As we’re nearing the end of the year, it’s time to look back and reflect on all the great things achieved during 2018. This year was remarkable for the Serverless security space, for our customers, and for the PureSec team.
Here are our highlights from 2018:

January 2018

Serverless Top 10 Guide: we opened 2018 by releasing the first ever Serverless Security Top 10 guide. The guide was a joint effort between many industry thought leaders and the PureSec team, and was very well received by the media and the community. Here are just a few notable mentions: ZDNet, SecurityWeek, Serverless.com and DarkReading.

The Serverless Security Mind-shift: in January we launched a new blog series titled "Securing Serverless", which covered many of the obstacles related to application security in serverless, such as the need for serverless-native runtime protections.

February 2018

Best Serverless Security Award: PureSec won the "Best Serverless Security" award in the Cybersecurity Excellence Awards competition.

AWS Lambda Security Partnership: in February, PureSec became the first AWS Lambda security partner. This was a significant milestone on our way to establishing and leading the new "serverless security" industry (Link).

March 2018

Serverless ReDoS Weakness: our threat research team released the first ReDoS vulnerability (CVE-2018-7560) related to an NPM package specifically created for use with AWS Lambda (advisory).

Defining the "Serverless Security Platform": PureSec defined its vision of what makes a good serverless security solution: the six principles that guided us in designing our platform.

April 2018

How Big Is The Serverless Security Problem? The PureSec threat research team ran a survey across 1,000 open-source serverless projects and found that 21% of them contained one or more critical vulnerabilities or misconfigurations, allowing attackers to manipulate applications and perform various malicious actions (Link).

Unveiling PureSec Serverless Security Platform for AWS Lambda, v1.0 Beta: for the first time, organizations using AWS Lambda could deploy a serverless-native application security solution, which provides full-lifecycle security: hardening configurations and IAM permissions, inspecting event data for injection-based attacks, and providing behavioral protection for functions (Link).

May 2018

Tech preview of PureSec Serverless Security Platform for Azure Functions: the PureSec serverless security platform tech preview for Azure Functions was presented live on stage at the Microsoft Build 2018 conference in Seattle (Video).

June 2018

Serverless Crypto Jacking: sounds trivial, right? Well, it wasn't back then. Our threat research team released a paper demonstrating how malicious users can abuse weaknesses in serverless code to run crypto-mining malware at serverless scale (blog post Link, TheRegister article, TechRepublic article).

The First Serverless Security Survey: in an attempt to gauge the state of serverless security, PureSec conducted a survey among 304 technology professionals and found that 35% of the companies have no security guidelines or tools for securing their serverless applications (RESULTS).

July 2018

PureSec SSP v1.0 general availability: our flagship product launched and became the world's first serverless-native application security solution (TechCrunch article).

FunctionShield: in an effort to help developers jump on the serverless bandwagon with confidence, we released a free security library for AWS Lambda developers. Using the library, developers can control certain runtime security attributes that were previously impossible to control (LINK).

Apache OpenWhisk Security Advisory: the PureSec threat research team helped secure Apache OpenWhisk (an open-source serverless platform) by discovering a critical weakness and providing a security fix. This is probably the first ever published CVE related directly to a serverless security platform (Advisory, CVE-2018-11756,