Serverless Security

Secure serverless functions across the full application lifecycle.

Request a Trial

Serverless functions are event driven code snippets running on completely managed infrastructure. This allows developers to focus purely on the code. However, these applications are still vulnerable to attacks and require purpose-built security.

Learn more about best practices for securing functions on AWS Lambda.

Serverless comes with new attack vectors

Serverless functions have many of the same Layer 7 attack vectors as applications in other form factors, but they also include new APIs and permissions that are unique to serverless functions. Knowing how to find and secure these architectures can be a challenge.

Batch reviews break agile processes

DevOps teams deploy and iterate at a rapid pace. Patching is most likely to happen if feedback comes prior to runtime. Unless security is embedded in the development process, reviews will decrease velocity.

Functions are short-lived and event-driven

Serverless functions are applications that are event-driven, single-purpose units, creating more to protect in shorter bursts. Traditional security tools were not designed to provide on-demand, lightweight visibility and protection, adding unnecessary overhead.

Serverless applications deserve serverless security

Prisma® Cloud is purpose-built to deliver full lifecycle serverless security for AWS Lambda, Azure Functions and Google Cloud Functions. Identify vulnerabilities and compliance violations during development, and protect running functions from nefarious activities as well as web application and API attacks.

Support for serverless across AWS, Azure and Google Cloud
Integrated security as part of the full application lifecycle
Visibility and protection across serverless environments

Vulnerability management
Compliance
CI/CD and repository scanning
Runtime visibility
Runtime defense

THE PRISMA CLOUD SOLUTION

Our approach to Serverless Security

Vulnerability management

Securing functions begins with understanding and controlling the vulnerabilities in packages being deployed and running. Prisma Cloud scans and continuously monitors functions for vulnerabilities. Start with integrated CI tooling and serverless repositories, and continue through runtime for a full lifecycle view.

Prioritize top vulnerabilities across functions

Identify the highest priority vulnerabilities based on risk score and exposure across functions as well as Lambda Layers in your repository and runtime.
Leverage remediation guidance to patch quickly

Vulnerabilities identified include package information and fix guidance.
Block functions that fail risk level

Leverage CI integrations and runtime protections to fail builds and prevent deployments of functions with vulnerabilities that don’t meet your risk levels.
Continuously assess the posture of your repositories

Get an up-to-date overview of the vulnerabilities in your functions as Prisma Cloud continuously scans repositories against our vulnerability database.

Learn more

Function compliance

Serverless applications may not provide access to their underlying infrastructure, but there are still misconfigurations that can expose a function to attacks. Prisma Cloud identifies misconfigurations, including private keys stored in function zips or broad resource access, prior to and after deployment.

Reduce the attack surface

Identify and remediate overly permissive and unused permissions and APIs to minimize ways for attackers to take advantage of functions.
Prevent misconfigured functions from deployment

Scan serverless applications for misconfigurations in continuous integration builds and repositories to block misconfigured functions.
Refine the checks in place

Enforce individual or group-based control over which compliance violations create an alert and which are blocked.
Identify compliance violations in production

Aggregate and view all compliance violations across running functions in your environment.

Learn more

CI/CD and repository scanning

Identifying security concerns as early as possible decreases the friction to get them addressed. Developers are notified about vulnerabilities and misconfigurations in their DevOps tooling, with remediation guidance, to harden and secure their functions.

Integrate with popular tooling

Take advantage of vulnerability and compliance scanning through integrations with CI tools and for Git repositories.
Provide feedback and guardrails

Set thresholds for alerting and blocking builds and deployments of functions with high-severity vulnerabilities and misconfigurations.
View posture and trends of built and stored functions

Gain a comprehensive look at all builds over time, with risk prioritization based on risk scores and actual exposure.
Support for leading public cloud repositories

Continuously monitor functions stored in repositories on AWS®, Azure® and Google Cloud.

Learn more

Runtime visibility

Functions are event-driven and only start when triggered. Prisma Cloud identifies and automatically secures functions running in your cloud environments.

Visualize function triggers and permissions

View related triggers and service permissions, such as API Gateways, CloudWatch and S3 buckets.
Automatically detect and protect serverless functions

Automatically deploy an embedded agent as a function layer from the console or API.
View up-to-date vulnerability and compliance exposure

Continuously scan active functions to surface risk-ranked vulnerabilities and misconfigurations.

Learn more

Runtime defense

Serverless functions range from single-purpose to full web applications and are highly ephemeral. Prisma Cloud protects these environments with runtime protection and web application and API security from an embedded agent.

Monitor and trace anomalous events

Easily harden your function runtime perimeter to alert or block on anomalous and known-bad events.
Customize allow and block lists

Create allow and block lists for processes, networking and file system behavior based on Prisma defaults or function-specific settings.
Get serverless Web Application and API Security

Use the same agent that identifies runtime events to protect against web application and API attacks.
Centralize security controls across application types

Gain a unified platform to secure serverless functions and container-based applications, simplifying the security of diverse environments.

Learn more

Prisma Cloud

Prisma^® Cloud is the industry’s most complete Cloud Native Application Protection Platform (CNAPP), with the industry’s broadest security and compliance coverage—for infrastructure, workloads, and applications, across the entire cloud native technology stack—throughout the development lifecycle and across hybrid and multicloud environments.

Learn more

Cloud Workload Protection modules

Host Security

Secure virtual machines (VMs) on any public or private cloud.

Learn more

Container Security

Secure Kubernetes and other container platforms on any public or private cloud.

Learn more