rhetenor/awesome-awesomeness
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update and add index

Browse Source
This commit is contained in:
Jonas Zeunert
2024-04-23 15:17:38 +02:00
parent 4d0cd768f7
commit 8d4db5d359
726 changed files with 41721 additions and 53949 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
terminal/serverlesssecurity
View File

@@ -1,4 +1,4 @@
 :lock: awesome-serverless-security !Awesome (https://awesome.re/badge.svg) (https://awesome.re)
 :lock: awesome-serverless-security !Awesome (https://awesome.re/badge.svg) (https://awesome.re)
A curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.
Contents
@@ -12,91 +12,73 @@
- AWS Lambda (General) (#aws-lambda-general)
- Other Interesting Articles / Web Pages (#other-interesting-articles--web-pages)
AWS Lambda Security
- AWS Lambda Security Best-Practices eBook (https://www.puresec.io/aws-lambda-security-best-practices) - PDF eBook covering all the basics such as: Serverless Top 10, IAM roles & permissions,
CloudTrail, AWS Config, API Gateway security. 
- Foundations of AWS Lambda Security (https://www.puresec.io/on-demand-foundations-of-aws-lambda-security) - Webinar recording covering AWS Lambda security basics, IAM permissions, 
Scalability, Governance. 
- AWS Lambda Security Best-Practices eBook (https://www.puresec.io/aws-lambda-security-best-practices) - PDF eBook covering all the basics such as: Serverless Top 10, IAM roles & permissions, CloudTrail, AWS Config, API Gateway 
security. 
- Foundations of AWS Lambda Security (https://www.puresec.io/on-demand-foundations-of-aws-lambda-security) - Webinar recording covering AWS Lambda security basics, IAM permissions, Scalability, Governance. 
- AWS Lambda Security Quick-Start Guide (https://www.puresec.io/blog/aws-lambda-security-quick-guide) - A quick start guide portraying security strategies for AWS Lambda applications. 
- AWS Lambda Security - Design for Failure (https://www.puresec.io/blog/aws-security-best-practices-aws-lambda-security-design-for-failure) - Notes on the importance of IAM permissions for 
AWS Lambda. 
- Attacking an AWS Account via a Lambda Function (https://www.darkreading.com/cloud/securing-serverless-attacking-an-aws-account-via-a-lambda-function/a/d-id/1333047) - An article from 
DarkReading, describing attackers and defenders side of a real serverless bounty hunt. 
- Minimizing the attack surface in Serverless (https://www.slideshare.net/avi_shulman/serverless-minimizing-the-attack-surface) - Presentation covering the basics of serverless attack 
surfaces. 
- Gone in 60 milliseconds: Offensive security in the serverless age (https://www.youtube.com/watch?v=byJBR16xUnc) - A presentation video showing attack vectors using cloud event sources, 
exploitabilities in common serverless patterns and frameworks. 
- Security Best Practices for Serverless Applications (https://www.slideshare.net/AmazonWebServices/security-best-practices-for-serverless-applications-july-2017-aws-online-tech-talks) - 
Basic best-practices for AWS Lambda. 
- AWS Lambda Security - Design for Failure (https://www.puresec.io/blog/aws-security-best-practices-aws-lambda-security-design-for-failure) - Notes on the importance of IAM permissions for AWS Lambda. 
- Attacking an AWS Account via a Lambda Function (https://www.darkreading.com/cloud/securing-serverless-attacking-an-aws-account-via-a-lambda-function/a/d-id/1333047) - An article from DarkReading, describing attackers and defenders 
side of a real serverless bounty hunt. 
- Minimizing the attack surface in Serverless (https://www.slideshare.net/avi_shulman/serverless-minimizing-the-attack-surface) - Presentation covering the basics of serverless attack surfaces. 
- Gone in 60 milliseconds: Offensive security in the serverless age (https://www.youtube.com/watch?v=byJBR16xUnc) - A presentation video showing attack vectors using cloud event sources, exploitabilities in common serverless patterns 
and frameworks. 
- Security Best Practices for Serverless Applications (https://www.slideshare.net/AmazonWebServices/security-best-practices-for-serverless-applications-july-2017-aws-online-tech-talks) - Basic best-practices for AWS Lambda. 
