update lists
@@ -1,233 +0,0 @@
<h1 id="lock-awesome-serverless-security-awesome">:lock:
awesome-serverless-security <a href="https://awesome.re"><img
src="https://awesome.re/badge.svg" alt="Awesome" /></a></h1>
<p>A curated list of awesome serverless security resources such as
(e)books, articles, whitepapers, blogs and research papers.</p>
<h2 id="contents">Contents</h2>
<ul>
<li><a href="#aws-lambda-security">AWS Lambda Security</a></li>
<li><a href="#security-tools--solutions">Security Tools /
Solutions</a></li>
<li><a href="#azure-functions-security">Azure Functions
Security</a></li>
<li><a href="#google-cloud-functions-security">Google Cloud Functions
Security</a></li>
<li><a href="#serverless-risks--general">Serverless Risks /
General</a></li>
<li><a href="#vulnerabilities-weaknesses-cves">Vulnerabilities,
Weaknesses, CVEs</a></li>
<li><a href="#general-application-security-articles-books">General
Application Security Articles, Books</a></li>
<li><a href="#aws-lambda-general">AWS Lambda (General)</a></li>
<li><a href="#other-interesting-articles--web-pages">Other Interesting
Articles / Web Pages</a> ## AWS Lambda Security</li>
<li><a
href="https://www.puresec.io/aws-lambda-security-best-practices">AWS
Lambda Security Best-Practices eBook</a> - PDF eBook covering all the
basics such as: Serverless Top 10, IAM roles & permissions,
CloudTrail, AWS Config, API Gateway security.</li>
<li><a
href="https://www.puresec.io/on-demand-foundations-of-aws-lambda-security">Foundations
of AWS Lambda Security</a> - Webinar recording covering AWS Lambda
security basics, IAM permissions, Scalability, Governance.</li>
<li><a
href="https://www.puresec.io/blog/aws-lambda-security-quick-guide">AWS
Lambda Security Quick-Start Guide</a> - A quick start guide portraying
security strategies for AWS Lambda applications.</li>
<li><a
href="https://www.puresec.io/blog/aws-security-best-practices-aws-lambda-security-design-for-failure">AWS
Lambda Security - Design for Failure</a> - Notes on the importance of
IAM permissions for AWS Lambda.</li>
<li><a
href="https://www.darkreading.com/cloud/securing-serverless-attacking-an-aws-account-via-a-lambda-function/a/d-id/1333047">Attacking
an AWS Account via a Lambda Function</a> - An article from DarkReading,
describing attackers and defenders side of a real serverless bounty
hunt.</li>
<li><a
href="https://www.slideshare.net/avi_shulman/serverless-minimizing-the-attack-surface">Minimizing
the attack surface in Serverless</a> - Presentation covering the basics
of serverless attack surfaces.</li>
<li><a href="https://www.youtube.com/watch?v=byJBR16xUnc">Gone in 60
milliseconds: Offensive security in the serverless age</a> - A
presentation video showing attack vectors using cloud event sources,
exploitabilities in common serverless patterns and frameworks.</li>
<li><a
href="https://www.slideshare.net/AmazonWebServices/security-best-practices-for-serverless-applications-july-2017-aws-online-tech-talks">Security
Best Practices for Serverless Applications</a> - Basic best-practices
for AWS Lambda.</li>
<li><a
href="https://www.slideshare.net/AmazonWebServices/sec305-iam-best-practices-aws-reinvent-2014">AWS
IAM best practices</a> - Early AWS materials on IAM best practices.</li>
<li><a
href="https://www.slideshare.net/theburningmonk/security-in-serverless-world-96644428">The
Many-Faced Threats to the Serverless World</a> - An article covering
most of the basic security risks.</li>
<li><a
href="https://www.metaltoad.com/blog/how-to-encrypt-serverless-environment-variable-secrets-with-kms">How
to Encrypt Serverless Environment Variable Secrets with KMS</a> -
Fundamentals of secrets handling with AWS KMS.</li>
<li><a
href="https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/">Sharing
Secrets with AWS Lambda Using AWS Systems Manager Parameter Store</a> -
How to use parameter store for secrets.</li>
<li><a href="https://www.youtube.com/watch?v=QdzV04T_kec">A Serverless
Journey: AWS Lambda under the hood</a> - Great talk on how Lambda works,
introduction to Firecracker.</li>
<li><a
href="https://www.puresec.io/blog/aws-lambda-security-considerations-runtime-api-and-layers">Security
Considerations for AWS Lambda Runtime API and Layers</a> - A blog post
on what to keep in mind when developing with Layers & Runtime
API.</li>
<li><a href="https://lwn.net/Articles/775736/">The FireCracker Virtual
Machine Monitor</a> - An analysis of AWS Firecracker.</li>
<li><a
href="https://github.com/aws-samples/aws-serverless-security-workshop">AWS
Lambda Serverless Security Workshop</a> - Learn techniques to secure a
serverless application built with AWS Lambda, Amazon API Gateway and RDS
Aurora (Re:Invent 2018 workshop). ## Security Tools / Solutions</li>
<li><a href="https://www.puresec.io/product">PureSec Serverless Security
Platform</a> - The world’s first and most advanced end-to-end serverless
security platform.</li>
<li><a href="https://www.puresec.io/function-shield">PureSec
FunctionShield</a> - A free AWS Lambda security and Google Cloud
Functions library for developers.</li>
<li><a
href="https://www.puresec.io/blog/automated-sql-injection-testing-of-serverless-functions-on-a-shoestring-budget-and-some-good-music">Automated
SQL Injection Testing of Serverless Functions</a> - An open source proxy
for using SQLMap to test AWS Lambda, natively.</li>
<li><a
href="https://www.puresec.io/blog/generating-least-privileged-iam-roles-for-aws-lambda-functions-the-easy-way">Auto-Generate
Least Privileged IAM Roles for AWS Lambda</a> - A Serverless framework
plugin for automatically generating least privileged roles using static
analysis.</li>
<li><a
href="https://www.owasp.org/index.php/OWASP_Serverless_Goat">OWASP
ServerlessGoat</a> - A vulnerable AWS Lambda serverless
application.</li>
<li><a
href="https://blog.codeship.com/secure-serverless-ci-cd-with-codeship-puresec-and-aws-lambda/">Secure
Serverless CI/CD with Codeship, PureSec, and AWS Lambda</a> - A step by
step guide for secure serverless CI/CD. ## Azure Functions Security</li>
<li><a
href="https://gallery.technet.microsoft.com/Azure-Functions-and-c6449f8d">Azure
Functions & Serverless Platform Security</a> - Some basics on Azure
functions security.</li>
<li><a
href="https://docs.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package">Run
Your Azure Functions from a Package File</a> - Deploying immutable Azure
functions.</li>
<li><a
href="https://docs.microsoft.com/en-us/azure/app-service/app-service-security">Security
in Azure App Service & Azure Functions</a> - More basic concepts for
Azure functions.</li>
<li><a href="https://www.youtube.com/watch?v=iFDXDQXRJ8Y">Identity &
Secure Resource Access in App Service & Azure Functions</a> -
Explores features in App Service or Azure functions which make working
with identities simple (Build Conference).</li>
<li><a
href="https://blog.wille-zone.de/post/secure-azure-functions-with-jwt-token/">Secure
Azure Functions with JWT access tokens</a> - A blog post on how to use
JWT access tokens with Azure functions. ## Google Cloud Functions
Security</li>
<li><a
href="https://cloud.google.com/functions/docs/securing/function-identity">Function
Identity</a> - Documentation for Google Cloud Functions IAM and
per-function identity. ## Serverless Risks / General</li>
<li><a
href="https://www.puresec.io/serverless-security-top-12-csa-puresec">CSA:
The 12 Most Critical Risks for Serverless Applications 2019</a> - The
most extensive guide on the top risks for serverless applications (Cloud
Security Alliance & PureSec).</li>
<li><a
href="https://www.puresec.io/blog/tag/securing-serverless-blog-series">Securing
serverless blog series</a> - Blog series covering the main differences
between security traditional applications and serverless.</li>
<li><a
href="https://www.jeremydaly.com/securing-serverless-a-newbies-guide/">Securing
Serverless: A Newbie’s Guide</a> - A terrific newbie’s guide by Jeremy
Daly.</li>
<li><a
href="https://www.youtube.com/watch?v=M7wUanfWs1c&t=2s">Serverless
Security: What are we up against</a> - A conference talk from
ServerlessDays covering serverless security basics.</li>
<li><a
href="https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf">Hacking
Serverless Runtimes</a> - Good early insights presentation from BlackHat
conference 2017.</li>
<li><a
href="https://qconnewyork.com/ny2017/system/files/presentation-slides/serverless_security_and_things_that_go_bump_in_the_night_-_qcon_nyc_2017.pdf">Serverless
Security and Things that Go Bump in the Night</a> - QCon NYC
presentation by Silvexis covering security basics for serverless.</li>
<li><a
href="https://www.usenix.org/system/files/conference/hotcloud18/hotcloud18-paper-hong.pdf">Securing
Cloud via Serverless Design Patterns</a> - Six serverless design
patterns to build security services in the cloud.</li>
<li><a
href="https://www.usenix.org/system/files/conference/atc18/atc18-wang-liang.pdf">Peeking
Behind the Curtains of Serverless Platforms</a> - Provides insights into
architectures, resource utilization, and the performance isolation
efficiency of AWS Lambda, GCF and Azure Functions.</li>
<li><a
href="https://martinfowler.com/articles/serverless.html">Serverless
Architectures</a> - The best overview on serverless architectures. This
article provides an in-depth look at serverless architectures. ##
Vulnerabilities, Weaknesses, CVEs</li>
<li><a
href="https://www.puresec.io/blog/redos-vulnerability-in-aws-lambda-multipart-parser-node-package">ReDoS
in NPM package aws-lambda-multipart-parser</a> - A ReDoS in an NPM
package for AWS Lambda functions.</li>
<li><a
href="https://www.puresec.io/blog/apache_openwhisk_mutability_weakness">Apache
OpenWhisk Action Mutability Weakness</a> - Two vulnerabilities
discovered in Apache OpenWhisk.</li>
<li><a
href="https://www.puresec.io/blog/new-attack-vector-serverless-crypto-mining">Serverless
Cypto-Mining</a> - Exploiting app layer vulnerabilities in serverless
functions to abuse AWS Lambda for crypto-mining. ## General Application
Security Articles, Books</li>
<li><a
href="https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/">The
Web Application Hacker’s Handbook</a> - A classic book on web
application security.</li>
<li><a
href="https://www.amazon.com/Web-Application-Defenders-Cookbook-Protecting/dp/1118362187/">Web
Application Defender’s Cookbook</a> - Another classic, covering
ModSecurity protections.</li>
<li><a
href="https://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/">XSS
(Cross Site Scripting) Attacks, Exploits & Defense</a> - The XSS
bible covering all aspects of XSS attacks and protections.</li>
<li><a
href="https://www.amazon.com/Hacking-Exposed-Web-Applications-Third/dp/0071740643">Hacking
Exposed - Web Applications</a> - Another classic book on web application
security.</li>
<li><a
href="https://www.manning.com/books/securing-devops?a_aid=securingdevops&a_bid=1353bcd8">Securing
DevOps</a> - Tons of real world examples on DevOps and security. ## AWS
Lambda (General)</li>
<li><a
href="https://www.amazon.com/Serverless-Architectures-AWS-examples-Lambda/dp/1617293822/">Serverless
Architectures on AWS</a> - This book teaches you how to build, secure
and manage serverless architectures.</li>
<li><a
href="https://hackernoon.com/tips-and-tricks-for-logging-and-monitoring-aws-lambda-functions-885af6da29a5">Tips
& Tricks for logging and monitoring AWS Lambda Functions</a> - Tips
to help you get the most out of your logging and monitoring
infrastructure for your functions . ## Other Interesting Articles / Web
Pages</li>
<li><a href="https://github.com/google/gvisor">Google gVisor</a> -
GitHub repo for Google gVisor project.</li>
<li><a
href="https://cloudplatform.googleblog.com/2018/05/Open-sourcing-gVisor-a-sandboxed-container-runtime.html">Google
gVisor & Google Cloud Functions</a> - A blog post covering Google
gVisor and how it is used with Google Cloud Functions.</li>
<li><a
href="https://console.bluemix.net/docs/openwhisk/openwhisk_about.html#openwhisk_about">IBM
Cloud Functions - Platform Architecture</a> - OpenWhisk & IBM Cloud
Functions overview. ## License <a
href="https://creativecommons.org/publicdomain/zero/1.0/"><img
src="http://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg"
alt="CC0" /></a> To the extent possible under law, <a
href="https://www.puresec.io">PureSec</a> has waived all copyright and
related or neighboring rights to this work.</li>
</ul>
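Review bot: The commit message "update lists" does not describe this hunk, which deletes all 233 lines of the file (`@@ -1,233 +0,0 @@`) and adds nothing; if the list is being moved or replaced elsewhere, say so in the message and reference the new location. Separately, the removed rendering shows every section heading swallowed into the preceding list item (for example `Articles / Web Pages</a> ## AWS Lambda Security</li>`, `... (Re:Invent 2018 workshop). ## Security Tools / Solutions</li>`, and `Functions overview. ## License <a ...`), which means the Markdown source had no blank line between the end of each list and the next `## ` heading, so the `<h2>` elements and the `#aws-lambda-security`-style anchors in the Contents list were never generated; any replacement copy of this README should put a blank line before each heading so the sections and table-of-contents links render.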