<h1 id="lock-awesome-serverless-security-awesome">:lock:
awesome-serverless-security <a href="https://awesome.re"><img
src="https://awesome.re/badge.svg" alt="Awesome" /></a></h1>
<p>A curated list of awesome serverless security resources such as
(e)books, articles, whitepapers, blogs and research papers.</p>
<h2 id="contents">Contents</h2>
<ul>
<li><a href="#aws-lambda-security">AWS Lambda Security</a></li>
<li><a href="#security-tools--solutions">Security Tools /
Solutions</a></li>
<li><a href="#azure-functions-security">Azure Functions
Security</a></li>
<li><a href="#google-cloud-functions-security">Google Cloud Functions
Security</a></li>
<li><a href="#serverless-risks--general">Serverless Risks /
General</a></li>
<li><a href="#vulnerabilities-weaknesses-cves">Vulnerabilities,
Weaknesses, CVEs</a></li>
<li><a href="#general-application-security-articles-books">General
Application Security Articles, Books</a></li>
<li><a href="#aws-lambda-general">AWS Lambda (General)</a></li>
<li><a href="#other-interesting-articles--web-pages">Other Interesting
Articles / Web Pages</a></li>
</ul>
<h2 id="aws-lambda-security">AWS Lambda Security</h2>
<ul>
<li><a
href="https://www.puresec.io/aws-lambda-security-best-practices">AWS
Lambda Security Best-Practices eBook</a> - PDF eBook covering all the
basics such as: Serverless Top 10, IAM roles &amp; permissions,
CloudTrail, AWS Config, API Gateway security.</li>
<li><a
href="https://www.puresec.io/on-demand-foundations-of-aws-lambda-security">Foundations
of AWS Lambda Security</a> - Webinar recording covering AWS Lambda
security basics, IAM permissions, Scalability, Governance.</li>
<li><a
href="https://www.puresec.io/blog/aws-lambda-security-quick-guide">AWS
Lambda Security Quick-Start Guide</a> - A quick start guide portraying
security strategies for AWS Lambda applications.</li>
<li><a
href="https://www.puresec.io/blog/aws-security-best-practices-aws-lambda-security-design-for-failure">AWS
Lambda Security - Design for Failure</a> - Notes on the importance of
IAM permissions for AWS Lambda.</li>
<li><a
href="https://www.darkreading.com/cloud/securing-serverless-attacking-an-aws-account-via-a-lambda-function/a/d-id/1333047">Attacking
an AWS Account via a Lambda Function</a> - An article from DarkReading
describing both the attacker's and the defender's side of a real
serverless bug bounty hunt.</li>
<li><a
href="https://www.slideshare.net/avi_shulman/serverless-minimizing-the-attack-surface">Minimizing
the attack surface in Serverless</a> - Presentation covering the basics
of serverless attack surfaces.</li>
<li><a href="https://www.youtube.com/watch?v=byJBR16xUnc">Gone in 60
milliseconds: Offensive security in the serverless age</a> - A recorded
talk showing attack vectors that use cloud event sources and exploitable
weaknesses in common serverless patterns and frameworks.</li>
<li><a
href="https://www.slideshare.net/AmazonWebServices/security-best-practices-for-serverless-applications-july-2017-aws-online-tech-talks">Security
Best Practices for Serverless Applications</a> - Basic best-practices
for AWS Lambda.</li>
<li><a
href="https://www.slideshare.net/AmazonWebServices/sec305-iam-best-practices-aws-reinvent-2014">AWS
IAM best practices</a> - Early AWS materials on IAM best practices.</li>
<li><a
href="https://www.slideshare.net/theburningmonk/security-in-serverless-world-96644428">The
Many-Faced Threats to the Serverless World</a> - An article covering
most of the basic security risks.</li>
<li><a
href="https://www.metaltoad.com/blog/how-to-encrypt-serverless-environment-variable-secrets-with-kms">How
to Encrypt Serverless Environment Variable Secrets with KMS</a> -
Fundamentals of secrets handling with AWS KMS.</li>
<li><a
href="https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/">Sharing
Secrets with AWS Lambda Using AWS Systems Manager Parameter Store</a> -
How to use parameter store for secrets.</li>
<li><a href="https://www.youtube.com/watch?v=QdzV04T_kec">A Serverless
Journey: AWS Lambda under the hood</a> - Great talk on how Lambda works,
introduction to Firecracker.</li>
<li><a
href="https://www.puresec.io/blog/aws-lambda-security-considerations-runtime-api-and-layers">Security
Considerations for AWS Lambda Runtime API and Layers</a> - A blog post
on what to keep in mind when developing with Layers &amp; Runtime
API.</li>
