Contrast Security has expanded its Contrast Application Security Platform to add serverless to its list of approaches, which previously included code scanning, application security testing, open source security and runtime protection.
Citing its own State of Serverless Application Security Report, Contrast said in a statement that “more than 70% of respondents report that six or more of their development teams now work on serverless applications,” and Steve Wilson, chief product officer at Contrast Security, said that Contrast Serverless Application Security was driven in large part by customer demand.
“We have hundreds of large enterprise customers who last year really started telling us that they needed support for these serverless environments,” said Wilson, noting that the move to serverless is one that is happening more and more as companies modernize their application. “One of our beta customers was rewriting a set of applications for their IoT infrastructure — and that’s a classic type of application that really benefits from a serverless environment — so as they were upgrading that to really be cloud native, they were starting to take advantage of function as a service on Amazon, and really asking us to help bring some tooling there where we could provide that security assurance to them.”
New Security Challenges
Calling this move to serverless “one of the biggest shifts in application development since enterprise Java and the application server,” Wilson explained that it presents new security challenges for companies making the shift.
“It allows you to create very data-intensive, large-scale applications for a fraction of the cost of doing it the old way, and it’s become very popular, but one of the challenges is it’s a very different way to structure your applications,” he said. “Enterprises across the industry depend on application security testing tools to help inspect their code prior to shipping their applications, but none of these tools work in the serverless environment.”
Contrast Serverless Application Security has been in the works for over a year now, with Contrast Security acquiring CloudEssence late last year as part of this effort and much of that past year spent building its technology into the platform.
Adding Security Early
While Contrast Security is not the first company to take on security for serverless applications, it says that it differentiates by not focusing on runtime security, but focusing instead on providing security earlier in the software development life cycle, with three primary features.
“What this does is inspect this new class of programs based on cloud serverless technologies, and again, do what we do for other environments, which is thoroughly inspect and test your serverless functions in an automated way to find possible security vulnerabilities and then give your developers very directed feedback on what they need to do to fix them,” said Wilson.
First, Contrast Serverless Application Security performs dynamic environment scanning, which runs automatically based on any specific updates introduced to the testing environment in real time. Wilson explained that serverless functions are susceptible to many of the same attacks you would see elsewhere, especially given their access, which is why these scans are based on the OWASP Top 10 benchmarks, which include risks such as SQL injection, code injection, command injection and local file inclusion.
“The key thing that you’re trying to defend, and almost regardless of what the technology is, is defending the access to your data,” Wilson said. “These serverless functions, often their primary reason for being is to quickly insert or extract data from your databases. The particular transaction may be short-lived, but they have very broad access into other parts of your infrastructure, and so the classic types of vulnerabilities that we see in app server-based programs, like injection attacks, for example, are all still possible in a serverless environment.”
Next, Contrast Serverless Application Security performs resource mapping, wherein it automatically discovers resources such as S3 buckets, API gateways and databases, and their relationships to your environments. Finally, Contrast performs code scanning to uncover vulnerabilities such as over-permissive functions or vulnerabilities introduced by open source dependencies.
At launch, Contrast Serverless Application Security will work for Amazon Web Services‘ Lambda serverless service, but Wilson said that Azure and Google Cloud were on the roadmap.
Amazon Web Services is a sponsor of The New Stack.