Search

Serverless Security

Secure serverless functions across the full application lifecycle.
Request a Trial
Serverless Security Hero Front Image
Serverless Security Hero Back Image

Serverless functions are event driven code snippets running on completely managed infrastructure. This allows developers to focus purely on the code. However, these applications are still vulnerable to attacks and require purpose-built security.

Learn more about best practices for securing functions on AWS Lambda.

Read the e-book

Serverless comes with new attack vectors

Serverless functions have many of the same Layer 7 attack vectors as applications in other form factors, but they also include new APIs and permissions that are unique to serverless functions. Knowing how to find and secure these architectures can be a challenge.

Batch reviews break agile processes

DevOps teams deploy and iterate at a rapid pace. Patching is most likely to happen if feedback comes prior to runtime. Unless security is embedded in the development process, reviews will decrease velocity.

Functions are short-lived and event-driven

Serverless functions are applications that are event-driven, single-purpose units, creating more to protect in shorter bursts. Traditional security tools were not designed to provide on-demand, lightweight visibility and protection, adding unnecessary overhead.

Serverless applications deserve serverless security

Prisma® Cloud is purpose-built to deliver full lifecycle serverless security for AWS Lambda, Azure Functions and Google Cloud Functions. Identify vulnerabilities and compliance violations during development, and protect running functions from nefarious activities as well as web application and API attacks.
  • Support for serverless across AWS, Azure and Google Cloud
  • Integrated security as part of the full application lifecycle
  • Visibility and protection across serverless environments
  • Vulnerability management
    Vulnerability management
  • Compliance
    Compliance
  • CI/CD and repository scanning
    CI/CD and repository scanning
  • Runtime visibility
    Runtime visibility
  • Runtime defense
    Runtime defense
THE PRISMA CLOUD SOLUTION

Our approach to Serverless Security

Vulnerability management

Securing functions begins with understanding and controlling the vulnerabilities in packages being deployed and running. Prisma Cloud scans and continuously monitors functions for vulnerabilities. Start with integrated CI tooling and serverless repositories, and continue through runtime for a full lifecycle view.

  • Prioritize top vulnerabilities across functions

    Identify the highest priority vulnerabilities based on risk score and exposure across functions as well as Lambda Layers in your repository and runtime.

  • Leverage remediation guidance to patch quickly

    Vulnerabilities identified include package information and fix guidance.

  • Block functions that fail risk level

    Leverage CI integrations and runtime protections to fail builds and prevent deployments of functions with vulnerabilities that don’t meet your risk levels.

  • Continuously assess the posture of your repositories

    Get an up-to-date overview of the vulnerabilities in your functions as Prisma Cloud continuously scans repositories against our vulnerability database.

Learn more
Vulnerability management

Function compliance

Serverless applications may not provide access to their underlying infrastructure, but there are still misconfigurations that can expose a function to attacks. Prisma Cloud identifies misconfigurations, including private keys stored in function zips or broad resource access, prior to and after deployment.

  • Reduce the attack surface

    Identify and remediate overly permissive and unused permissions and APIs to minimize ways for attackers to take advantage of functions.

  • Prevent misconfigured functions from deployment

    Scan serverless applications for misconfigurations in continuous integration builds and repositories to block misconfigured functions.

  • Refine the checks in place

    Enforce individual or group-based control over which compliance violations create an alert and which are blocked.

  • Identify compliance violations in production

    Aggregate and view all compliance violations across running functions in your environment.

Learn more
Function compliance

CI/CD and repository scanning

Identifying security concerns as early as possible decreases the friction to get them addressed. Developers are notified about vulnerabilities and misconfigurations in their DevOps tooling, with remediation guidance, to harden and secure their functions.

  • Integrate with popular tooling

    Take advantage of vulnerability and compliance scanning through integrations with CI tools and for Git repositories.

  • Provide feedback and guardrails

    Set thresholds for alerting and blocking builds and deployments of functions with high-severity vulnerabilities and misconfigurations.

  • View posture and trends of built and stored functions

    Gain a comprehensive look at all builds over time, with risk prioritization based on risk scores and actual exposure.

  • Support for leading public cloud repositories

    Continuously monitor functions stored in repositories on AWS®, Azure® and Google Cloud.

Learn more
CI/CD and repository scanning

Runtime visibility

Functions are event-driven and only start when triggered. Prisma Cloud identifies and automatically secures functions running in your cloud environments.

  • Visualize function triggers and permissions

    View related triggers and service permissions, such as API Gateways, CloudWatch and S3 buckets.

  • Automatically detect and protect serverless functions

    Automatically deploy an embedded agent as a function layer from the console or API.

  • View up-to-date vulnerability and compliance exposure

    Continuously scan active functions to surface risk-ranked vulnerabilities and misconfigurations.

Learn more
Runtime visibility

Runtime defense

Serverless functions range from single-purpose to full web applications and are highly ephemeral. Prisma Cloud protects these environments with runtime protection and web application and API security from an embedded agent.

  • Monitor and trace anomalous events

    Easily harden your function runtime perimeter to alert or block on anomalous and known-bad events.

  • Customize allow and block lists

    Create allow and block lists for processes, networking and file system behavior based on Prisma defaults or function-specific settings.

  • Get serverless Web Application and API Security

    Use the same agent that identifies runtime events to protect against web application and API attacks.

  • Centralize security controls across application types

    Gain a unified platform to secure serverless functions and container-based applications, simplifying the security of diverse environments.

Learn more
Runtime defense
Prisma Cloud
Prisma Cloud
Prisma® Cloud is the industry’s most complete Cloud Native Application Protection Platform (CNAPP), with the industry’s broadest security and compliance coverage—for infrastructure, workloads, and applications, across the entire cloud native technology stack—throughout the development lifecycle and across hybrid and multicloud environments.
Learn more

Cloud Workload Protection modules

HOST SECURITY

Secure virtual machines (VMs) on any public or private cloud.

Learn more

CONTAINER SECURITY

Secure Kubernetes and other container platforms on any public or private cloud.

Learn more

SERVERLESS SECURITY

Secure serverless functions across the full application lifecycle.

Learn more

WEB APPLICATION & API SECURITY

Protect against Layer 7 and OWASP Top 10 threats in any public or private cloud.

Learn more
Featured Resources

Get more insight into what Prisma Cloud can do for your business

See all resources
White paper

10 Most Critical Security Risks in Serverless Architectures guide

Read the full whitepaper
E-book

Securely enable serverless apps on AWS® Lambda

Download
Blog post

Protect Serverless Functions with Prisma Cloud

Read the blog
E-book

An Executive’s Guide to Protecting Workloads and Data on AW

Download

Customer Stories

Hear how Pokemon, Sabre and ElevenPaths take advantage of Prisma Cloud's full lifecycle security and full stack protection.

Cloud security basics

Learn about DevSecOp trends and get practical tips from developers, industry leaders and security professionals.

The latest from our blog

Start with a piece that focuses on container security with Kubernetes cluster awareness, then dive into the rest.

Get the latest news, invites to events, and threat alerts