Baltimore startup Protego is looking to provide security for serverless computing. It’s a new field, and so there’s some education involved.
As CEO Tsion Gonen has told Technical.ly, the company sees lots of promise in the technology, which proponents say allows developers to focus on building code without worrying about certain overhead considerations. The form of cloud computing doesn’t eliminate servers altogether, but takes the requirement to maintain servers out of the equation and allows applications to be scaled automatically.
But as with many technologies, there are potential security vulnerabilities. Plenty of users understand this, but the vulnerabilities in the fledgling area aren’t all fully understood.
“We’ve been asked by many of our customers and by security professionals if there’s a way to test their security and security understanding,” said Protego Labs Head of Security Research Tal Melamed. “Many companies did the transformation to serverless, and the security conversation was there. But, there was no actual way to apply the knowledge and skill and really test it.”
To allow for that learning, Protego created an open source tool. DVSA, or Damn Vulnerable Serverless Application, provides an interface that shows the most common serverless vulnerabilities. The company also donated the tool to OWASP, the Open Web Application Security Project.
The idea is to allow organizations and devs train in securing serverless environments, and provide security professionals a place to test their skills and tools. The testing application includes cloud resources, as well as a back-end with a variety of functions and front-end with authentication and email interaction with users. Within the environment, it allows practitioners to attempt attacks.
“They can first hack, and then the important part is to fix the code, make the app more secure, and check that the exploit doesn’t work anymore,” said Melamed. “I’ve been training both ethical hackers and developers for years and this is the best, and maybe the only, way to really learn about security implications.”
Along with helping developers understand the processes behind serverless security, Melamed also sees it as a tool for students and teachers.
“I hope that by making it open source it could grow and maybe even help discover new security vulnerabilities that we haven’t thought of before,” Melamed said.
It’s not the first open source project from the startup. Last year, Protego Labs also provided a tool called the OWASP Serverless Top 10, which provided a look at the most common server vulnerabilities.-30-