32 KiB
32 KiB
:lock: awesome-serverless-security !Awesome (https://awesome.re/badge.svg) (https://awesome.re)
A curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.
Contents
- AWS Lambda Security (#aws-lambda-security)
- Security Tools / Solutions (#security-tools--solutions)
- Azure Functions Security (#azure-functions-security)
- Google Cloud Functions Security (#google-cloud-functions-security)
- Serverless Risks / General (#serverless-risks--general)
- Vulnerabilities, Weaknesses, CVEs (#vulnerabilities-weaknesses-cves)
- General Application Security Articles, Books (#general-application-security-articles-books)
- AWS Lambda (General) (#aws-lambda-general)
- Other Interesting Articles / Web Pages (#other-interesting-articles--web-pages)
AWS Lambda Security
- AWS Lambda Security Best-Practices eBook (https://www.puresec.io/aws-lambda-security-best-practices) - PDF eBook covering all the basics such as: Serverless Top 10, IAM roles & permissions,
CloudTrail, AWS Config, API Gateway security.
- Foundations of AWS Lambda Security (https://www.puresec.io/on-demand-foundations-of-aws-lambda-security) - Webinar recording covering AWS Lambda security basics, IAM permissions,
Scalability, Governance.
- AWS Lambda Security Quick-Start Guide (https://www.puresec.io/blog/aws-lambda-security-quick-guide) - A quick start guide portraying security strategies for AWS Lambda applications.
- AWS Lambda Security - Design for Failure (https://www.puresec.io/blog/aws-security-best-practices-aws-lambda-security-design-for-failure) - Notes on the importance of IAM permissions for
AWS Lambda.
- Attacking an AWS Account via a Lambda Function (https://www.darkreading.com/cloud/securing-serverless-attacking-an-aws-account-via-a-lambda-function/a/d-id/1333047) - An article from
DarkReading, describing attackers and defenders side of a real serverless bounty hunt.
- Minimizing the attack surface in Serverless (https://www.slideshare.net/avi_shulman/serverless-minimizing-the-attack-surface) - Presentation covering the basics of serverless attack
surfaces.
- Gone in 60 milliseconds: Offensive security in the serverless age (https://www.youtube.com/watch?v=byJBR16xUnc) - A presentation video showing attack vectors using cloud event sources,
exploitabilities in common serverless patterns and frameworks.
- Security Best Practices for Serverless Applications (https://www.slideshare.net/AmazonWebServices/security-best-practices-for-serverless-applications-july-2017-aws-online-tech-talks) -
Basic best-practices for AWS Lambda.
- AWS IAM best practices (https://www.slideshare.net/AmazonWebServices/sec305-iam-best-practices-aws-reinvent-2014) - Early AWS materials on IAM best practices.
- The Many-Faced Threats to the Serverless World (https://www.slideshare.net/theburningmonk/security-in-serverless-world-96644428) - An article covering most of the basic security risks.
- How to Encrypt Serverless Environment Variable Secrets with KMS (https://www.metaltoad.com/blog/how-to-encrypt-serverless-environment-variable-secrets-with-kms) - Fundamentals of secrets
handling with AWS KMS.
- Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store (https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/) -
How to use parameter store for secrets.
- A Serverless Journey: AWS Lambda under the hood (https://www.youtube.com/watch?v=QdzV04T_kec) - Great talk on how Lambda works, introduction to Firecracker.
- Security Considerations for AWS Lambda Runtime API and Layers (https://www.puresec.io/blog/aws-lambda-security-considerations-runtime-api-and-layers) - A blog post on what to keep in mind
when developing with Layers & Runtime API.
- The FireCracker Virtual Machine Monitor (https://lwn.net/Articles/775736/) - An analysis of AWS Firecracker.
- AWS Lambda Serverless Security Workshop (https://github.com/aws-samples/aws-serverless-security-workshop) - Learn techniques to secure a serverless application built with AWS Lambda, Amazon
API Gateway and RDS Aurora (Re:Invent 2018 workshop).
Security Tools / Solutions
- PureSec Serverless Security Platform (https://www.puresec.io/product) - The world's first and most advanced end-to-end serverless security platform.
- PureSec FunctionShield (https://www.puresec.io/function-shield) - A free AWS Lambda security and Google Cloud Functions library for developers.
- Automated SQL Injection Testing of Serverless Functions (https://www.puresec.io/blog/automated-sql-injection-testing-of-serverless-functions-on-a-shoestring-budget-and-some-good-music) -
An open source proxy for using SQLMap to test AWS Lambda, natively.