<li><a href="https://lwn.net/Articles/775736/">The FireCracker Virtual
Machine Monitor</a> - An analysis of AWS Firecracker.</li>
<li><a
href="https://github.com/aws-samples/aws-serverless-security-workshop">AWS
Lambda Serverless Security Workshop</a> - Learn techniques to secure a
serverless application built with AWS Lambda, Amazon API Gateway and RDS
Aurora (re:Invent 2018 workshop).</li>
</ul>
<h2 id="security-tools--solutions">Security Tools / Solutions</h2>
<ul>
<li><a href="https://www.puresec.io/product">PureSec Serverless Security
Platform</a> - The world's first and most advanced end-to-end serverless
security platform.</li>
<li><a href="https://www.puresec.io/function-shield">PureSec
FunctionShield</a> - A free security library for developers of AWS Lambda
and Google Cloud Functions.</li>
<li><a
href="https://www.puresec.io/blog/automated-sql-injection-testing-of-serverless-functions-on-a-shoestring-budget-and-some-good-music">Automated
SQL Injection Testing of Serverless Functions</a> - An open source proxy
for using SQLMap to test AWS Lambda, natively.</li>
<li><a
href="https://www.puresec.io/blog/generating-least-privileged-iam-roles-for-aws-lambda-functions-the-easy-way">Auto-Generate
Least Privileged IAM Roles for AWS Lambda</a> - A Serverless framework
plugin for automatically generating least privileged roles using static
analysis.</li>
<li><a
href="https://www.owasp.org/index.php/OWASP_Serverless_Goat">OWASP
ServerlessGoat</a> - A vulnerable AWS Lambda serverless
application.</li>
<li><a
href="https://blog.codeship.com/secure-serverless-ci-cd-with-codeship-puresec-and-aws-lambda/">Secure
Serverless CI/CD with Codeship, PureSec, and AWS Lambda</a> - A
step-by-step guide to secure serverless CI/CD.</li>
</ul>
<h2 id="azure-functions-security">Azure Functions Security</h2>
<ul>
<li><a
href="https://gallery.technet.microsoft.com/Azure-Functions-and-c6449f8d">Azure
Functions &amp; Serverless Platform Security</a> - Some basics on Azure
functions security.</li>
<li><a
href="https://docs.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package">Run
Your Azure Functions from a Package File</a> - Deploying immutable Azure
functions.</li>
<li><a
href="https://docs.microsoft.com/en-us/azure/app-service/app-service-security">Security
in Azure App Service &amp; Azure Functions</a> - More basic concepts for
Azure functions.</li>
<li><a href="https://www.youtube.com/watch?v=iFDXDQXRJ8Y">Identity &amp;
Secure Resource Access in App Service &amp; Azure Functions</a> -
Explores features in App Service or Azure functions which make working
with identities simple (Build Conference).</li>
<li><a
href="https://blog.wille-zone.de/post/secure-azure-functions-with-jwt-token/">Secure
Azure Functions with JWT access tokens</a> - A blog post on how to use
JWT access tokens with Azure functions.</li>
</ul>
<h2 id="google-cloud-functions-security">Google Cloud Functions Security</h2>
<ul>
<li><a
href="https://cloud.google.com/functions/docs/securing/function-identity">Function
Identity</a> - Documentation for Google Cloud Functions IAM and
per-function identity.</li>
</ul>
<h2 id="serverless-risks--general">Serverless Risks / General</h2>
<ul>
<li><a
href="https://www.puresec.io/serverless-security-top-12-csa-puresec">CSA:
The 12 Most Critical Risks for Serverless Applications 2019</a> - The
most extensive guide on the top risks for serverless applications (Cloud
Security Alliance &amp; PureSec).</li>
<li><a
href="https://www.puresec.io/blog/tag/securing-serverless-blog-series">Securing
serverless blog series</a> - Blog series covering the main differences
between securing traditional applications and serverless ones.</li>
<li><a
href="https://www.jeremydaly.com/securing-serverless-a-newbies-guide/">Securing
Serverless: A Newbie's Guide</a> - A terrific newbie's guide by Jeremy
Daly.</li>
<li><a
href="https://www.youtube.com/watch?v=M7wUanfWs1c&amp;t=2s">Serverless
Security: What are we up against</a> - A conference talk from
ServerlessDays covering serverless security basics.</li>
<li><a
href="https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf">Hacking
Serverless Runtimes</a> - Good early insights presentation from BlackHat
conference 2017.</li>
<li><a
href="https://qconnewyork.com/ny2017/system/files/presentation-slides/serverless_security_and_things_that_go_bump_in_the_night_-_qcon_nyc_2017.pdf">Serverless
Security and Things that Go Bump in the Night</a> - QCon NYC
presentation by Silvexis covering security basics for serverless.</li>
<li><a
href="https://www.usenix.org/system/files/conference/hotcloud18/hotcloud18-paper-hong.pdf">Securing
Cloud via Serverless Design Patterns</a> - Six serverless design
patterns to build security services in the cloud.</li>
<li><a
href="https://www.usenix.org/system/files/conference/atc18/atc18-wang-liang.pdf">Peeking
Behind the Curtains of Serverless Platforms</a> - Provides insights into
architectures, resource utilization, and the performance isolation
efficiency of AWS Lambda, GCF and Azure Functions.</li>
<li><a
href="https://martinfowler.com/articles/serverless.html">Serverless
Architectures</a> - The best overview of serverless architectures; an
in-depth look at what "serverless" means and its trade-offs.</li>
</ul>
<h2 id="vulnerabilities-weaknesses-cves">Vulnerabilities, Weaknesses, CVEs</h2>
<ul>
<li><a
href="https://www.puresec.io/blog/redos-vulnerability-in-aws-lambda-multipart-parser-node-package">ReDoS
in NPM package aws-lambda-multipart-parser</a> - A ReDoS in an NPM
package for AWS Lambda functions.</li>
<li><a
href="https://www.puresec.io/blog/apache_openwhisk_mutability_weakness">Apache
OpenWhisk Action Mutability Weakness</a> - Two vulnerabilities
discovered in Apache OpenWhisk.</li>
<li><a
href="https://www.puresec.io/blog/new-attack-vector-serverless-crypto-mining">Serverless
Crypto-Mining</a> - Exploiting application-layer vulnerabilities in
serverless functions to abuse AWS Lambda for crypto-mining.</li>
</ul>
<h2 id="general-application-security-articles-books">General Application
Security Articles, Books</h2>
<ul>
<li><a
href="https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/">The
Web Application Hacker's Handbook</a> - A classic book on web
application security.</li>
<li><a
href="https://www.amazon.com/Web-Application-Defenders-Cookbook-Protecting/dp/1118362187/">Web
Application Defender's Cookbook</a> - Another classic, covering
ModSecurity protections.</li>
<li><a
href="https://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/">XSS
(Cross Site Scripting) Attacks, Exploits &amp; Defense</a> - The XSS
bible covering all aspects of XSS attacks and protections.</li>
<li><a
href="https://www.amazon.com/Hacking-Exposed-Web-Applications-Third/dp/0071740643">Hacking
Exposed - Web Applications</a> - Another classic book on web application
security.</li>
<li><a
href="https://www.manning.com/books/securing-devops?a_aid=securingdevops&amp;a_bid=1353bcd8">Securing
DevOps</a> - Tons of real world examples on DevOps and security.</li>
</ul>
<h2 id="aws-lambda-general">AWS Lambda (General)</h2>
<ul>
<li><a
href="https://www.amazon.com/Serverless-Architectures-AWS-examples-Lambda/dp/1617293822/">Serverless
Architectures on AWS</a> - This book teaches you how to build, secure
and manage serverless architectures.</li>
<li><a
href="https://hackernoon.com/tips-and-tricks-for-logging-and-monitoring-aws-lambda-functions-885af6da29a5">Tips
&amp; Tricks for logging and monitoring AWS Lambda Functions</a> - Tips
to help you get the most out of your logging and monitoring
infrastructure for your functions.</li>
</ul>
<h2 id="other-interesting-articles--web-pages">Other Interesting Articles /
Web Pages</h2>
<ul>
<li><a href="https://github.com/google/gvisor">Google gVisor</a> -
GitHub repo for Google gVisor project.</li>
<li><a
href="https://cloudplatform.googleblog.com/2018/05/Open-sourcing-gVisor-a-sandboxed-container-runtime.html">Google
gVisor &amp; Google Cloud Functions</a> - A blog post covering Google
gVisor and how it is used with Google Cloud Functions.</li>
<li><a
href="https://console.bluemix.net/docs/openwhisk/openwhisk_about.html#openwhisk_about">IBM
Cloud Functions - Platform Architecture</a> - OpenWhisk &amp; IBM Cloud
Functions overview.</li>
</ul>
<h2 id="license">License</h2>
<p><a
href="https://creativecommons.org/publicdomain/zero/1.0/"><img
src="http://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg"
alt="CC0" /></a></p>
<p>To the extent possible under law, <a
href="https://www.puresec.io">PureSec</a> has waived all copyright and
related or neighboring rights to this work.</p>
<p><a
href="https://github.com/puresec/awesome-serverless-security/">serverlesssecurity.md
Github</a></p>