One in five serverless apps has a critical security vulnerability

Serverless computing is an emerging trend that is likely to explode in popularity this year. It takes the idea of a smaller server footprint to the next level. First there were virtual machines, which ran a whole instance of an operating system. Then came containers, which load only the bare minimum of the OS required to run the app, giving a smaller footprint.

Now we have “serverless” apps, which is a bit of a misnomer. They still run on a server; they just don’t have a dedicated server, virtual machine, or container running 24/7. They run in a server instance until they complete their task, then shut down. It’s the ultimate in small server footprint and reducing server load.

Audit of serverless apps finds critical security flaws

And like all emerging technologies, security seems to be an afterthought. An audit by a firm specializing in serverless application security has found that one in five serverless apps has a critical security flaw of one kind or another, allowing attackers to manipulate the application and perform various malicious actions.

According to the audit of more than 1,000 apps by Israeli security firm PureSec, most vulnerabilities and weaknesses were caused by copying and pasting insecure sample code into real-world projects, poor development practices, and lack of serverless education. This is the kind of bad behavior you really don’t expect to see from professional developers.