Introducing Snyk for Serverless

Guy Podjarny's avatar Guy Podjarny

Today we’re excited to announce Snyk’s new solution for securing your serverless functions, designed to easily integrate and protect serverless-based applications! The initial launch features tight integration with both AWS Lambda and Heroku. We’re also working closely with Google, Red Hat and others to integrate directly with their platforms in the coming months.

Screenshot of the Snyk Integrations page where you can choose with serverless platforms to monitor

Why Is Securing Serverless Different?

Serverless (FaaS) and PaaS approaches provide a big boost for developer productivity. By moving the infrastructure concerns to teams of dedicated experts, developers are free to spend more time working on code that directly contributes to their core product. This, in turn, pushes many of the security concerns in such infrastructure to the platform, dramatically mitigating risks such as unpatched servers, compromised servers and more.

However, by crippling these attack vectors, Serverless draws attackers to the next easiest way in—vulnerable application dependencies. These open source packages, pulled from repositories such as npm, Maven, PyPI and others, are just as prevalent and just as vulnerable as the binaries we often patch. FaaS and PaaS platforms manage and secure the server dependencies, but do not manage nor secure vulnerable packages pulled in by your app.

Snyk helps address this gap, continuously monitoring your dependencies hidden inside your functions and apps for vulnerabilities (and soon license issues!).

Securing your serverless applications

The new serverless support lets you monitor the code you’ve deployed to AWS Lambda or Heroku for any known vulnerable dependencies—with more platforms coming very soon. For each platform your code is deployed to, after entering the relevant API keys, you can choose the functions and applications to monitor continuously.

Snyk will then communicate directly with the platform, using its API, to determine what dependencies are currently deployed for each function or app, and then scan them against our vulnerabilities database for known vulnerabilities. You’ll be given a detailed report of all vulnerabilities as well as guidance on how to remediate them.

You’ll also be able to tell Snyk how frequently you would like to test each function for newly disclosed vulnerabilities that impact it. If one is found, you will be notified (via email and Slack) and can take action immediately.

A screenshot of the UI for setting how frequently you want your serverless application tested for security by Snyk

Isn’t monitoring source code enough?

Quite clearly, deployed code was previously source code, and so addressing vulnerable dependencies as part of your development process is an excellent way to reduce the likelihood of deploying a vulnerability in the first place. In addition, finding issues during dev makes fixing those issues far easier.

However, securing source code isn’t enough. The path from source code to deployed code isn’t always straight, making it hard to know which functions or apps are affected by a source code vulnerability. Also, deployed code always lags behind source, and often still uses old (and potentially vulnerable) dependencies long after the code being developed has updated or patched them.

Tracking vulnerabilities in deployed code is the best way to understand and manage your risk. Addressing these vulnerabilities in your development process lets you quickly fix such issues, as well as prevent them in the first place. You can now use Snyk to secure your code throughout that lifecycle, and we encourage you to do so.

More serverless platforms to come

Serverless is a big boost for developer productivity, but your approach to security must adapt to accommodate it. Now with Snyk’s support for serverless applications, it’s that much easier to stay secure. Secure your Lambda and Heroku apps today!

We’re thrilled to launch with support for both AWS Lambda and Heroku, but there is much more to come. As we mentioned earlier, we’re working very closely with Google, Red Hat and others to directly integrate with their platforms in the coming months. We want to let you monitor your deployed code wherever it may be, continuously and easily.

If you use a platform that you don’t see in the initial launch, let us know, and we will keep you up to date on our plans for it and, if you would like, include you on relevant beta programs.

Serverless Security at Serverless Conf

April 28, 2017

Today Guy Podjarny had the pleasure of presenting at the amazing ServerlessConf in Austin, Texas about security in a serverless world. Here are the slides from his talk, "Serverless Security: What's Left to Secure?"

Serverless Security implications—from infra to OWASP

April 19, 2017

By its very nature, Serverless (FaaS) addresses some of today's biggest security concerns but it doesn't fix it all. This post outlines the top areas where Serverless helps or hinders our security efforts, offering advice on how to address concerns and thoughts on what's to come next.

Subscribe to The Secure Developer Podcast

A podcast about security for developers, covering tools and best practices.

Find out more

Interested in web security?

Subscribe to our newsletter:

Get realtime updates and fixes for JavaScript, Ruby and Java vulnerabilities that affect your applications