Serverless, shadow APIs and Denial of Wallet attacks

In this Help Net Security podcast, Doug Dooley, Chief Operating Officer at Data Theorem, discusses serverless computing, a new area that both DevOps leaders and enterprise security leaders are having to tackle.

Here’s a transcript of the podcast for your convenience.

Hi, my name is Doug Dooley of Data Theorem. We are a leading provider of modern application security and I want to talk a little bit about a new area that both DevOps leaders and enterprise security leaders are having to tackle. The new area is serverless computing.

What is serverless?

We’re going to talk first about what is serverless. Serverless computing is a new application execution model that automates at runtime the orchestration of infrastructure. In other words, when a developer builds a new application, when they build it on top of serverless, there is a capability that essentially automates all of the traditional approaches of having to spin up and scale out a variety of computing, network, storage, databases, etc., all the underlying infrastructure to support and scale up the infrastructure to support the application. Similarly, when the application is no longer in use, scale it all back down.

Advantages and benefits of serverless

The big advantage of what serverless has been delivering for the past four years for applications that have been built on it, are dramatically lower cost because you only pay for when the application is in use, and significantly easier to use because of the skills that you need to orchestrate and automate all of the infrastructure is taken care of by the cloud providers. Specifically, Amazon with Lambda service, Google cloud with Cloud Functions and Microsoft with Azure Functions.

This is a relatively new area in the last four years that has grown in substantial popularity. Just to put a statistic on that, Amazon released data that it took about 10 years for Docker containers to reach about 24% usage by their customer base. Lambda in comparison has reached a similar percentage, 23.5%, in just four years since it was introduced.

Serverless is growing more than twice as fast in popularity of usage among their customer base versus containers. Because of this fast-growing popularity, particularly by developers to take advantage of serverless to make their life easier and to dramatically lower the cost of application development and application execution, it has created some new and interesting challenges for enterprise security.

On the positive side, because there are no traditional servers staying persistent all the time, there is this nice benefit of wiping out, sort of a clean slate on operating systems and compute that support applications. When malware or difficult attacks are happening and staying persistent or even dormant inside of your infrastructure, the positive is with serverless, these things are constantly scaling up and scaling down because ultimately the infrastructure is ephemeral. So, it’s hard for bad applications or malware just to stay hidden in your environment for long periods of time, because it’s all getting cleared out frequently.

Shadow APIs and Denial of Wallet (DoW) challenges

There are some new interesting challenges with this serverless approach. One of them is this concept of Shadow APIs. Because most of these applications are now being built with a microservices architecture, you have these smaller, reusable pieces of software that ultimately support an enterprise application built on serverless.

Most of these microservices are interconnected with one another through a communication via API, typically RESTful APIs. Whether these RESTful APIs are viewed as publicly consumable or private, to be only used to interconnect microservice fabric, either way, once it’s on the public cloud it is inherently accessible and available to any attacker or to any potential malicious software. One of the things that’s starting to happen for the enterprises, they don’t know what they don’t know on the number of APIs that are being published and consumed by these modern applications using serverless.

This is a new challenge from a discovery perspective, to find all of these Shadow APIs that exist in the enterprise environment, and there needs to be new tools and new techniques on how to go about that discovery. That’s one of the new interesting challenges for security when developers are using this new concept of serverless.

The second challenge that is starting to pop up is this new class of attack called Denial of Wallet (DoW). A Denial of Wallet attack is similar to what we know about with Denial of Service. If you have a bad actor or some threat that is going after one of your applications and part of its intent is to bombard it with fictitious requests that busy up your application, what will happen when that application is built on a serverless architecture is that the underlying resources continue to scale up and spin up in order to deal with these increased number of requests.

These requests are intended to potentially take down your service, but because of the nature of the public cloud and services like Lambda and Cloud Functions, they will continue to spin up in order to handle the load. As a result, the cost to the enterprise continues to balloon out of control from a financial perspective to the point where it’s really ultimately hurting the wallet or hurting the bottom line of the company paying that bill for their serverless infrastructure.

Again, we’ve known about DoS for quite a long time, but Denial of Wallet is sort of a new type of attack, a financial attack, that sort of takes advantage of this auto scaling nature of serverless.

These are just two new interesting concepts that enterprise security teams and DevOps teams are now starting to get their arms around from a security perspective when applications are built on serverless, and there are actually several other new challenges.

But we just wanted to highlight and bring attention to the fact that on one hand, serverless has incredible cost advantages and simplicity advantages, and also some interesting security advantages because the application infrastructure ephemerally recreates itself often. But there are these new classes of attacks and these new threats that folks are having to deal with. There are some exciting times happening in security due to serverless, and we need to stay tuned for more innovations coming this way.