- Auto-Generate Least Privileged IAM Roles for AWS Lambda (https://www.puresec.io/blog/generating-least-privileged-iam-roles-for-aws-lambda-functions-the-easy-way) - A Serverless framework
plugin for automatically generating least privileged roles using static analysis.
- OWASP ServerlessGoat (https://www.owasp.org/index.php/OWASP_Serverless_Goat) - A vulnerable AWS Lambda serverless application.
- Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda (https://blog.codeship.com/secure-serverless-ci-cd-with-codeship-puresec-and-aws-lambda/) - A step by step guide for secure
serverless CI/CD.
Azure Functions Security
- Azure Functions & Serverless Platform Security (https://gallery.technet.microsoft.com/Azure-Functions-and-c6449f8d) - Some basics on Azure functions security.
- Run Your Azure Functions from a Package File (https://docs.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package) - Deploying immutable Azure functions.
- Security in Azure App Service & Azure Functions (https://docs.microsoft.com/en-us/azure/app-service/app-service-security) - More basic concepts for Azure functions.
- Identity & Secure Resource Access in App Service & Azure Functions (https://www.youtube.com/watch?v=iFDXDQXRJ8Y) - Explores features in App Service or Azure functions which make working
with identities simple (Build Conference).
- Secure Azure Functions with JWT access tokens (https://blog.wille-zone.de/post/secure-azure-functions-with-jwt-token/) - A blog post on how to use JWT access tokens with Azure functions.
Google Cloud Functions Security
- Function Identity (https://cloud.google.com/functions/docs/securing/function-identity) - Documentation for Google Cloud Functions IAM and per-function identity.
Serverless Risks / General
- CSA: The 12 Most Critical Risks for Serverless Applications 2019 (https://www.puresec.io/serverless-security-top-12-csa-puresec) - The most extensive guide on the top risks for serverless
applications (Cloud Security Alliance & PureSec).
- Securing serverless blog series (https://www.puresec.io/blog/tag/securing-serverless-blog-series) - Blog series covering the main differences between security traditional applications and
serverless.
- Securing Serverless: A Newbie's Guide (https://www.jeremydaly.com/securing-serverless-a-newbies-guide/) - A terrific newbie's guide by Jeremy Daly.
- Serverless Security: What are we up against (https://www.youtube.com/watch?v=M7wUanfWs1c&t=2s) - A conference talk from ServerlessDays covering serverless security basics.
- Hacking Serverless Runtimes (https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf) - Good early insights presentation from BlackHat conference 2017.
- Serverless Security and Things that Go Bump in the Night
(https://qconnewyork.com/ny2017/system/files/presentation-slides/serverless_security_and_things_that_go_bump_in_the_night_-_qcon_nyc_2017.pdf) - QCon NYC presentation by Silvexis covering
security basics for serverless.
- Securing Cloud via Serverless Design Patterns (https://www.usenix.org/system/files/conference/hotcloud18/hotcloud18-paper-hong.pdf) - Six serverless design patterns to build security
services in the cloud.
- Peeking Behind the Curtains of Serverless Platforms (https://www.usenix.org/system/files/conference/atc18/atc18-wang-liang.pdf) - Provides insights into architectures, resource
utilization, and the performance isolation efficiency of AWS Lambda, GCF and Azure Functions.
- Serverless Architectures (https://martinfowler.com/articles/serverless.html) - The best overview on serverless architectures. This article provides an in-depth look at serverless
architectures.
Vulnerabilities, Weaknesses, CVEs
- ReDoS in NPM package aws-lambda-multipart-parser (https://www.puresec.io/blog/redos-vulnerability-in-aws-lambda-multipart-parser-node-package) - A ReDoS in an NPM package for AWS Lambda
functions.
- Apache OpenWhisk Action Mutability Weakness (https://www.puresec.io/blog/apache_openwhisk_mutability_weakness) - Two vulnerabilities discovered in Apache OpenWhisk.
- Serverless Cypto-Mining (https://www.puresec.io/blog/new-attack-vector-serverless-crypto-mining) - Exploiting app layer vulnerabilities in serverless functions to abuse AWS Lambda for
crypto-mining.
General Application Security Articles, Books
- The Web Application Hacker’s Handbook (https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/) - A classic book on web application security.
- Web Application Defender’s Cookbook (https://www.amazon.com/Web-Application-Defenders-Cookbook-Protecting/dp/1118362187/) - Another classic, covering ModSecurity protections.
- XSS (Cross Site Scripting) Attacks, Exploits & Defense (https://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/) - The XSS bible covering all aspects of XSS attacks and
protections.
- Hacking Exposed - Web Applications (https://www.amazon.com/Hacking-Exposed-Web-Applications-Third/dp/0071740643) - Another classic book on web application security.
