PureSec, a startup out of Israel emerged from stealth today to provide a way to make serverless computing more secure.
Serverless computing reduces programming to writing functions, so that when a certain event happens, it triggers an automated action. The cloud vendor takes care of the underlying infrastructure and developers just write the code. It may sound like Shangri La for tech, but in reality there are still security concerns.
You might think that a process that lasts only milliseconds wouldn’t be subject to conventional kinds of attacks, but the fact is serverless functions are designed to take human checks and balances out of the equation, says company co-founder Ory Segal, and if you don’t set up the functions correctly you could be vulnerable.
As with any type of cloud security, there is a shared security model with serverless computing. On the vendor side, they ensure their data centers and systems are secure, but at the application level, it’s up to the developer. Certainly we have seen many instances where applications have been left exposed and data has leaked.
Segal says the function may be only a few lines of code triggering an action, but the action usually involves interacting with one or more external services. When that happens, there is an opportunity to manipulate the function and make it do something it wasn’t designed to do such as inject malicious code.
The product looks at your serverless code and lets you know which vulnerabilities you may have left exposed. It can even fix those problems for you if you wish. It also allows you to configure a security profile for your code from a dashboard and see a log of activity to track problems when they occur.
Segal says when the company launched in 2016, it was just a couple of years after AWS launched its Lambda serverless product. At the time, it was not widely used or understood. Serverless computing remains very early in its development, but in order to grow it needs a set of underlying tools like security to really take off.
PureSec is built from the ground up to provide serverless security, and itself is built on top of serverless architecture. As Segal points out, traditional security products require underlying infrastructure to deploy something either on the server or network. With serverless architecture, there is no underlying architecture on which to deploy until event is triggered and the cloud provider figures out what compute, memory and storage is required to complete the process.
The company has been in stealth mode up until today and has raised $3 million in seed investment, according to Crunchbase. It has 7 employees based in Tel Aviv.