Google Cloud Functions Security: Now With FunctionShield Protection


From the early days of PureSec, we’ve been talking about the fact that our technology was designed to be cross-platform, allowing it to run in any kind of serverless environment. PureSec customers can already deploy our serverless security solution for AWS Lambda and Azure Functions, and as of today, we’re excited to release our first security contribution for Google Cloud Function developers – FunctionShield.


What is FunctionShield?

First, a quick overview of FunctionShield for GCF developers:

FunctionShield is a 100% free Google Cloud Functions security library that lets developers easily enforce strict security controls on the Google Cloud Functions runtime by addressing 4 common use cases:

  1. Disable outbound internet connectivity (except for Google Cloud resources) from the serverless runtime environment, if such connections are not required

  2. Disable read/write on the /tmp/ directory, if such operations are not required

  3. Disable child process execution, if such execution is not required by the function

  4. Disable read access to the function’s handler and prevent source code leakage

In addition to the security protections provided, developers also gain tremendous security visibility when using FunctionShield, even if it’s just set to “alert”. With FunctionShield deployed in your functions, you can quickly get an idea of what your function is executing, who it is communicating with, and whether or not it is writing to disk.

Why Use FunctionShield?

FunctionShield gives developers the ability to control and harden their serverless runtime environment against malicious actions. One use case is mitigating the risk involved in using non-trusted open source packages. You can read more about this use case in a blog post we recently published.

How Does FunctionShield Work?

FunctionShield uses a proprietary behavior-based runtime protection engine, which enforces the behavior that you define. FunctionShield lives in and around the serverless language runtime. All you have to do is import the library into your code. No function wrapping is required, and FunctionShield does not perform any kind of monkey-patching.

Installing & Using FunctionShield

Follow the installation instructions on the FunctionShield web page. Please note that at the moment, FunctionShield for GCF supports all available runtimes (Node.js and Python at the time of writing).

Here is a sample Google Cloud Function, which uses FunctionShield and will demonstrate real security triggers:

Logging & Security Visibility

FunctionShield logs are sent directly to your function’s Google Cloud logs. Here are a few sample logs, demonstrating the log format you should expect:



*** This is a Security Bloggers Network syndicated blog from PureSec Blog (Launch) authored by Ory Segal, PureSec CTO. Read the original post at: