🤖 AI Summary
To address the lack of end-to-end security protection in CI/CD pipelines for open-source Serverless platforms (e.g., OpenFaaS), this paper proposes the first unified DevSecOps pipeline tailored for open-source Serverless environments. Our approach integrates static code analysis, dynamic behavior monitoring, secret scanning, and resource-constraint policies to deliver lightweight, fault-closed security checks, deeply embedded across all CI/CD stages. Unlike existing ad hoc security practices, our work provides the first systematic, low-overhead defense spanning the entire Serverless development lifecycle—effectively mitigating common threats such as injection attacks and hardcoded secrets. Evaluation on 20 real-world Serverless functions demonstrates 95% precision and 91% recall in vulnerability detection, with negligible runtime overhead.
📝 Abstract
Serverless computing significantly alters software development by abstracting infrastructure management and enabling rapid, modular, event-driven deployments. Despite its benefits, the distinct characteristics of serverless functions, such as ephemeral execution and fine-grained scalability, pose unique security challenges, particularly in open-source platforms like OpenFaaS. Existing approaches typically address isolated phases of the DevSecOps lifecycle, lacking an integrated and comprehensive security strategy. To bridge this gap, we propose FaaSGuard, a unified DevSecOps pipeline explicitly designed for open-source serverless environments. FaaSGuard systematically embeds lightweight, fail-closed security checks into every stage of the development lifecycle-planning, coding, building, deployment, and monitoring-effectively addressing threats such as injection attacks, hard-coded secrets, and resource exhaustion. We validate our approach empirically through a case study involving 20 real-world serverless functions from public GitHub repositories. Results indicate that FaaSGuard effectively detects and prevents critical vulnerabilities, demonstrating high precision (95%) and recall (91%) without significant disruption to established CI/CD practices.