
@puresec/function-shield


Regain security control over your serverless runtime

  • 2.0.11
  • npm

Weekly downloads: 297 (increased by 6.45%)
Maintainers: 2

FunctionShield

Serverless Security Library for Developers. Regain Control over Your Serverless Runtime.

How Does FunctionShield Help with Serverless Security?

  • By monitoring (or blocking) outbound network traffic from your function, you can be certain that your data is never leaked
  • By disabling read/write operations on the /tmp/ directory, you can make your function truly ephemeral
  • By disabling the ability to launch child processes, you can make sure that no rogue processes are spawned without your knowledge by potentially malicious packages
  • By disabling the ability to read the function's (handler) source code through the file system, you can prevent handler source code leakage, which is oftentimes the first step in a serverless attack

Supports AWS Lambda and Google Cloud Functions

Get a free token

Please visit: https://www.puresec.io/function-shield-token-form

Install

$ npm install @puresec/function-shield

Super simple to use

const FunctionShield = require("@puresec/function-shield");
FunctionShield.configure({
    policy: {
        // "block" mode => active blocking
        // "alert" mode => log only
        // "allow" mode => allowed, implicitly occurs if key does not exist
        outbound_connectivity: "block",
        read_write_tmp: "block",
        create_child_process: "block",
        read_handler: "block"
    },
    token: process.env.FUNCTION_SHIELD_TOKEN
});

exports.hello = async (event) => {
    // ... your code
};

Logging & Security Visibility

FunctionShield logs are sent directly to your function's AWS CloudWatch log group. Here are a few sample logs, demonstrating the log format you should expect:

// Log example #1:
{
    "details": {
        "host": "microsoft.com",
        "ip": "13.77.161.179"
    },
    "function_shield": true,
    "timestamp": "2019-06-19T09:08:00.455144Z",
    "policy": "outbound_connectivity",
    "mode": "block"
}

// Log example #2:
{
    "details": {
        "path": "/tmp/block"
    },
    "function_shield": true,
    "timestamp": "2019-06-19T09:08:00.422553Z",
    "policy": "read_write_tmp",
    "mode": "block"
}

// Log example #3:
{
    "details": {
        "arguments": [
            "uname",
            "-a"
        ],
        "path": "/bin/uname"
    },
    "function_shield": true,
    "timestamp": "2019-06-19T09:08:00.469822Z",
    "policy": "create_child_process",
    "mode": "block"
}

// Log example #4:
{
    "details": {
        "path": "/var/task/handler.js"
    },
    "function_shield": true,
    "timestamp": "2019-06-19T09:08:00.433942Z",
    "policy": "read_handler",
    "mode": "block"
}
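
One way to triage these events once the log lines have been exported from CloudWatch, as an added example that is not part of the FunctionShield package or its documentation. It assumes each event arrives as a single-line JSON object, possibly after a log prefix; the function names and the sample lines are constructed for illustration.

```javascript
// Added example: triage FunctionShield events in exported CloudWatch log lines.
// Field names follow the sample logs above; one JSON object per line is an assumption.
const POLICIES = new Set(["outbound_connectivity", "read_write_tmp", "create_child_process", "read_handler"]);

// Return the FunctionShield event carried by a log line, or null for anything else.
// Assumption: a line may have a prefix before the JSON, so parse from the first "{".
function parseShieldEvent(line) {
    const start = line.indexOf("{");
    if (start === -1) return null;
    let ev;
    try {
        ev = JSON.parse(line.slice(start));
    } catch (err) {
        return null; // not JSON: ordinary application output
    }
    if (ev === null || typeof ev !== "object" || ev.function_shield !== true) return null;
    if (ev.details === null || typeof ev.details !== "object") return null;
    return POLICIES.has(ev.policy) && ["block", "alert"].includes(ev.mode) ? ev : null;
}

// Describe what the event touched, using the per-policy "details" fields.
function describeTarget(ev) {
    const d = ev.details;
    if (ev.policy === "outbound_connectivity") return `${d.host} (${d.ip})`;
    if (ev.policy === "create_child_process") return `${d.path} [${(d.arguments || []).join(" ")}]`;
    return String(d.path); // read_write_tmp and read_handler
}

// Group by mode and policy; "alert" events were logged only, not stopped.
function summarize(lines) {
    const summary = { blocked: {}, alertedOnly: {}, ignored: 0 };
    for (const line of lines) {
        const ev = parseShieldEvent(line);
        if (!ev) { summary.ignored += 1; continue; }
        const bucket = ev.mode === "block" ? summary.blocked : summary.alertedOnly;
        bucket[ev.policy] = bucket[ev.policy] || [];
        bucket[ev.policy].push(`${ev.timestamp} ${describeTarget(ev)}`);
    }
    return summary;
}

// Constructed sample lines, modelled on the log examples above.
const sampleLines = [
    "START RequestId: 00000000-0000-0000-0000-000000000000 Version: $LATEST",
    '{"level":"info","msg":"handled request"}',
    '{"details":{"host":"microsoft.com","ip":"13.77.161.179"},"function_shield":true,"timestamp":"2019-06-19T09:08:00.455144Z","policy":"outbound_connectivity","mode":"block"}',
    '{"details":{"arguments":["uname","-a"],"path":"/bin/uname"},"function_shield":true,"timestamp":"2019-06-19T09:08:00.469822Z","policy":"create_child_process","mode":"alert"}',
];
console.log(JSON.stringify(summarize(sampleLines), null, 2));
```

Entries under alertedOnly are the ones to review before switching that policy from "alert" to "block".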

Reconfiguring FunctionShield

FunctionShield.configure can be called multiple times, for example to temporarily disable one of the policies.

Note that every subsequent call to FunctionShield.configure must include an additional parameter, cookie, set to the value returned by the first call.

const FunctionShield = require("@puresec/function-shield");
const got = require("got");

// The first call returns a cookie that every later call must pass back.
const cookie = FunctionShield.configure({
    policy: {
        outbound_connectivity: "block",
        read_write_tmp: "block",
        create_child_process: "block",
        read_handler: "block"
    },
    token: process.env.FUNCTION_SHIELD_TOKEN
});

exports.hello = async (event) => {
    // ...
    // Temporarily allow outbound connections for this one request.
    FunctionShield.configure({
        cookie: cookie,
        policy: {
            outbound_connectivity: "allow"
        }
    });

    let response;
    try {
        response = await got("https://api.company.com/users");
    } finally {
        // Restore blocking even if the request throws.
        FunctionShield.configure({
            cookie: cookie,
            policy: {
                outbound_connectivity: "block"
            }
        });
    }
    // ...
};

Custom Security Policy (whitelisting)

Custom security policy is only supported with the PureSec SSP full product.

Get PureSec


Package last updated on 13 Aug 2019
