Serverless Functions Require Serverless Security

Many organizations are using serverless functions, with the CNCF 2019 survey reporting 41% of respondents using serverless in their stack.

Developers find that using serverless functions removes the toil of dealing with servers, operating systems, or other infrastructure, allowing them to focus on business logic and value.

The simplicity, scalability, and pay-per-use cost model is another benefit that has appeal beyond development. What does this mean for the security team tasked with minimizing business risk, but not at the expense of speed and developer productivity?

What is Serverless: Basic Function Architecture and Execution

Serverless represents the current end state of many cloud providers' ambitions: “leave your servers, networks, and operating systems behind, just bring us your business logic and code”.

Serverless allows developers to create discrete, event-driven code snippets called functions that are abstracted from the underlying compute infrastructure, executed on-demand and billed per execution (or really per millions of executions).

Serverless removes the need to worry about servers, operating systems, scalability, and, to a point, availability. Serverless functions are triggered by an event, such as an HTTP request, a stream event, or an IoT message. The serverless function then executes, performs its function, and essentially, dies, while a fractional cost is added to the customer’s bill. The underlying serverless framework is responsible for allocating resources, routing requests and terminating the compute component that performs the function. Done correctly, it can be an elegant and cost effective way to build an application.

Serverless Cannot Be Security-Less

The abstraction that serverless provides shifts the shared-security model another couple of levels in the customer’s favor. In a virtual machine based architecture, the customer is responsible for the security of the underlying operating system and software runtime environment. Not so in serverless, where these components are handled by cloud service provider.

On the surface, this might look like the removal of a large security burden, but in reality most of the critical risks in serverless security still fall clearly within the domain of the developer and their partners in the security team.

The same risks, such as injection attacks, insecure third-party libraries, over-privileged permissions, and DDoS attacks are as prevalent in serverless applications as anywhere else.

Serverless functions have the same needs for visibility and vulnerability management, access control, and continuous compliance as any compute platform.

What has to change, however, are the tools used to protect your serverless applications.

Unit 42 Cloud Threat Report:

Protecting Serverless Functions: A New Approach with Prisma Cloud

Traditional workload security solutions were designed decades before serverless became widely adopted. It’s no wonder they can’t scan serverless functions for vulnerabilities, provide runtime protection, or interrogate cloud configurations. With serverless functions, your security solutions must be both integrated within the platform and embedded in the serverless function itself.

Vulnerability Management and Compliance

Prisma Cloud scans function zips as part of any CI workflow and continuously monitors functions stored in any cloud repository, just like we do for container images. Users see detailed vulnerability status of libraries within the function, along with associated risk factors, and compliance information, including overly permissive API usage, secrets keys stored in the function, and broad API access.

Prisma Cloud integrates with your cloud providers’s API to perform compliance checks on serverless functions, looking for common misconfigurations such as poor secret management, or overly permissive service accounts. These checks are performed regularly using rulesets update based on Palo Alto Networks threat research findings.


For running functions, Prisma Cloud provides a real-time view of related triggers and services leveraged by the function. Users can easily see the S3 buckets or API gateways functions connected with a DynamoDB databases or CloudWatch log services accessed by the application.

Runtime Protection

Prisma Cloud provides runtime protection with a specific Serverless Defender that users embed inside their functions. This specifically isolates processes that the function can run, network connections, and filesystem access, providing a powerful tool to detect and prevent attacks.

Prisma Cloud gives you the visibility, protection, and control you need to protect serverless applications.