- AWS IAM best practices (https://www.slideshare.net/AmazonWebServices/sec305-iam-best-practices-aws-reinvent-2014) - Early AWS materials on IAM best practices. 
- The Many-Faced Threats to the Serverless World (https://www.slideshare.net/theburningmonk/security-in-serverless-world-96644428) - An article covering most of the basic security risks.
- How to Encrypt Serverless Environment Variable Secrets with KMS (https://www.metaltoad.com/blog/how-to-encrypt-serverless-environment-variable-secrets-with-kms) - Fundamentals of secrets 
handling with AWS KMS. 
- Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store (https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/) -
How to use parameter store for secrets. 
- How to Encrypt Serverless Environment Variable Secrets with KMS (https://www.metaltoad.com/blog/how-to-encrypt-serverless-environment-variable-secrets-with-kms) - Fundamentals of secrets handling with AWS KMS. 
- Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store (https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/) - How to use parameter store for secrets. 
- A Serverless Journey: AWS Lambda under the hood (https://www.youtube.com/watch?v=QdzV04T_kec) - Great talk on how Lambda works, introduction to Firecracker. 
- Security Considerations for AWS Lambda Runtime API and Layers (https://www.puresec.io/blog/aws-lambda-security-considerations-runtime-api-and-layers) - A blog post on what to keep in mind 
when developing with Layers & Runtime API. 
- Security Considerations for AWS Lambda Runtime API and Layers (https://www.puresec.io/blog/aws-lambda-security-considerations-runtime-api-and-layers) - A blog post on what to keep in mind when developing with Layers & Runtime API. 
- The FireCracker Virtual Machine Monitor (https://lwn.net/Articles/775736/) - An analysis of AWS Firecracker. 
- AWS Lambda Serverless Security Workshop (https://github.com/aws-samples/aws-serverless-security-workshop) - Learn techniques to secure a serverless application built with AWS Lambda, Amazon
API Gateway and RDS Aurora (Re:Invent 2018 workshop).
- AWS Lambda Serverless Security Workshop (https://github.com/aws-samples/aws-serverless-security-workshop) - Learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora (Re:Invent 2018 
workshop).
Security Tools / Solutions
- PureSec Serverless Security Platform (https://www.puresec.io/product) - The world's first and most advanced end-to-end serverless security platform. 
- PureSec FunctionShield (https://www.puresec.io/function-shield) - A free AWS Lambda security and Google Cloud Functions library for developers.
- Automated SQL Injection Testing of Serverless Functions (https://www.puresec.io/blog/automated-sql-injection-testing-of-serverless-functions-on-a-shoestring-budget-and-some-good-music) - 
An open source proxy for using SQLMap to test AWS Lambda, natively.
- Auto-Generate Least Privileged IAM Roles for AWS Lambda (https://www.puresec.io/blog/generating-least-privileged-iam-roles-for-aws-lambda-functions-the-easy-way) - A Serverless framework 
plugin for automatically generating least privileged roles using static analysis. 
- Automated SQL Injection Testing of Serverless Functions (https://www.puresec.io/blog/automated-sql-injection-testing-of-serverless-functions-on-a-shoestring-budget-and-some-good-music) - An open source proxy for using SQLMap to test 
AWS Lambda, natively.
- Auto-Generate Least Privileged IAM Roles for AWS Lambda (https://www.puresec.io/blog/generating-least-privileged-iam-roles-for-aws-lambda-functions-the-easy-way) - A Serverless framework plugin for automatically generating least 
privileged roles using static analysis. 
- OWASP ServerlessGoat (https://www.owasp.org/index.php/OWASP_Serverless_Goat) - A vulnerable AWS Lambda serverless application. 
- Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda (https://blog.codeship.com/secure-serverless-ci-cd-with-codeship-puresec-and-aws-lambda/) - A step by step guide for secure 
serverless CI/CD.
- Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda (https://blog.codeship.com/secure-serverless-ci-cd-with-codeship-puresec-and-aws-lambda/) - A step by step guide for secure serverless CI/CD.
Azure Functions Security
- Azure Functions & Serverless Platform Security (https://gallery.technet.microsoft.com/Azure-Functions-and-c6449f8d) - Some basics on Azure functions security. 
