    Combine the two ideas and, before you know it, you don't even rent an app, you timeshare one but it needn't be the same one each time, you 'hotapp' as it were and the provider simply loadbalances demand across their serverfarm cluster.

    Get your kaftans, sheepskins and bellbottoms out everyone - the times they are a'changin!

  7. Anonymous Coward
    Anonymous Coward


    The security worries are fewer, since AWS and its ilk have a legion of operations people on staff to safeguard the hidden infrastructure.

    But if you get it wrong, the consequences are a magnitude worse.

    You no longer have an experienced IT department going "you complete fuckwitt, you just tried to open your entire db to the world with not even the most basic of security policies in place."

  8. Jewifms

    Is there a need for serverless security when using cloud WAF?

    I'm running some serverless applications (functions), and I have them run through a cloud based WAF. All of my http/https communication is being scanned and protected. Is there any need for "serverless security" in this case? I'd be vappy to hear...

    1. OrySegal

      Re: Is there a need for serverless security when using cloud WAF?

      A Cloud WAF can definitely be used to filter malicious input in HTTP events that trigger serverless functions, however there are severe limitations to this solution:

      1) It will only inspect HTTP/HTTPS events, while in reality, serverless functions consume event data from a wide range of events *other* than HTTP - such as cloud file storage, cloud NoSQL database, data streams, etc.

      2) Even when inspecting HTTP based events, WAFs have limitations with properly detecting payloads in certain message types and formats, specifically - JSON, WebSockets, and MQTT.

      3) WAFs apply the protection outside the application - so they can only provide detection of malicious payloads in event data. They cannot protect a serverless function that consumes data over API calls from within the function. This requires behavioral protection, that can inspect function behavior rather than scan inputs.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like