Serverless architectures are increasingly popular, as the cloud provider does most of the heavy lifting, allowing developers to focus on building and running their apps. But this popularity has attracted the scrutiny of threat actors. Although serverless environments have a relatively reduced attack surface, with certain responsibilities shifted to the cloud service provider (CSP), users must be careful not to introduce extra risk. This could happen if they write insecure code, misconfigure assets or fail to properly secure endpoints.

Through exploitation simulations of user-provided code vulnerabilities, we evaluated compromised serverless environments on Microsoft Azure. In the process, we identified sensitive environment variables inside the Microsoft Azure environment, leaving opportunities for malicious actors. We found two critical issues:

1. Some crucial secrets for Azure serverless environments are stored inside "environment variables." These variables are present in every process and inherited by default, significantly increasing the chance of exposure. Just one exploited vulnerability in one process could lead to a full compromise of the serverless environment.
2. If Azure customers use a master key for SSH access, it will allow attackers to escalate privileges inside a container with a known password. Users must use public key cryptography for SSH authentication to stay secure.
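To illustrate the first issue, here is an added Python example (not from the report or from Trend Micro) that flags secret-looking entries in a constructed environment, shows that a child process inherits them unchanged, and starts the child with a scrubbed allow-list environment instead. The variable names, values and name patterns are constructed assumptions, not real Azure settings.

```python
import re
import subprocess
import sys

# Constructed sample environment resembling a serverless function host; the
# names and values are placeholders, not real Azure settings or credentials.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "HOME": "/home/site",
    "APP_NAME": "demo-func",
    "STORAGE_ACCOUNT_KEY": "<constructed-key>",
    "DB_PASSWORD": "<constructed-password>",
    "BLOB_CONN": "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=<constructed-key>",
}

# Heuristics (assumed, not exhaustive): credential-like names, or values that
# carry a storage account key or SAS token inside a connection string.
SECRET_NAME_RE = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|PASSWD|CONNECTIONSTRING", re.I)
SECRET_VALUE_RE = re.compile(r"(AccountKey|SharedAccessSignature)=")


def find_secret_vars(env):
    """Return, sorted, the names in `env` that look like they hold a secret."""
    return sorted(k for k, v in env.items()
                  if SECRET_NAME_RE.search(k) or SECRET_VALUE_RE.search(v))


def scrubbed_env(env, allow=("PATH", "HOME", "LANG")):
    """Least-privilege environment for a child process: allow-listed names only,
    and nothing that trips the secret heuristics even if it is allow-listed."""
    return {k: v for k, v in env.items()
            if k in allow and not (SECRET_NAME_RE.search(k) or SECRET_VALUE_RE.search(v))}


def child_sees(env):
    """Start a child Python interpreter with `env` and return the variable
    names it actually inherited, as observed from inside the child."""
    proc = subprocess.run(
        [sys.executable, "-c", "import os; print('\\n'.join(sorted(os.environ)))"],
        env=env, capture_output=True, text=True, check=True)
    return proc.stdout.split()


if __name__ == "__main__":
    print("secret-looking:", find_secret_vars(SAMPLE_ENV))
    print("child inherits:", child_sees(SAMPLE_ENV))
    print("child after scrub:", child_sees(scrubbed_env(SAMPLE_ENV)))
```

The same scan can be run against `os.environ` inside a function host to see which settings every spawned helper process would inherit; moving those values into a vault and injecting them only where needed is the mitigation the report recommends.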
Azure users should remember that they are responsible for implementing security best practices and policies to supplement Microsoft's default security measures. Application code is particularly important, as it could serve as an entry point for attackers if not properly secured, the report revealed. We recommended the following for Azure serverless users:

- Follow the CSP's recommendations for securing environments and projects.
- Use vaults to store keys and passwords, even if this incurs additional cost.
- Use custom images, which provide more opportunities for out-of-the-box solutions and additional security.
- Use encrypted channels and pipelines to lock the values of the variables and ensure sensitive information (e.g., passwords and IDs) remains secret, even in the case of unauthorized access.
- Follow Zero Trust tenets to "assume breach" and minimize the impact of an attack stemming from vulnerability exploitation.
- Follow the principle of least privilege by using a non-privileged user for containers and applications, using managed identities and roles, and limiting public endpoints of linked cloud services. Also, consider using safer mechanisms for generating and managing secrets, such as passwords and API keys.
- Audit and secure all out-of-the-box solutions by performing third-party reviews and following vendors' best practices for security.

We strongly urged organizations using serverless computing services to understand and exercise their responsibility for securing these environments.

To read a full copy of the report, The State of Serverless Security on Microsoft Azure, please visit: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/exploring-potential-security-challenges-in-microsoft-azure