- Run Your Azure Functions from a Package File (https://docs.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package) - Deploying immutable Azure functions. 
- Security in Azure App Service & Azure Functions (https://docs.microsoft.com/en-us/azure/app-service/app-service-security) - More basic concepts for Azure functions. 
- Identity & Secure Resource Access in App Service & Azure Functions (https://www.youtube.com/watch?v=iFDXDQXRJ8Y) - Explores features in App Service or Azure functions which make working 
with identities simple (Build Conference). 
- Identity & Secure Resource Access in App Service & Azure Functions (https://www.youtube.com/watch?v=iFDXDQXRJ8Y) - Explores features in App Service or Azure functions which make working with identities simple (Build Conference). 
- Secure Azure Functions with JWT access tokens (https://blog.wille-zone.de/post/secure-azure-functions-with-jwt-token/) - A blog post on how to use JWT access tokens with Azure functions.
Google Cloud Functions Security
- Function Identity (https://cloud.google.com/functions/docs/securing/function-identity) - Documentation for Google Cloud Functions IAM and per-function identity.
Serverless Risks / General
- CSA: The 12 Most Critical Risks for Serverless Applications 2019 (https://www.puresec.io/serverless-security-top-12-csa-puresec) - The most extensive guide on the top risks for serverless 
applications (Cloud Security Alliance & PureSec).
- Securing serverless blog series (https://www.puresec.io/blog/tag/securing-serverless-blog-series) - Blog series covering the main differences between security traditional applications and 
serverless. 
- CSA: The 12 Most Critical Risks for Serverless Applications 2019 (https://www.puresec.io/serverless-security-top-12-csa-puresec) - The most extensive guide on the top risks for serverless applications (Cloud Security Alliance & 
PureSec).
- Securing serverless blog series (https://www.puresec.io/blog/tag/securing-serverless-blog-series) - Blog series covering the main differences between security traditional applications and serverless. 
- Securing Serverless: A Newbie's Guide (https://www.jeremydaly.com/securing-serverless-a-newbies-guide/) - A terrific newbie's guide by Jeremy Daly. 
- Serverless Security: What are we up against (https://www.youtube.com/watch?v=M7wUanfWs1c&t=2s) - A conference talk from ServerlessDays covering serverless security basics. 
- Hacking Serverless Runtimes (https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf) - Good early insights presentation from BlackHat conference 2017.
- Serverless Security and Things that Go Bump in the Night 
(https://qconnewyork.com/ny2017/system/files/presentation-slides/serverless_security_and_things_that_go_bump_in_the_night_-_qcon_nyc_2017.pdf) - QCon NYC presentation by Silvexis covering 
security basics for serverless.
- Securing Cloud via Serverless Design Patterns (https://www.usenix.org/system/files/conference/hotcloud18/hotcloud18-paper-hong.pdf) - Six serverless design patterns to build security 
services in the cloud. 
- Peeking Behind the Curtains of Serverless Platforms (https://www.usenix.org/system/files/conference/atc18/atc18-wang-liang.pdf) - Provides insights into architectures, resource 
utilization, and the performance isolation efficiency of AWS Lambda, GCF and Azure Functions.
- Serverless Architectures (https://martinfowler.com/articles/serverless.html) - The best overview on serverless architectures. This article provides an in-depth look at serverless 
architectures. 
- Serverless Security and Things that Go Bump in the Night (https://qconnewyork.com/ny2017/system/files/presentation-slides/serverless_security_and_things_that_go_bump_in_the_night_-_qcon_nyc_2017.pdf) - QCon NYC presentation by 
Silvexis covering security basics for serverless.
- Securing Cloud via Serverless Design Patterns (https://www.usenix.org/system/files/conference/hotcloud18/hotcloud18-paper-hong.pdf) - Six serverless design patterns to build security services in the cloud. 
- Peeking Behind the Curtains of Serverless Platforms (https://www.usenix.org/system/files/conference/atc18/atc18-wang-liang.pdf) - Provides insights into architectures, resource utilization, and the performance isolation efficiency of
AWS Lambda, GCF and Azure Functions.
