Protego Introduces Damn Vulnerable Serverless App



A few weeks ago, Protego released an open source project called the Damn Vulnerable Serverless App. The project was donated to OWASP and can be used by anyone to research, teach and test security issues associated with serverless computing.
Damn Vulnerable Serverless App Details
From the project's readme file:

Damn Vulnerable Serverless Application (DVSA) is a deliberately vulnerable application aiming to be an aid for security professionals to test their skills and tools in a legal environment, help developers better understand the processes of securing serverless applications and to aid both students & teachers to learn about serverless application security in a controlled classroom environment.



The code runs on AWS Lambda, is a combination of Python and JavaScript, and includes 10 "Lessons" covering topics such as event injection, sensitive data exposure and logic vulnerabilities. It should never be deployed in a production account, since it contains many exploitable vulnerabilities by design.
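As an illustration of the event injection class that one of the lessons covers, here is a Lambda-style handler written for this page (it is an added example, not DVSA's own code). The event is a constructed, trimmed S3 object-created notification; the handler names, bucket name and key allowlist are assumptions. The point it shows is that a serverless function's input is not only the HTTP request: an S3 object key chosen by whoever can upload to the bucket reaches the function as event data, and if it is concatenated into a shell command the shell executes whatever the key contains.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# Constructed sample event in the shape of an S3 object-created notification,
# trimmed to the fields the handlers use. S3 URL-encodes object keys in the
# event payload, so the key "report.pdf; echo INJECTED" arrives as below.
SAMPLE_EVENT = {
    "Records": [
        {
            "eventSource": "aws:s3",
            "s3": {
                "bucket": {"name": "example-uploads"},  # assumed bucket name
                "object": {"key": "report.pdf%3B+echo+INJECTED"},
            },
        }
    ]
}

# Allowlist for keys the hardened handler accepts: plain path-like names only
# (assumed policy for this example).
SAFE_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,255}")


def object_key(event):
    """Extract and URL-decode the object key from the first S3 record."""
    return unquote_plus(event["Records"][0]["s3"]["object"]["key"])


def vulnerable_handler(event, context=None):
    """Builds a shell command by string concatenation from event data.

    The key is attacker-controlled, and shell=True hands the string to /bin/sh,
    so shell metacharacters in the key run as additional commands. `echo`
    stands in for a real tool such as an image converter or a malware scanner.
    """
    key = object_key(event)
    cmd = "echo processing " + key
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def hardened_handler(event, context=None):
    """Same job without the injection: reject keys outside the allowlist and
    pass the key as a discrete argv element so no shell ever parses it."""
    key = object_key(event)
    if not SAFE_KEY.fullmatch(key):
        raise ValueError(f"rejected object key: {key!r}")
    result = subprocess.run(
        ["echo", "processing", key], capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    # The vulnerable handler prints a second line, "INJECTED", that the
    # uploader smuggled in through the object key; the hardened one refuses it.
    print(vulnerable_handler(SAMPLE_EVENT), end="")
    try:
        hardened_handler(SAMPLE_EVENT)
    except ValueError as exc:
        print(exc)
```

Note that the injected command runs entirely inside the function's execution environment; nothing in it is an AWS API call, so control-plane audit logging alone will not show it. That is the visibility gap the next section is about.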

(Screenshot: example DVSA shopping cart)

(Screenshot: example DVSA payment tracking)


Demonstrate Lack of Serverless Visibility
DVSA is a good way to demonstrate how insecure coding leads to abuse and exploitation in serverless environments. As an investor in Protego, I often get to speak with organizations who are confident in their cloud monitoring investment, but do not have adequate visibility into their serverless environments. Deploying DVSA in a non-production account and checking whether the current security monitoring stack can detect, and ideally mitigate, attacks against it is a practical way to raise awareness of this attack path. Many of the attacks the lessons exercise happen inside a function's execution rather than through AWS API calls, so tooling that watches only the control plane may see nothing at all.

Conduct Training
DVSA is also well suited to training. The open source license makes it usable for any type of internal training of software developers, commercial training, open cyber security classes such as those hosted at Cybrary, and capture-the-flag exercises. Perhaps the best type of training is hands-on experimentation, which OWASP has long supported through projects like this one. Having a real vulnerable target running in a serverless environment makes any type of training realistic.

Test Serverless Security Products
If your organization is considering serverless security monitoring solutions, a target like DVSA makes it easy to see how well those tools deploy into and monitor your serverless environment. Because the vulnerabilities present are known in advance, you can check which of them each tool actually detects rather than relying on vendor claims.

About Protego
Protego offers a comprehensive solution to reduce the serverless attack surface, observe a wide variety of attacks and prevent the attacks when they happen. The platform minimizes the cost of performing security monitoring in a serverless environment and maximizes the visibility of all activity and code. Protego has been recognized with a variety of accolades, including SC Magazine's list of 2018 innovators, a mention by Amazon's CTO in his 2018 re:Invent keynote and the 2018 Frost & Sullivan Global New Product Innovation award. If you have code running in AWS Lambda, testing Protego is very easy and you can be up and running in less than 30 minutes.