The Damn Vulnerable Serverless Application (DVSA) is a deliberately vulnerable application designed to help security professionals test their skills and tools and to help developers better understand the processes of securing serverless applications.
The DVSA contains the most common security risks, including over-privileged roles, insecure configurations, broken access control and vulnerable dependencies. Serverless practitioners can attempt various attacks such as injection attacks and denial of service (DoS) attacks.
The tool, which has been donated to the Open Web Application Security Project (Owasp), can also be used to help students and teachers to learn about serverless application security in a classroom environment, according to Protego Labs.
“While many companies are adopting serverless technologies and approaches, security for serverless is largely uncharted territory as traditional security methods aren’t applicable in serverless environments,” said Tal Melamed, head of security research, Protego Labs.
“The DVSA is easily installed and allows users to practise some of the most common serverless vulnerabilities through a simple interface,” he said. “The application includes both documented and undocumented vulnerabilities and encourages the discovery of others.”
The tool provides a range of cloud resources, including functions, databases, simple storage, queues and email services, while the application backend includes exposed and unexposed functions, administrative back-office, mock external application program interfaces (APIs) and a front-end that includes authentication and email interaction with users.
This is the second project Protego Labs has led with Owasp. In 2018, Protego Labs launched the Owasp Serverless Top 10, a report designed to be a first look into the leading risks in serverless security and to serve as a baseline for the official Owasp Serverless Top 10.
Also in 2018, Protego Labs launched a free version of its serverless security solution to enable companies to build secure applications and save time by automating tasks such as configuration of function permissions.