- Serverless Architectures (https://martinfowler.com/articles/serverless.html) - The best overview on serverless architectures. This article provides an in-depth look at serverless architectures. 
Vulnerabilities, Weaknesses, CVEs
- ReDoS in NPM package aws-lambda-multipart-parser (https://www.puresec.io/blog/redos-vulnerability-in-aws-lambda-multipart-parser-node-package) - A ReDoS in an NPM package for AWS Lambda 
functions. 
- ReDoS in NPM package aws-lambda-multipart-parser (https://www.puresec.io/blog/redos-vulnerability-in-aws-lambda-multipart-parser-node-package) - A ReDoS in an NPM package for AWS Lambda functions. 
- Apache OpenWhisk Action Mutability Weakness (https://www.puresec.io/blog/apache_openwhisk_mutability_weakness) - Two vulnerabilities discovered in Apache OpenWhisk.
- Serverless Cypto-Mining (https://www.puresec.io/blog/new-attack-vector-serverless-crypto-mining) - Exploiting app layer vulnerabilities in serverless functions to abuse AWS Lambda for 
crypto-mining.
- Serverless Cypto-Mining (https://www.puresec.io/blog/new-attack-vector-serverless-crypto-mining) - Exploiting app layer vulnerabilities in serverless functions to abuse AWS Lambda for crypto-mining.
General Application Security Articles, Books
- The Web Application Hackers Handbook (https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/) - A classic book on web application security.
- Web Application Defenders Cookbook (https://www.amazon.com/Web-Application-Defenders-Cookbook-Protecting/dp/1118362187/) - Another classic, covering ModSecurity protections. 
- XSS (Cross Site Scripting) Attacks, Exploits & Defense (https://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/) - The XSS bible covering all aspects of XSS attacks and
protections.
- XSS (Cross Site Scripting) Attacks, Exploits & Defense (https://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/) - The XSS bible covering all aspects of XSS attacks and protections.
- Hacking Exposed - Web Applications (https://www.amazon.com/Hacking-Exposed-Web-Applications-Third/dp/0071740643) - Another classic book on web application security.
- Securing DevOps (https://www.manning.com/books/securing-devops?a_aid=securingdevops&a_bid=1353bcd8) - Tons of real world examples on DevOps and security.
AWS Lambda (General)
- Serverless Architectures on AWS (https://www.amazon.com/Serverless-Architectures-AWS-examples-Lambda/dp/1617293822/) - This book teaches you how to build, secure and manage serverless 
architectures.
- Tips & Tricks for logging and monitoring AWS Lambda Functions (https://hackernoon.com/tips-and-tricks-for-logging-and-monitoring-aws-lambda-functions-885af6da29a5) - Tips to help you get 
the most out of your logging and monitoring infrastructure for your functions .
- Serverless Architectures on AWS (https://www.amazon.com/Serverless-Architectures-AWS-examples-Lambda/dp/1617293822/) - This book teaches you how to build, secure and manage serverless architectures.
- Tips & Tricks for logging and monitoring AWS Lambda Functions (https://hackernoon.com/tips-and-tricks-for-logging-and-monitoring-aws-lambda-functions-885af6da29a5) - Tips to help you get the most out of your logging and monitoring 
infrastructure for your functions .
Other Interesting Articles / Web Pages
- Google gVisor (https://github.com/google/gvisor) - GitHub repo for Google gVisor project. 
- Google gVisor & Google Cloud Functions (https://cloudplatform.googleblog.com/2018/05/Open-sourcing-gVisor-a-sandboxed-container-runtime.html) - A blog post covering Google gVisor and how it
is used with Google Cloud Functions.
- Google gVisor & Google Cloud Functions (https://cloudplatform.googleblog.com/2018/05/Open-sourcing-gVisor-a-sandboxed-container-runtime.html) - A blog post covering Google gVisor and how it is used with Google Cloud Functions.
- IBM Cloud Functions - Platform Architecture (https://console.bluemix.net/docs/openwhisk/openwhisk_about.html#openwhisk_about) - OpenWhisk & IBM Cloud Functions overview. 
License
!CC0 (http://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg) (https://creativecommons.org/publicdomain/zero/1.0/)