Scan types and monitoring
Contrast Serverless supports these types of scans and monitoring:
Static scans
This scan automatically scans, in close to real-time, relevant static code and configuration assessments to discover new vulnerabilities in the following categories:
Least privilege: Discovers IAM vulnerabilities (over permissive functions) within serverless workload before deployment and recommends permission remediations.
Contrast SCA - Provides SCA for open-source libraries using the Contrast SCA engine.
The scan has no permanent effect on your code.
Dynamic scans
This scan type looks at dynamic assessments based on a specific update introduced to the tested environment. These scans are invoked with S3, API Gateway, and Dynamo DB functions.
It executes automatically, close to real-time, providing dynamic assessments, based on the specific update introduced to the tested environment. The dynamic scans are based on the interpretation of the OWASP Top 10 benchmark. For example:
SQL injection
Code injection
Local file inclusion (LFI)
During a dynamic scan, Contrast tries to send malicious input to the code and then, exercises the code to discover vulnerabilities. This action does not affect your code, however, a scanned function is invoked.
Instrumented Dynamic analysis
Note
It is required to use testing coverage when performing an instrumented dynamic scan.
This option is recommended for selection when specifying scan settings.
In AWS accounts, instrumented dynamic analysis uncovers all exploitable AWS Lambda functions. With support for the latest AWS Lambda services you can uncover security issues in AWS Step Functions – a service that coordinates multiple Lambda functions into flexible workflows.
Uncover OWASP Top Ten vulnerabilities including:
Injections (content, OS command, limited SQL, code)
Cross-site scripting (XSS)
Local file inclusion (LFI)
In addition, it provides improved AWS account observability and increased security coverage by uncovering all serverless account assets including unused functions (shadow functions). These unused functions are usually not maintained and contain outdated dependencies leading to potential vulnerabilities.
Continuous monitoring
Once you connect to an account from Contrast, Contrast Serverless monitors this account. As you make changes to your functions' code or configurations, Contrast automatically initiates a new scan.