Manage the security assessment for serverless functions

When applications are designed and implemented with serverless functions, the number of functions you need to protect can grow large. That makes it hard to keep a clear view of the overall security assessment, of every function, and of the state of each function's security controls.

The Assessment view enables you to review your security assessment and to work on improving your security score for the serverless functions. It lists all of the serverless functions configured in the cloud provider account. You can review these functions along with the overall security score and each function's security controls status. Unlike the other Application Security views, this view is not filtered by group, but provides an overall view of the account.

Click the Assessment icon to open the Assessment view. The Assessment view consists of the following views:

  • Exemption management
  • Assessment Reports
  • Vulnerable Libraries
  • Cloud Provider Accounts

Exemption management

This section lets you manage the exemptions that affect the Assessment Reports view. The Include Exempted Functions toggle refreshes the reports so that exempted functions are counted in them. To manage how functions are exempted, see Exemption management.

Assessment Reports view

This is the first view that you see when you go to the Assessment view. The view has three sections:

  • Functions Protection summary reports. This section summarizes how your functions are protected by Application Security. The left-hand side shows how many functions are protected right now. The right-hand side is the Function Protection Evolution graph, a stacked bar graph of the number of functions in each status over a selectable period -- Last 7 days, Last 14 days or Last Month -- so you can see when functions were added or changed status. The statuses are:

    • Unprotected. Functions that either have no Application Security protection runtime configured, or have a protection runtime configured but every security control disabled.

    • Partially protected. Functions that have Application Security protection layers or runtimes configured, with at least one enabled protection type in the security controls set to report.

    • Protected. Functions that have Application Security protection layers or runtimes configured, with every enabled protection type in the security controls set to mitigate. Application Security does not require that every protection type be enabled, because there are sometimes technical reasons to disable one; a function with some protection types disabled and all remaining ones set to mitigate still counts as Protected.

    • Exempted. (Optional) Functions that have been marked as Exempted. They are displayed only when Include Exempted Functions is enabled.
  • Library Vulnerabilities summary. This section shows the current state of known vulnerabilities in the libraries your functions use. On the left is the Function Vulnerabilities Summary, the current state of library vulnerabilities. On the right is the Function Vulnerabilities Evolution chart, which shows how that state changed over a selectable period -- Last 7 days, Last 14 days or Last Month.

  • Functions Inventory. This table lists every function found in your linked providers. Click a row to open more details about the function, or to create an exemption rule for it. For more information, see Exemption management.

The list contains the following fields:

  • Function Name
  • Provider
  • Cloud Account ID
  • Region
  • Protection
  • Group Name
  • Vulnerability

You can also group and filter the functions with the controls above the table.
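The Function Protection statuses defined above are easy to misread when a function has some protection types deliberately disabled. The script below encodes those rules so you can classify an exported inventory yourself and reproduce the summary counts. It is an added example, not code from Application Security or its documentation: the record layout (a has_runtime flag, a dict of control name to state, an exempted flag), the control names and the sample inventory are assumptions made for illustration; only the status rules come from the report definitions.

```python
"""Classify serverless functions into the Function Protection statuses.

Added example, not code from Application Security or its documentation.
The record layout (has_runtime, a dict of control name -> state, exempted
flag) and the control names are assumptions made for illustration; only the
status rules come from the report definitions.
"""
from enum import Enum
from typing import Dict, List, Optional


class Status(str, Enum):
    UNPROTECTED = "Unprotected"
    PARTIALLY_PROTECTED = "Partially protected"
    PROTECTED = "Protected"
    EXEMPTED = "Exempted"


# A control is either disabled, reporting only, or actively mitigating.
VALID_STATES = {"disabled", "report", "mitigate"}


def classify(has_runtime: bool, controls: Dict[str, str],
             exempted: bool = False, include_exempted: bool = False) -> Optional[Status]:
    """Return the status the summary report would show for one function, or
    None when the function is exempted and exempted functions are hidden."""
    if exempted:
        return Status.EXEMPTED if include_exempted else None
    unknown = set(controls.values()) - VALID_STATES
    if unknown:
        raise ValueError(f"unknown control state(s): {sorted(unknown)}")
    enabled = [state for state in controls.values() if state != "disabled"]
    # No protection runtime, or a runtime with every control disabled.
    if not has_runtime or not enabled:
        return Status.UNPROTECTED
    # Runtime present but at least one enabled control only reports.
    if "report" in enabled:
        return Status.PARTIALLY_PROTECTED
    # Every enabled control mitigates; disabled controls are not held against
    # the function, since some protection types may be off for technical reasons.
    return Status.PROTECTED


def summarize(functions: List[dict], include_exempted: bool = False) -> Dict[str, int]:
    """Count functions per status, mirroring the Functions Protection summary."""
    counts = {status.value: 0 for status in Status}
    for fn in functions:
        status = classify(fn["has_runtime"], fn["controls"],
                          fn.get("exempted", False), include_exempted)
        if status is not None:
            counts[status.value] += 1
    return counts


# Constructed inventory; function names and control states are made up.
SAMPLE_INVENTORY = [
    {"name": "orders-api", "has_runtime": True,
     "controls": {"sqli": "mitigate", "rce": "mitigate", "file_access": "disabled"}},
    {"name": "image-resize", "has_runtime": True,
     "controls": {"sqli": "mitigate", "rce": "report"}},
    {"name": "legacy-cron", "has_runtime": False, "controls": {}},
    {"name": "metrics-flush", "has_runtime": True,
     "controls": {"sqli": "disabled", "rce": "disabled"}},
    {"name": "canary-test", "has_runtime": True,
     "controls": {"sqli": "report"}, "exempted": True},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_INVENTORY))
    print(summarize(SAMPLE_INVENTORY, include_exempted=True))
```

Note that orders-api counts as Protected even though one control is disabled, while metrics-flush, which has a runtime but nothing enabled, is Unprotected; canary-test only appears in the counts when include_exempted is set, just like the Include Exempted Functions toggle.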

Vulnerable Libraries view

This view provides a list of the vulnerable libraries. The list contains the following fields:

  • Name
  • Version
  • Language
  • Vulnerabilities
  • Affected Functions

You can filter the list by including or excluding exempted functions.

Cloud Provider Accounts view

This view lists the cloud provider accounts used for the assessment reports. You can also add cloud provider accounts to Application Security here. The list contains the following fields:

  • Name
  • ConnectionID
  • Provider
  • State
  • LastSync

If you click the row of a cloud provider account, the Details window opens. It shows the fields above and, for AWS accounts, two additional fields:

  • aws_external_id
  • aws_role_arn

aws_role_arn is the ARN of the IAM role in your AWS account, and aws_external_id is the external ID that must be presented when that role is assumed. Make sure the role's trust policy actually requires this value in an sts:ExternalId condition; without that condition the external ID protects nothing, since any principal the trust policy allows could assume the role without knowing it.

The Details page allows you to delete or edit the account.
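The trust policy that gates the role behind aws_role_arn is what makes aws_external_id meaningful, and it is easy to ship one that names the right principal but forgets the condition. The script below builds a correct trust policy and checks an existing one for AssumeRole statements that do not require the expected external ID. It is an added example, not code from Application Security or its documentation; the account ID, external ID and the weak policy are made up, and which AWS account assumes the role is an assumption you must replace with the one shown in the product.

```python
"""Trust policy for the cross-account role behind aws_role_arn / aws_external_id.

Added example, not the product's own code or documentation. The account ID
and external ID are made up, and which account assumes the role is an
assumption; the policy shape is standard IAM.
"""
import json
from typing import Any, Dict, List, Union

# Actions that would let the principal assume the role.
ASSUME_ROLE_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """IAM allows scalars or lists in most fields; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def build_trust_policy(trusted_account_id: str, external_id: str) -> Dict[str, Any]:
    """Allow only trusted_account_id to assume the role, and only when it
    presents external_id (the standard confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def statements_missing_external_id(policy: Dict[str, Any], expected_external_id: str) -> List[int]:
    """Indexes of Allow statements that grant AssumeRole without requiring
    exactly expected_external_id. An empty list means every path into the
    role is gated by the external ID."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    bad = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not set(_as_list(stmt.get("Action"))) & ASSUME_ROLE_ACTIONS:
            continue
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition keys are case-insensitive in IAM, so compare lowercased.
        ids = [v for k, v in string_equals.items() if k.lower() == "sts:externalid"]
        # A list of accepted IDs, or a different ID, is not the exact gate we want.
        if _as_list(ids[0] if ids else None) != [expected_external_id]:
            bad.append(i)
    return bad


# Constructed weak policy: the principal is right but there is no external ID
# condition, so the role can be assumed by anything in that account that can
# call AssumeRole on the caller's behalf.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    strong = build_trust_policy("111122223333", "example-external-id")
    print(json.dumps(strong, indent=2))
    print("weak policy gaps:", statements_missing_external_id(WEAK_TRUST_POLICY, "example-external-id"))
    print("strong policy gaps:", statements_missing_external_id(strong, "example-external-id"))
```

Write the output of build_trust_policy to a file and pass it to aws iam create-role with --assume-role-policy-document file://trust.json (or update-assume-role-policy for an existing role), then run statements_missing_external_id against the policy the role actually has after the change; the checker deliberately flags a condition that accepts a list of IDs, because that widens the gate beyond the single value the product shows.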