Kong announced the commercial availability of Kong Konnect Dedicated Cloud Gateways on Amazon Web Services (AWS).
Nearly All Serverless Application Functions at Risk
August 27, 2018
Protego Labs recently discovered that 98 percent of functions in serverless applications are at risk, with 16 percent considered "serious."
Additionally, most of these functions are provisioned with more permissions than they require which could be removed to improve the security of the function and the application.
“When we analyze functions, we assign a risk score to each function. This is based on the posture weaknesses discovered, and factors in not only the nature of the weakness, but also the context within which it occurs,” explains Hillel Solow, CTO, Protego. “After scanning tens of thousands of functions in live applications, we found that most serverless applications are simply not being deployed as securely as they need to be to minimize risks.”
The greatest security posture issues Protego uncovered are unnecessary permissions, while the remainder are with vulnerable code and configurations. Often, extra permissions are a result of developers or security operators using wildcards (“*”) for permissions rather than itemizing exactly which permissions they need.
Supply chain problems are predominantly with third-party libraries or modules that contain known vulnerabilities. Most of the functions with these problems also have access to resources and services they don’t need, making them excellent targets for attackers.
A small percentage of configuration problems include triggers that are unnecessary and functions with long timeouts that could be shortened to minimize the damage an attacker could do if they get access.
“The good news is these are all mitigable issues,” says Solow. “Serverless applications enable you to configure security permissions on individual functions. This allows you to achieve more granular control than with traditional applications, significantly mitigating the risk if an attacker is able to get access. Serverless applications require far more policy decisions to be made optimally, which can be challenging without the right tools, but if done accurately, these decisions can make serverless applications far more secure than their non-serverless analogs.”
Industry News
April 16, 2024
Pegasystems announced the general availability of Pega Infinity ’24.1™.
April 16, 2024
Sylabs announces the launch of a new certification focusing on the Singularity container platform.
April 15, 2024
OpenText™ announced Cloud Editions (CE) 24.2, including OpenText DevOps Cloud and OpenText™ DevOps Aviator.
April 15, 2024
Postman announced its acquisition of Orbit, the community growth platform for developer companies.
April 11, 2024
Check Point® Software Technologies Ltd. announced new email security features that enhance its Check Point Harmony Email & Collaboration portfolio: Patented unified quarantine, DMARC monitoring, archiving, and Smart Banners.
April 11, 2024
Automation Anywhere announced an expanded partnership with Google Cloud to leverage the combined power of generative AI and its own specialized, generative AI automation models to give companies a powerful solution to optimize and transform their business.
April 11, 2024
Jetic announced the release of Jetlets, a low-code and no-code block template, that allows users to easily build any technically advanced integration use case, typically not covered by alternative integration platforms.
April 10, 2024
Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.
April 10, 2024
Buildkite signed a multi-year strategic collaboration agreement (SCA) with Amazon Web Services (AWS), the world's most comprehensive and broadly adopted cloud, to accelerate delivery of cloud-native applications across multiple industries, including digital native, financial services, retail or any enterprise undergoing digital transformation.
April 10, 2024
AppViewX announced new functionality in the AppViewX CERT+ certificate lifecycle management automation product that helps organizations prepare for Google’s proposed 90-day TLS certificate validity policy.
April 09, 2024
Rocket Software is addressing the growing demand for integrated security, compliance, and automation in software development with its latest release of Rocket® DevOps, formerly known as Aldon®.
April 09, 2024
Wind River announced the latest release of Wind River Studio Developer, an edge-to-cloud DevSecOps platform that accelerates development, deployment, and operation of mission-critical systems.
April 09, 2024
appCD announced its generative infrastructure from code solution now supports Azure Kubernetes Service (AKS).
April 09, 2024
Synopsys announced the availability of Black Duck® Supply Chain Edition, a new software composition analysis (SCA) offering that enables organizations to mitigate upstream risk in their software supply chains.
