21% of Serverless Apps Have Critical Security Flaws

April 16, 2018

An evaluation of one thousand open-source serverless projects conducted by the PureSec threat research team revealed that 21% of them contained one or more critical vulnerabilities or misconfigurations, which could allow attackers to manipulate the application and perform various malicious actions. 6% of the projects even had application secrets, such as API keys or credentials, posted in their publicly accessible code repositories.

According to the audit, most vulnerabilities and weaknesses were caused by poor development practices, a lack of serverless security education, and the copying and pasting of insecure sample code into real-world projects.
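The finding that 6% of the audited projects had API keys or credentials committed to public repositories is the kind of weakness a cheap pre-commit or CI check catches before the code ever leaves the developer's machine. The following is an added example, not code from the original article or from PureSec: a small Python secret scanner that walks a source file line by line and reports lines matching a few well-known secret shapes. The AWS access key ID shape (the prefix `AKIA` followed by 16 upper-case alphanumerics) is AWS's documented format for long-term IAM keys; the other patterns are generic heuristics and will produce some false positives. The `# allow-secret` inline marker is a hypothetical opt-out convention for known test fixtures, and the key values in the constructed sample are AWS's own documentation placeholders, not real credentials.

```python
import re
import sys
from typing import List, Tuple

# Secret shapes to flag. The AWS access key ID pattern is the documented format;
# the rest are heuristics (names commonly used for credentials, a quoted value).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "generic_api_key": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]([^'\"\s]{8,})['\"]"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Hypothetical inline opt-out so deliberate test fixtures do not block commits.
ALLOWLIST_MARKER = "# allow-secret"


def find_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, pattern name) for every suspected secret.

    A line carrying the allow-list marker is skipped entirely; otherwise each
    pattern is tried and every match is reported so the reviewer sees them all.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


# Constructed sample of a Lambda handler with hard-coded credentials. The AWS
# values are AWS's documentation placeholders (not live keys); the rest is made up.
SAMPLE_HANDLER = '''\
import os

# constructed sample: the key values below are AWS's documented placeholders
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
API_KEY = "sk-test-0123456789abcdef"
token = "fixture-only-value"  # allow-secret
TABLE_NAME = os.environ.get("TABLE_NAME")  # read at runtime instead of hard-coding

def handler(event, context):
    return {"statusCode": 200}
'''


if __name__ == "__main__":
    # Scan the files named on the command line, or the embedded sample if none.
    sources = [(p, open(p, encoding="utf-8", errors="replace").read())
               for p in sys.argv[1:]] or [("<sample>", SAMPLE_HANDLER)]
    blocked = False
    for path, text in sources:
        for lineno, kind in find_secrets(text):
            print(f"{path}:{lineno}: possible {kind}")
            blocked = True
    # Non-zero exit makes the check usable as a pre-commit or CI gate.
    sys.exit(1 if blocked else 0)
```

Run against the embedded sample the scanner reports lines 4, 5 and 6 and exits non-zero; the `token` fixture on line 7 is skipped because of the marker, and the `os.environ` lookup on line 8 is the pattern the flagged lines should be rewritten to. A real deployment would pair a check like this with a secrets manager or environment-injected configuration, and would rotate any key that has already been pushed, since removing it from the tree does not remove it from the repository history.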

This comes as PureSec, the world's only company to offer a serverless security runtime environment (SSRE), today announced the launch of its Beta solution for AWS Lambda customers - just a month after AWS announced PureSec as the only AWS Lambda Security Partner.

PureSec's SSRE platform is designed exclusively for serverless applications and can defend against application layer attacks such as NoSQL/SQL injections, remote code execution, attempts to subvert function logic and unauthorized malicious actions. Using PureSec's SSRE, all the vulnerabilities discovered in the audit above would have been blocked and mitigated during runtime, or detected and fixed through the PureSec CI/CD integrated code and configuration scanning.

Founded by security veterans Shaked Zin (CEO), Avi Shulman (VP of Engineering) and Ory Segal (CTO), PureSec raised $3 million in May 2017 in a seed round led by TLV Partners and Entree Capital.

Responsibility for the security of the serverless infrastructure, such as physical security, network security or operating system patches, falls on the serverless provider. The application owner, however, remains completely responsible for application logic, code, data and application-layer configurations, and for ensuring they are secure, hardened and able to withstand attacks.

"The results of PureSec's audit are jarring but not surprising as organizations adjust to the unique challenges of serverless application security," said Ory Segal, PureSec Chief Technology Officer and Co-Founder. "The traditional models of application security and cloud workload protection solutions aren't effective for serverless architectures. PureSec's serverless security runtime environment (SSRE) was developed to meet the new challenge of securing applications using serverless solutions like AWS Lambda. Our integrated security platform protects serverless applications against both known and unknown threats."

For a closer look at the types of vulnerabilities discovered by PureSec, read "Serverless Security Top 10 Most Common Weaknesses 2018 (pdf)".

* Additional data points

  • The percentage of vulnerabilities discovered was consistent across runtime languages. With the choice of runtime ruled out as a factor, human error was left as the cause for the vulnerabilities.
  • DotNet runtimes were the exception. DotNet projects experienced significantly higher levels of vulnerabilities.


[Chart: vulnerability percentage by runtime language; only the axis label "Vuln %" survives.]