FaaSGuard: Secure CI/CD for Serverless Applications -- An OpenFaaS Case Study

📅 2025-09-04
📈 Citations: 0
Influential: 0
📄 PDF

career value

164K/year
🤖 AI Summary
To address the lack of end-to-end security protection in CI/CD pipelines for open-source Serverless platforms (e.g., OpenFaaS), this paper proposes the first unified DevSecOps pipeline tailored for open-source Serverless environments. Our approach integrates static code analysis, dynamic behavior monitoring, secret scanning, and resource-constraint policies to deliver lightweight, fault-closed security checks, deeply embedded across all CI/CD stages. Unlike existing ad hoc security practices, our work provides the first systematic, low-overhead defense spanning the entire Serverless development lifecycle—effectively mitigating common threats such as injection attacks and hardcoded secrets. Evaluation on 20 real-world Serverless functions demonstrates 95% precision and 91% recall in vulnerability detection, with negligible runtime overhead.

Technology Category

Application Category

📝 Abstract
Serverless computing significantly alters software development by abstracting infrastructure management and enabling rapid, modular, event-driven deployments. Despite its benefits, the distinct characteristics of serverless functions, such as ephemeral execution and fine-grained scalability, pose unique security challenges, particularly in open-source platforms like OpenFaaS. Existing approaches typically address isolated phases of the DevSecOps lifecycle, lacking an integrated and comprehensive security strategy. To bridge this gap, we propose FaaSGuard, a unified DevSecOps pipeline explicitly designed for open-source serverless environments. FaaSGuard systematically embeds lightweight, fail-closed security checks into every stage of the development lifecycle-planning, coding, building, deployment, and monitoring-effectively addressing threats such as injection attacks, hard-coded secrets, and resource exhaustion. We validate our approach empirically through a case study involving 20 real-world serverless functions from public GitHub repositories. Results indicate that FaaSGuard effectively detects and prevents critical vulnerabilities, demonstrating high precision (95%) and recall (91%) without significant disruption to established CI/CD practices.
Problem

Research questions and friction points this paper is trying to address.

Securing serverless CI/CD pipelines in OpenFaaS
Addressing unique security challenges of ephemeral functions
Integrating comprehensive security across DevSecOps lifecycle stages
Innovation

Methods, ideas, or system contributions that make the work stand out.

Unified DevSecOps pipeline for serverless
Lightweight fail-closed security checks integration
Empirical validation with real GitHub functions
🔎 Similar Papers
No similar papers found.
A
Amine Barrak
Department of Computer Science and Engineering, Oakland University, Rochester, MI, USA
Emna Ksontini
Emna Ksontini
University of North Calorina Wilmington ( UNCW )
Software EngineeringAI for SEInfrastucture as Code
R
Ridouane Atike
University of Quebec at Chicoutimi, Chicoutimi, QC, Canada
F
Fehmi Jaafar
University of Quebec at Chicoutimi, Chicoutimi, QC, Canada