FunctionClarity: The Key to Secure Serverless Computing

By: Tim Miller

Oct 27 2022

Serverless computing frees developers to build and deploy cloud-native features and services faster, without managing infrastructure. Untethered from platform and operating-system management, they can concentrate on what they do best: code.

But there’s a downside. These ephemeral functions, powerful, convenient, and economical as they are, introduce new kinds of risk. Once you have delegated management to the cloud provider, the code is no longer bound to your pipeline, which leaves you with less visibility and makes it harder to identify vulnerabilities or trace attacks.

The serverless function’s Achilles’ heel: security

OK, so you’ve published your code to your serverless environment. Awesome! But how can you be sure that the code running tomorrow or next week is the code you published? Once it has been uploaded to the cloud provider, nothing ties it to your pipeline any longer, and anyone with enough access to the account can modify the function in place and wreak havoc on your business.

Of course, your cloud provider may offer a code-signing and verification service (a best practice for validating code integrity), which is a great step in the right direction. That said, with leaked or stolen credentials the leading cause of cloud compromises, can you rely entirely on your provider’s capabilities? Credentials broad enough to update a function are often broad enough to change or remove its signing configuration too. If you’re like me, you’d feel more confident with an independent service whose security spans end to end, from pipeline to production.

A new open-source solution

Enter FunctionClarity, a new open-source project in Cisco’s OpenClarity suite of cloud-native security tools. FunctionClarity signs serverless functions with Sigstore, using either a traditional key pair or Sigstore’s keyless signing.

FunctionClarity integrates with your CI/CD pipeline to sign the code before it is published. It then keeps monitoring the serverless environment for publishing events, so verification continues for the life of the function rather than stopping at deployment.

How it works

During initial setup, FunctionClarity deploys its verifier, itself a serverless function, into your cloud account. The verifier is triggered by the account’s publishing notifications, so although it is available 24/7 it only runs when a function is created or its code is modified. You can also restrict its scope to functions carrying particular tags.


Once that environment exists, FunctionClarity runs as part of your pipeline to sign either a .zip package or a container image. If you don’t supply a key pair, it can generate one, or you can use Sigstore’s keyless flow; either way, Sigstore’s Cosign produces the signature, which is then stored in the cloud. FunctionClarity then pushes the same code to the cloud provider and sets up the function for operation. Just like any other change to a function, this publish triggers the verifier.

The verifier fetches the published code, computes its digest, and checks that digest against the signatures your pipeline established. If no valid signature from the trusted key (or keyless identity) covers that code, FunctionClarity tags the function accordingly and gives you the option to block it or to be notified of the violation.
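The whole flow from pipeline to verifier, as an added example in Go that is not FunctionClarity’s own code: an ECDSA P-256 key stands in for the cosign key pair (or keyless identity), an in-memory map stands in for the cloud storage that holds signatures, the publish notification has an assumed simplified shape with assumed event names rather than the real provider payload, and the artifact bytes are constructed. The pipeline step signs the SHA-256 digest of the artifact; the verifier step recomputes the digest of whatever is actually deployed and checks it, so an in-place edit surfaces as "unsigned" and a signature made with some other key surfaces as "signature-mismatch". The handler also shows the two filters described above: only create/update-code events are acted on, and only functions carrying the scope tag are checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Verdict is the tag the verifier attaches to a function after checking it.
type Verdict string

const (
	Verified   Verdict = "verified"           // a pipeline-key signature covers this digest
	Unsigned   Verdict = "unsigned"           // no signature stored for this digest
	Mismatch   Verdict = "signature-mismatch" // signature present, but not from the pipeline key
	OutOfScope Verdict = "out-of-scope"       // function lacks the scope tag, so it is not checked
	Ignored    Verdict = "ignored"            // notification is not a create/update-code event
)

// PublishEvent is an assumed, simplified shape for the provider's publish notification
// (the real AWS CloudTrail/EventBridge payload is different).
type PublishEvent struct {
	EventName    string            `json:"eventName"`
	FunctionName string            `json:"functionName"`
	Tags         map[string]string `json:"tags"`
}

// SignatureStore stands in for the cloud storage that holds signatures, keyed by the
// hex SHA-256 digest of the artifact each one covers.
type SignatureStore map[string][]byte

// signArtifact is the pipeline step: hash the .zip (or image) bytes, sign the digest
// with the pipeline key (an ECDSA P-256 key standing in for the cosign key pair), and
// store the signature under that digest before the code is published.
func signArtifact(priv *ecdsa.PrivateKey, store SignatureStore, artifact []byte) error {
	sum := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, sum[:])
	if err != nil {
		return err
	}
	store[hex.EncodeToString(sum[:])] = sig
	return nil
}

// verifyDeployed is the verifier step: recompute the digest of what is actually deployed,
// look up the signature stored for it, and check it against the pipeline's public key.
func verifyDeployed(pub *ecdsa.PublicKey, store SignatureStore, deployed []byte) Verdict {
	sum := sha256.Sum256(deployed)
	sig, ok := store[hex.EncodeToString(sum[:])]
	if !ok {
		return Unsigned // edited in place: the new digest has no signature at all
	}
	if !ecdsa.VerifyASN1(pub, sum[:], sig) {
		return Mismatch // someone stored a signature, but not with the trusted key
	}
	return Verified
}

// handlePublishEvent is the verifier's entry point; fetch stands in for the provider
// API call that downloads the function's current code.
func handlePublishEvent(raw []byte, scopeTag string, pub *ecdsa.PublicKey,
	store SignatureStore, fetch func(functionName string) []byte) (Verdict, error) {
	var ev PublishEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return "", err
	}
	switch ev.EventName {
	case "CreateFunction", "UpdateFunctionCode": // assumed names for the publish events
	default:
		return Ignored, nil
	}
	if _, tagged := ev.Tags[scopeTag]; scopeTag != "" && !tagged {
		return OutOfScope, nil
	}
	return verifyDeployed(pub, store, fetch(ev.FunctionName)), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	store := SignatureStore{}
	artifact := []byte("PK\x03\x04 constructed stand-in for handler.zip") // not a real zip
	if err := signArtifact(priv, store, artifact); err != nil {
		panic(err)
	}
	deployed := map[string][]byte{"orders-api": artifact} // what the provider currently holds
	fetch := func(name string) []byte { return deployed[name] }
	event := []byte(`{"eventName":"UpdateFunctionCode","functionName":"orders-api","tags":{"clarity":"on"}}`)
	v, _ := handlePublishEvent(event, "clarity", &priv.PublicKey, store, fetch)
	fmt.Println("after pipeline publish:", v) // verified
	deployed["orders-api"] = append(append([]byte{}, artifact...), "\n# backdoor"...)
	v, _ = handlePublishEvent(event, "clarity", &priv.PublicKey, store, fetch)
	fmt.Println("after in-place modification:", v) // unsigned
}
```

The store is keyed by digest rather than by function name on purpose: the verifier trusts nothing about the function except the bytes it can fetch, so an attacker who uses stolen credentials to swap the code cannot reuse the old signature, and one who also writes a signature of their own into the store still fails because it was not made with the pipeline key.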

By extending the code-integrity process across the entire pipeline, end to end, and by verifying continuously after deployment, FunctionClarity adds an independent layer of protection for your serverless applications. To learn more about FunctionClarity or to download the application and get started, visit the project's GitHub repository. You’re also welcome to join us in developing FunctionClarity and expanding support beyond the initial AWS Lambda service to Microsoft Azure and Google Cloud Platform!