A curated list of serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.
- AWS Lambda Security
- Security Tools / Solutions
- Azure Functions Security
- Google Cloud Functions Security
- Serverless Risks / General
- Vulnerabilities, Weaknesses, CVEs
- General Application Security Articles, Books
- AWS Lambda (General)
- Other Interesting Articles / Web Pages
AWS Lambda Security
- AWS Lambda Security Best-Practices eBook - PDF eBook covering all the basics such as: Serverless Top 10, IAM roles & permissions, CloudTrail, AWS Config, API Gateway security.
- Foundations of AWS Lambda Security - Webinar recording covering AWS Lambda security basics, IAM permissions, Scalability, Governance.
- AWS Lambda Security Quick-Start Guide - A quick start guide portraying security strategies for AWS Lambda applications.
- AWS Lambda Security - Design for Failure - Notes on the importance of IAM permissions for AWS Lambda.
- Attacking an AWS Account via a Lambda Function - An article from DarkReading describing both the attacker's and the defender's side of a real serverless bounty hunt.
- Minimizing the attack surface in Serverless - Presentation covering the basics of serverless attack surfaces.
- Gone in 60 milliseconds: Offensive security in the serverless age - A presentation video showing attack vectors that use cloud event sources, and exploitable weaknesses in common serverless patterns and frameworks.
- Security Best Practices for Serverless Applications - Basic best-practices for AWS Lambda.
- AWS IAM best practices - Early AWS materials on IAM best practices.
- The Many-Faced Threats to the Serverless World - An article covering most of the basic security risks.
- How to Encrypt Serverless Environment Variable Secrets with KMS - Fundamentals of secrets handling with AWS KMS.
- Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store - How to use parameter store for secrets.
- A Serverless Journey: AWS Lambda under the hood - Great talk on how Lambda works, introduction to Firecracker.
- Security Considerations for AWS Lambda Runtime API and Layers - A blog post on what to keep in mind when developing with Layers & Runtime API.
- The Firecracker Virtual Machine Monitor - An analysis of AWS Firecracker.
- AWS Lambda Serverless Security Workshop - Learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and Amazon Aurora (re:Invent 2018 workshop).
Security Tools / Solutions
- PureSec Serverless Security Platform - The world's first and most advanced end-to-end serverless security platform.
- PureSec FunctionShield - A free security library for developers building on AWS Lambda and Google Cloud Functions.
- Automated SQL Injection Testing of Serverless Functions - An open source proxy for using SQLMap to test AWS Lambda, natively.
- Auto-Generate Least Privileged IAM Roles for AWS Lambda - A Serverless framework plugin for automatically generating least privileged roles using static analysis.
- OWASP ServerlessGoat - A vulnerable AWS Lambda serverless application.
- Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda - A step by step guide for secure serverless CI/CD.
Azure Functions Security
- Azure Functions & Serverless Platform Security - Some basics on Azure functions security.
- Run Your Azure Functions from a Package File - Deploying immutable Azure functions.
- Security in Azure App Service & Azure Functions - More basic concepts for Azure functions.
- Identity & Secure Resource Access in App Service & Azure Functions - Explores the features of App Service and Azure Functions that make working with identities simple (Build conference).
- Secure Azure Functions with JWT access tokens - A blog post on how to use JWT access tokens with Azure functions.
Google Cloud Functions Security
- Function Identity - Documentation for Google Cloud Functions IAM and per-function identity.
Serverless Risks / General
- CSA: The 12 Most Critical Risks for Serverless Applications 2019 - The most extensive guide on the top risks for serverless applications (Cloud Security Alliance & PureSec).
- Securing serverless blog series - Blog series covering the main differences between securing traditional applications and securing serverless ones.
- Securing Serverless: A Newbie's Guide - A terrific newbie's guide by Jeremy Daly.
- Serverless Security: What are we up against - A conference talk from ServerlessDays covering serverless security basics.
- Hacking Serverless Runtimes - Good early insights presentation from BlackHat conference 2017.
- Serverless Security and Things that Go Bump in the Night - QCon NYC presentation by Silvexis covering security basics for serverless.
- Securing Cloud via Serverless Design Patterns - Six serverless design patterns to build security services in the cloud.
- Peeking Behind the Curtains of Serverless Platforms - Provides insights into architectures, resource utilization, and the performance isolation efficiency of AWS Lambda, GCF and Azure Functions.
- Serverless Architectures - The best overview of serverless architectures; an in-depth look at the topic.
Vulnerabilities, Weaknesses, CVEs
- ReDoS in NPM package aws-lambda-multipart-parser - A ReDoS in an NPM package for AWS Lambda functions.
- Apache OpenWhisk Action Mutability Weakness - Two vulnerabilities discovered in Apache OpenWhisk.
- Serverless Crypto-Mining - Exploiting application-layer vulnerabilities in serverless functions to abuse AWS Lambda for crypto-mining.
General Application Security Articles, Books
- The Web Application Hacker’s Handbook - A classic book on web application security.
- Web Application Defender’s Cookbook - Another classic, covering ModSecurity protections.
- XSS (Cross Site Scripting) Attacks, Exploits & Defense - The XSS bible covering all aspects of XSS attacks and protections.
- Hacking Exposed - Web Applications - Another classic book on web application security.
- Securing DevOps - Tons of real world examples on DevOps and security.
AWS Lambda (General)
- Serverless Architectures on AWS - This book teaches you how to build, secure and manage serverless architectures.
- Tips & Tricks for logging and monitoring AWS Lambda Functions - Tips to help you get the most out of your logging and monitoring infrastructure for your functions.