Abstract: A system and method for providing network security for serverless functions. The method includes inspecting network traffic between a pod and at least one network, wherein the pod is an instance of a software container configured to execute at least one serverless function, wherein each serverless function accesses at least one service via the at least one network; detecting a violation of a network profile created for each of the at least one serverless function based on the inspected traffic, wherein each network profile defines a whitelist of normal network behavior of the respective serverless function with respect to the at least one service, wherein the normal behavior includes a plurality of properties of normal inputs and normal outputs for the serverless function, wherein the detected violation is a deviation from the whitelist of normal network behavior; and performing at least one mitigation action when the violation is detected.
Abstract: A system and method for protecting a serverless Function as a Service (FaaS) platform from vulnerabilities are provided. The method includes receiving input and output (I/O) communication directed to a serverless function executed over the FaaS platform; analyzing the received I/O communication by applying a predefined set of filtration rules, wherein the predefined set of filtration rules includes input filtration rules and output filtration rules that are applied independently to the received I/O communication; detecting, based on the analysis against the predefined set of filtration rules, at least one malicious I/O pattern; and alerting on a detected vulnerability when the at least one malicious I/O pattern is detected.
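The independent input and output filtration described in the abstract above, as an added example (this is not code from the patent): one rule set is applied to the event that invokes the function and a separate rule set to what the function returns, so a clean input never suppresses an output finding and vice versa. The rule patterns, the `guarded_invoke` wrapper and the sample handlers are illustrative assumptions, not a complete ruleset.

```python
"""Independent input and output filtration for a FaaS function's I/O.

Added example, not code from the patent. Two rule sets are evaluated
separately: INPUT_RULES against the invoking event, OUTPUT_RULES against
the response, and both results are reported so that either side alone can
raise the alert. Patterns are illustrative assumptions.
"""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern  # applied to the JSON-serialized payload


# Input side: patterns a malicious caller would put in the event payload.
INPUT_RULES: List[Rule] = [
    Rule("sql-injection", re.compile(r"(?i)\bunion\s+select\b|['\"]\s*(or|and)\s+\d+\s*=\s*\d+")),
    Rule("os-command", re.compile(r"[;&|`]\s*(cat|ls|wget|curl|nc|sh)\b")),
    Rule("path-traversal", re.compile(r"\.\./")),
]

# Output side: things a function should never hand back to a caller.
OUTPUT_RULES: List[Rule] = [
    Rule("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    Rule("private-key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    Rule("stack-trace", re.compile(r"Traceback \(most recent call last\)")),
]


def apply_rules(rules: List[Rule], payload: str) -> List[str]:
    """Return the names of every rule whose pattern matches the payload."""
    return [r.name for r in rules if r.pattern.search(payload)]


def guarded_invoke(handler: Callable[[dict], dict], event: dict) -> Dict:
    """Invoke handler and filter its input and output independently.

    The abstract describes alerting rather than blocking, so the handler is
    still run; a deployment that prefers to block would return early when
    input_hits is non-empty.
    """
    event_text = json.dumps(event, sort_keys=True)
    input_hits = apply_rules(INPUT_RULES, event_text)

    response = handler(event)

    response_text = json.dumps(response, sort_keys=True, default=str)
    output_hits = apply_rules(OUTPUT_RULES, response_text)

    return {
        "response": response,
        "input_hits": input_hits,
        "output_hits": output_hits,
        "alert": bool(input_hits or output_hits),  # either side alone is enough
    }


# Constructed handlers for demonstration: one well-behaved, one that leaks.
def lookup_order(event: dict) -> dict:
    return {"order": event.get("id"), "status": "ok"}


def leaky_handler(event: dict) -> dict:
    # AKIAIOSFODNN7EXAMPLE is the placeholder key id used in AWS documentation.
    return {"order": event.get("id"), "debug": "key=AKIAIOSFODNN7EXAMPLE"}


if __name__ == "__main__":
    print(guarded_invoke(lookup_order, {"id": "1' OR 1=1 --"}))
    print(guarded_invoke(leaky_handler, {"id": "42"}))
```

Because the two rule sets are evaluated on different payloads and their results are kept apart, a response that leaks a key is flagged even when the request that triggered it was entirely benign, which is the case a single combined filter on the request would miss.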
Abstract: A system and method for protecting against flow manipulation of serverless functions. The method includes creating a profile for a serverless function, wherein the profile is created as an empty profile; generating a plurality of policies based on a plurality of log entries, wherein the plurality of policies defines allowable operations for the serverless function, wherein the plurality of log entries is recorded during monitoring of operation of the serverless function; updating the profile based on the plurality of policies to create a final profile, wherein the final profile includes at least one of the plurality of policies; monitoring operation of the serverless function to detect at least one violation of the profile, wherein the at least one violation includes a deviation from the allowable operations; and performing at least one mitigation action when the at least one violation of the profile is detected.
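The learned-whitelist profile described in the two abstracts above (the network profile of a function's normal traffic to its services, and the flow-manipulation profile that starts empty, is filled with policies generated from monitoring logs, and is then finalized and enforced), as one added example that is not code from either patent. The log fields, the size slack factor and the mitigation chosen per violation kind are assumptions made for this example.

```python
"""Learned whitelist profile for a serverless function, built from logs.

Added example, not code from the patents. A Profile starts empty; learn()
generates one Policy per distinct (protocol, destination, port, action)
seen in the monitoring log, recording the largest request and response
sizes as the normal envelope; finalize() freezes it; check() reports any
deviation as a Violation carrying a mitigation action. Field names, SLACK
and the block/alert choices are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (protocol, destination, port, action) identifies one allowed operation.
PolicyKey = Tuple[str, str, int, str]


@dataclass
class Policy:
    key: PolicyKey
    max_req: int   # largest request the function sent to this peer while learning
    max_resp: int  # largest response it received from this peer while learning

    def observe(self, req_bytes: int, resp_bytes: int) -> None:
        self.max_req = max(self.max_req, req_bytes)
        self.max_resp = max(self.max_resp, resp_bytes)


@dataclass
class Profile:
    function: str
    policies: Dict[PolicyKey, Policy] = field(default_factory=dict)  # empty at creation
    final: bool = False


@dataclass(frozen=True)
class Violation:
    kind: str
    detail: str
    action: str  # mitigation action chosen for this kind of deviation


SLACK = 2.0  # assumption: sizes up to 2x the learned maximum still count as normal


def policy_key(entry: dict) -> PolicyKey:
    return (entry["proto"], entry["dst"], int(entry["port"]), entry["action"])


def learn(profile: Profile, log_entries: List[dict]) -> Profile:
    """Generate policies from log entries recorded while monitoring the function."""
    if profile.final:
        raise ValueError("profile is final; relearning requires a new profile")
    for entry in log_entries:
        if entry["function"] != profile.function:
            continue  # the log stream is shared across functions; keep only ours
        key = policy_key(entry)
        policy = profile.policies.get(key)
        if policy is None:
            profile.policies[key] = Policy(key, entry["req_bytes"], entry["resp_bytes"])
        else:
            policy.observe(entry["req_bytes"], entry["resp_bytes"])
    return profile


def finalize(profile: Profile) -> Profile:
    profile.final = True
    return profile


def check(profile: Profile, event: dict) -> Optional[Violation]:
    """Return a Violation for any deviation from the whitelist, else None."""
    key = policy_key(event)
    policy = profile.policies.get(key)
    if policy is None:
        # A peer or operation never seen during learning is the strongest
        # signal of flow manipulation, so the mitigation is to block it.
        return Violation("unknown-operation", f"{key[0]} {key[3]} {key[1]}:{key[2]}", "block")
    if event["req_bytes"] > policy.max_req * SLACK:
        return Violation("request-size", f"{event['req_bytes']} bytes > {policy.max_req}", "alert")
    if event["resp_bytes"] > policy.max_resp * SLACK:
        return Violation("response-size", f"{event['resp_bytes']} bytes > {policy.max_resp}", "alert")
    return None


# Constructed monitoring log: two functions sharing one log stream.
MONITORING_LOG = [
    {"function": "checkout", "proto": "https", "dst": "api.payments.internal", "port": 443,
     "action": "POST", "req_bytes": 512, "resp_bytes": 256},
    {"function": "checkout", "proto": "https", "dst": "api.payments.internal", "port": 443,
     "action": "POST", "req_bytes": 640, "resp_bytes": 300},
    {"function": "checkout", "proto": "dynamodb", "dst": "orders", "port": 443,
     "action": "PutItem", "req_bytes": 1024, "resp_bytes": 64},
    {"function": "thumbnail", "proto": "https", "dst": "images.internal", "port": 443,
     "action": "GET", "req_bytes": 100, "resp_bytes": 90000},
]


def build_checkout_profile() -> Profile:
    """Empty profile -> policies from the log -> final profile."""
    return finalize(learn(Profile("checkout"), MONITORING_LOG))


if __name__ == "__main__":
    prof = build_checkout_profile()
    exfil = {"function": "checkout", "proto": "https", "dst": "attacker.example", "port": 443,
             "action": "POST", "req_bytes": 50000, "resp_bytes": 10}
    print(check(prof, exfil))
```

The split between a hard block for unknown operations and an alert for size anomalies is the usual practical compromise: a new destination is almost never legitimate once the profile is final, while a larger-than-usual payload is often a benign change and is better raised for review than dropped.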
Abstract: A system and method for securing credentials utilized by serverless functions. The method includes removing a first set of credentials from a serverless function, wherein the first set of credentials is used to access a service; and replacing, in a request for the service, a second set of credentials with the first set of credentials, wherein the request is intercepted in-line between the serverless function and the service.
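The in-line credential substitution described above, as an added example that is not code from the patent: the real credential (the first set) is stripped from the function's configuration and replaced with a placeholder (the second set); an interceptor on the path between function and service swaps the placeholder for the real credential, so function code, and anyone who dumps its environment, never holds the real secret. The placeholder prefix, the `_TOKEN`/`_KEY` naming convention, the header format and the binding of each placeholder to one destination host are assumptions made for this example.

```python
"""In-line credential substitution for a serverless function.

Added example, not code from the patent. strip_credentials() removes real
secrets from the function environment and keeps them in a vault mapping;
Interceptor.forward() replaces the placeholder in an outgoing request with
the real credential, but only for the host the placeholder is bound to.
Names and formats are assumptions.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlparse

PLACEHOLDER_PREFIX = "vault-ref:"  # assumption: marks a placeholder (second set) credential


@dataclass
class Request:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def strip_credentials(env: Dict[str, str],
                      secret_suffixes: Tuple[str, ...] = ("_TOKEN", "_KEY")
                      ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (sanitized env for the function, placeholder -> real secret for the vault)."""
    sanitized, vault = {}, {}
    for name, value in env.items():
        if name.endswith(secret_suffixes):  # assumption: naming convention marks secrets
            placeholder = PLACEHOLDER_PREFIX + name.lower()
            vault[placeholder] = value
            sanitized[name] = placeholder
        else:
            sanitized[name] = value
    return sanitized, vault


class Interceptor:
    """Sits in-line between function and service; the only holder of the vault."""

    def __init__(self, vault: Dict[str, str], bindings: Dict[str, str]):
        self._vault = vault
        self._bindings = bindings  # placeholder -> the one host it may be sent to

    def forward(self, req: Request) -> Request:
        scheme, _, token = req.headers.get("Authorization", "").partition(" ")
        if not token.startswith(PLACEHOLDER_PREFIX):
            return req  # nothing to substitute; pass through unchanged
        host = urlparse(req.url).hostname
        if self._bindings.get(token) != host:
            # A compromised function could otherwise point the placeholder at an
            # attacker host and have the interceptor attach the real secret to it.
            raise PermissionError(f"{token} may not be sent to {host}")
        headers = dict(req.headers)
        headers["Authorization"] = f"{scheme} {self._vault[token]}"
        return Request(req.url, headers, req.body)


REAL_TOKEN = "real-payments-token-0123"  # constructed secret for the demo


def payments_service(req: Request) -> int:
    """Constructed service: accepts only the real credential."""
    _, _, token = req.headers.get("Authorization", "").partition(" ")
    return 200 if hmac.compare_digest(token, REAL_TOKEN) else 401


def checkout_function(env: Dict[str, str],
                      target: str = "https://api.payments.internal/charge") -> Request:
    """Function code unchanged from a naive deployment: it reads the credential
    from its environment, which now only ever contains the placeholder."""
    return Request(target, {"Authorization": f"Bearer {env['PAYMENTS_API_TOKEN']}"},
                   '{"amount": 1000}')


def demo() -> Dict[str, object]:
    env, vault = strip_credentials({"PAYMENTS_API_TOKEN": REAL_TOKEN, "REGION": "eu-west-1"})
    proxy = Interceptor(vault, {PLACEHOLDER_PREFIX + "payments_api_token": "api.payments.internal"})
    req = checkout_function(env)
    return {
        "function_sees_real_secret": REAL_TOKEN in env.values(),
        "direct_status": payments_service(req),                # placeholder alone is useless
        "proxied_status": payments_service(proxy.forward(req)),  # substituted in-line
    }


if __name__ == "__main__":
    print(demo())
```

The scheme only holds if the interceptor is genuinely in-line on the function's only path to the service (an egress proxy or sidecar the function cannot bypass) and the vault is not readable from the function's runtime; the host binding check is what keeps a compromised function from turning the interceptor into a credential oracle for arbitrary destinations.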
Abstract: A method and system for reducing a cold start latency when invoking serverless functions on a FaaS platform are provided. The method comprises migrating serverless functions to the FaaS platform; per each migrated serverless function, pre-creating a plurality of software containers with non-generic resources; distributing the pre-created non-generic software containers across nodes of the FaaS platform; pre-creating a plurality of software containers with generic resources; executing the plurality of generic software containers across nodes of the FaaS platform; and upon receiving a first request to invoke a migrated serverless function, merging the respective non-generic software container with a generic software container.
Abstract: A scalable platform for providing functions as a service (FaaS). Software container pods are defined. Each pod is a software container including code for a respective function that acts as a template for that function. When a function is called, a new instance of a corresponding pod is added if no pods are available. Instances of the same pod may share memory until one of the instances is modified. Calling of functions may be delayed depending on a type of event involving the function.