Research Reveals That 21% of Open Source Serverless Applications Have Critical Vulnerabilities

Did you know that more than one in five serverless applications contains critical security vulnerabilities?

In an evaluation of 1,000 open-source serverless projects, the PureSec threat research team found that 21% of them contained one or more critical vulnerabilities or misconfigurations that would allow attackers to manipulate the applications and perform various malicious actions.

According to the audit, most vulnerabilities and weaknesses were caused by copying and pasting insecure sample code into real-world projects, poor development practices, and a lack of serverless education. Six percent of the projects even had application secrets, such as API keys or credentials, committed to their publicly accessible code repositories.

Our infographic below highlights some key results:

[Infographic: 1 in 5 serverless applications contains critical security vulnerabilities]

The percentage of vulnerabilities discovered was consistent across runtime languages, with the exception of .NET projects, which showed significantly higher levels of vulnerabilities. With the choice of runtime ruled out as a factor, human error was left as the cause of the vulnerabilities.

Using PureSec’s SSRE, all the vulnerabilities discovered in the audit above would have been blocked and mitigated at runtime, and also detected and fixed through PureSec’s CI/CD-integrated code and configuration scanning.

For a closer look at the types of vulnerabilities discovered by PureSec, check out our “Serverless Security Top 10 Most Common Weaknesses Guide”.

Interested in joining our beta program? Sign up here.

*** This is a Security Bloggers Network syndicated blog from PureSec Blog (Launch) authored by Ory Segal, PureSec CTO. Read the original post at: https://www.puresec.io/blog/puresec-reveals-that-21-of-open-source-serverless-applications-have-critical-vulnerabilities