Re: Is there a need for serverless security when using cloud WAF?
A Cloud WAF can definitely be used to filter malicious input in HTTP events that trigger serverless functions, however there are severe limitations to this solution:
1) It will only inspect HTTP/HTTPS events, while in reality, serverless functions consume event data from a wide range of events *other* than HTTP - such as cloud file storage, cloud NoSQL database, data streams, etc.
2) Even when inspecting HTTP based events, WAFs have limitations with properly detecting payloads in certain message types and formats, specifically - JSON, WebSockets, and MQTT.
3) WAFs apply the protection outside the application - so they can only provide detection of malicious payloads in event data. They cannot protect a serverless function that consumes data over API calls from within the function. This requires behavioral protection, that can inspect function behavior rather than scan inputs.