- Securing DevOps (https://www.manning.com/books/securing-devops?a_aid=securingdevops&a_bid=1353bcd8) - Tons of real world examples on DevOps and security.
AWS Lambda (General)
- Serverless Architectures on AWS (https://www.amazon.com/Serverless-Architectures-AWS-examples-Lambda/dp/1617293822/) - This book teaches you how to build, secure and manage serverless
architectures.
- Tips & Tricks for logging and monitoring AWS Lambda Functions (https://hackernoon.com/tips-and-tricks-for-logging-and-monitoring-aws-lambda-functions-885af6da29a5) - Tips to help you get
the most out of your logging and monitoring infrastructure for your functions .
Other Interesting Articles / Web Pages
- Google gVisor (https://github.com/google/gvisor) - GitHub repo for Google gVisor project.
- Google gVisor & Google Cloud Functions (https://cloudplatform.googleblog.com/2018/05/Open-sourcing-gVisor-a-sandboxed-container-runtime.html) - A blog post covering Google gVisor and how it
is used with Google Cloud Functions.
- IBM Cloud Functions - Platform Architecture (https://console.bluemix.net/docs/openwhisk/openwhisk_about.html#openwhisk_about) - OpenWhisk & IBM Cloud Functions overview.
License
!CC0 (http://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg) (https://creativecommons.org/publicdomain/zero/1.0/)
To the extent possible under law, PureSec (https://www.puresec.io) has waived all copyright and related or neighboring rights to this work.
A curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.
Contents
- AWS Lambda Security (#aws-lambda-security)
- Security Tools / Solutions (#security-tools--solutions)
- Azure Functions Security (#azure-functions-security)
- Google Cloud Functions Security (#google-cloud-functions-security)
- Serverless Risks / General (#serverless-risks--general)
- Vulnerabilities, Weaknesses, CVEs (#vulnerabilities-weaknesses-cves)
- General Application Security Articles, Books (#general-application-security-articles-books)
- AWS Lambda (General) (#aws-lambda-general)
- Other Interesting Articles / Web Pages (#other-interesting-articles--web-pages)
AWS Lambda Security
- AWS Lambda Security Best-Practices eBook (https://www.puresec.io/aws-lambda-security-best-practices) - PDF eBook covering all the basics such as: Serverless Top 10, IAM roles & permissions,
CloudTrail, AWS Config, API Gateway security.
- Foundations of AWS Lambda Security (https://www.puresec.io/on-demand-foundations-of-aws-lambda-security) - Webinar recording covering AWS Lambda security basics, IAM permissions,
Scalability, Governance.
- AWS Lambda Security Quick-Start Guide (https://www.puresec.io/blog/aws-lambda-security-quick-guide) - A quick start guide portraying security strategies for AWS Lambda applications.
- AWS Lambda Security - Design for Failure (https://www.puresec.io/blog/aws-security-best-practices-aws-lambda-security-design-for-failure) - Notes on the importance of IAM permissions for
AWS Lambda.
- Attacking an AWS Account via a Lambda Function (https://www.darkreading.com/cloud/securing-serverless-attacking-an-aws-account-via-a-lambda-function/a/d-id/1333047) - An article from
DarkReading, describing attackers and defenders side of a real serverless bounty hunt.
- Minimizing the attack surface in Serverless (https://www.slideshare.net/avi_shulman/serverless-minimizing-the-attack-surface) - Presentation covering the basics of serverless attack
surfaces.
- Gone in 60 milliseconds: Offensive security in the serverless age (https://www.youtube.com/watch?v=byJBR16xUnc) - A presentation video showing attack vectors using cloud event sources,
exploitabilities in common serverless patterns and frameworks.
- Security Best Practices for Serverless Applications (https://www.slideshare.net/AmazonWebServices/security-best-practices-for-serverless-applications-july-2017-aws-online-tech-talks) -
Basic best-practices for AWS Lambda.
- AWS IAM best practices (https://www.slideshare.net/AmazonWebServices/sec305-iam-best-practices-aws-reinvent-2014) - Early AWS materials on IAM best practices.
- The Many-Faced Threats to the Serverless World (https://www.slideshare.net/theburningmonk/security-in-serverless-world-96644428) - An article covering most of the basic security risks.
- How to Encrypt Serverless Environment Variable Secrets with KMS (https://www.metaltoad.com/blog/how-to-encrypt-serverless-environment-variable-secrets-with-kms) - Fundamentals of secrets
handling with AWS KMS.
- Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store (https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/) -
How to use parameter store for secrets.
- A Serverless Journey: AWS Lambda under the hood (https://www.youtube.com/watch?v=QdzV04T_kec) - Great talk on how Lambda works, introduction to Firecracker.
