# :lock: awesome-serverless-security

A curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.

## Contents

- AWS Lambda Security
- Security Tools / Solutions
- Azure Functions Security
- Google Cloud Functions Security
- Serverless Risks / General
- Vulnerabilities, Weaknesses, CVEs
- General Application Security Articles, Books
- AWS Lambda (General)
- Other Interesting Articles / Web Pages

## AWS Lambda Security
- AWS Lambda Security Best-Practices eBook - PDF eBook covering all the basics such as: Serverless Top 10, IAM roles & permissions, CloudTrail, AWS Config, API Gateway security.
- Foundations of AWS Lambda Security - Webinar recording covering AWS Lambda security basics, IAM permissions, scalability, governance.
- AWS Lambda Security Quick-Start Guide - A quick start guide outlining security strategies for AWS Lambda applications.
- AWS Lambda Security - Design for Failure - Notes on the importance of IAM permissions for AWS Lambda.
- Attacking an AWS Account via a Lambda Function - An article from DarkReading describing the attacker's and defender's sides of a real serverless bounty hunt.
- Minimizing the attack surface in Serverless - Presentation covering the basics of serverless attack surfaces.
- Gone in 60 milliseconds: Offensive security in the serverless age - A presentation video showing attack vectors using cloud event sources and exploitable weaknesses in common serverless patterns and frameworks.
- Security Best Practices for Serverless Applications - Basic best practices for AWS Lambda.
- AWS IAM best practices - Early AWS materials on IAM best practices.
- The Many-Faced Threats to the Serverless World - An article covering most of the basic security risks.
- How to Encrypt Serverless Environment Variable Secrets with KMS - Fundamentals of secrets handling with AWS KMS.
- Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store - How to use Parameter Store for secrets.
- A Serverless Journey: AWS Lambda under the hood - Great talk on how Lambda works, with an introduction to Firecracker.
- Security Considerations for AWS Lambda Runtime API and Layers - A blog post on what to keep in mind when developing with Layers & the Runtime API.
- The Firecracker Virtual Machine Monitor - An analysis of AWS Firecracker.
- AWS Lambda Serverless Security Workshop - Learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora (re:Invent 2018 workshop).

## Security Tools / Solutions
- PureSec Serverless Security Platform - The world’s first and most advanced end-to-end serverless security platform.
- PureSec FunctionShield - A free security library for developers on AWS Lambda and Google Cloud Functions.
- Automated SQL Injection Testing of Serverless Functions - An open source proxy for using SQLMap to test AWS Lambda functions natively.
- Auto-Generate Least Privileged IAM Roles for AWS Lambda - A Serverless Framework plugin that automatically generates least-privilege roles using static analysis.
- OWASP ServerlessGoat - A vulnerable AWS Lambda serverless application.
- Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda - A step-by-step guide to secure serverless CI/CD.

## Azure Functions Security
- Azure Functions & Serverless Platform Security - Some basics on Azure Functions security.
- Run Your Azure Functions from a Package File - Deploying immutable Azure Functions.
- Security in Azure App Service & Azure Functions - More basic concepts for Azure Functions.
- Identity & Secure Resource Access in App Service & Azure Functions - Explores features in App Service and Azure Functions which make working with identities simple (Build conference).
- Secure Azure Functions with JWT access tokens - A blog post on how to use JWT access tokens with Azure Functions.

## Google Cloud Functions Security
- Function Identity - Documentation for Google Cloud Functions IAM and per-function identity.

## Serverless Risks / General
- CSA: The 12 Most Critical Risks for Serverless Applications 2019 - The most extensive guide on the top risks for serverless applications (Cloud Security Alliance & PureSec).
- Securing serverless blog series - Blog series covering the main differences between securing traditional applications and serverless.
- Securing Serverless: A Newbie’s Guide - A terrific newbie’s guide by Jeremy Daly.
- Serverless Security: What are we up against - A conference talk from ServerlessDays covering serverless security basics.
- Hacking Serverless Runtimes - Good early-insights presentation from the Black Hat 2017 conference.
- Serverless Security and Things that Go Bump in the Night - QCon NYC presentation by Silvexis covering security basics for serverless.
- Securing Cloud via Serverless Design Patterns - Six serverless design patterns to build security services in the cloud.
- Peeking Behind the Curtains of Serverless Platforms - Provides insights into the architectures, resource utilization, and performance isolation efficiency of AWS Lambda, GCF and Azure Functions.
- Serverless Architectures - The best overview of serverless architectures, with an in-depth look at the topic.

## Vulnerabilities, Weaknesses, CVEs
- ReDoS in NPM package aws-lambda-multipart-parser - A ReDoS in an NPM package for AWS Lambda functions.
- Apache OpenWhisk Action Mutability Weakness - Two vulnerabilities discovered in Apache OpenWhisk.
- Serverless Crypto-Mining - Exploiting application-layer vulnerabilities in serverless functions to abuse AWS Lambda for crypto-mining.

## General Application Security Articles, Books
- The Web Application Hacker’s Handbook - A classic book on web application security.
- Web Application Defender’s Cookbook - Another classic, covering ModSecurity protections.
- XSS (Cross Site Scripting) Attacks, Exploits & Defense - The XSS bible covering all aspects of XSS attacks and protections.
- Hacking Exposed - Web Applications - Another classic book on web application security.
- Securing DevOps - Tons of real-world examples on DevOps and security.

## AWS Lambda (General)
- Serverless Architectures on AWS - This book teaches you how to build, secure and manage serverless architectures.
- Tips & Tricks for logging and monitoring AWS Lambda Functions - Tips to help you get the most out of your logging and monitoring infrastructure for your functions.

## Other Interesting Articles / Web Pages
- Google gVisor - GitHub repo for the Google gVisor project.
- Google gVisor & Google Cloud Functions - A blog post covering Google gVisor and how it is used with Google Cloud Functions.
- IBM Cloud Functions - Platform Architecture - OpenWhisk & IBM Cloud Functions overview.

## License

To the extent possible under law, PureSec has waived all copyright and related or neighboring rights to this work.