- Security Considerations for AWS Lambda Runtime API and Layers (https://www.puresec.io/blog/aws-lambda-security-considerations-runtime-api-and-layers) - A blog post on what to keep in mind
when developing with Layers & Runtime API.
- The FireCracker Virtual Machine Monitor (https://lwn.net/Articles/775736/) - An analysis of AWS Firecracker.
- AWS Lambda Serverless Security Workshop (https://github.com/aws-samples/aws-serverless-security-workshop) - Learn techniques to secure a serverless application built with AWS Lambda, Amazon
API Gateway and RDS Aurora (Re:Invent 2018 workshop).
Security Tools / Solutions
- PureSec Serverless Security Platform (https://www.puresec.io/product) - The world's first and most advanced end-to-end serverless security platform.
- PureSec FunctionShield (https://www.puresec.io/function-shield) - A free AWS Lambda security and Google Cloud Functions library for developers.
- Automated SQL Injection Testing of Serverless Functions (https://www.puresec.io/blog/automated-sql-injection-testing-of-serverless-functions-on-a-shoestring-budget-and-some-good-music) -
An open source proxy for using SQLMap to test AWS Lambda, natively.
- Auto-Generate Least Privileged IAM Roles for AWS Lambda (https://www.puresec.io/blog/generating-least-privileged-iam-roles-for-aws-lambda-functions-the-easy-way) - A Serverless framework
plugin for automatically generating least privileged roles using static analysis.
- OWASP ServerlessGoat (https://www.owasp.org/index.php/OWASP_Serverless_Goat) - A vulnerable AWS Lambda serverless application.
- Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda (https://blog.codeship.com/secure-serverless-ci-cd-with-codeship-puresec-and-aws-lambda/) - A step by step guide for secure
serverless CI/CD.
Azure Functions Security
- Azure Functions & Serverless Platform Security (https://gallery.technet.microsoft.com/Azure-Functions-and-c6449f8d) - Some basics on Azure functions security.
- Run Your Azure Functions from a Package File (https://docs.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package) - Deploying immutable Azure functions.
- Security in Azure App Service & Azure Functions (https://docs.microsoft.com/en-us/azure/app-service/app-service-security) - More basic concepts for Azure functions.
- Identity & Secure Resource Access in App Service & Azure Functions (https://www.youtube.com/watch?v=iFDXDQXRJ8Y) - Explores features in App Service or Azure functions which make working
with identities simple (Build Conference).
- Secure Azure Functions with JWT access tokens (https://blog.wille-zone.de/post/secure-azure-functions-with-jwt-token/) - A blog post on how to use JWT access tokens with Azure functions.
Google Cloud Functions Security
- Function Identity (https://cloud.google.com/functions/docs/securing/function-identity) - Documentation for Google Cloud Functions IAM and per-function identity.
Serverless Risks / General
- CSA: The 12 Most Critical Risks for Serverless Applications 2019 (https://www.puresec.io/serverless-security-top-12-csa-puresec) - The most extensive guide on the top risks for serverless
applications (Cloud Security Alliance & PureSec).
- Securing serverless blog series (https://www.puresec.io/blog/tag/securing-serverless-blog-series) - Blog series covering the main differences between security traditional applications and
serverless.
- Securing Serverless: A Newbie's Guide (https://www.jeremydaly.com/securing-serverless-a-newbies-guide/) - A terrific newbie's guide by Jeremy Daly.
- Serverless Security: What are we up against (https://www.youtube.com/watch?v=M7wUanfWs1c&t=2s) - A conference talk from ServerlessDays covering serverless security basics.
- Hacking Serverless Runtimes (https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf) - Good early insights presentation from BlackHat conference 2017.
- Serverless Security and Things that Go Bump in the Night
(https://qconnewyork.com/ny2017/system/files/presentation-slides/serverless_security_and_things_that_go_bump_in_the_night_-_qcon_nyc_2017.pdf) - QCon NYC presentation by Silvexis covering
security basics for serverless.
- Securing Cloud via Serverless Design Patterns (https://www.usenix.org/system/files/conference/hotcloud18/hotcloud18-paper-hong.pdf) - Six serverless design patterns to build security
services in the cloud.
- Peeking Behind the Curtains of Serverless Platforms (https://www.usenix.org/system/files/conference/atc18/atc18-wang-liang.pdf) - Provides insights into architectures, resource
utilization, and the performance isolation efficiency of AWS Lambda, GCF and Azure Functions.
- Serverless Architectures (https://martinfowler.com/articles/serverless.html) - The best overview on serverless architectures. This article provides an in-depth look at serverless
architectures.
Vulnerabilities, Weaknesses, CVEs
- ReDoS in NPM package aws-lambda-multipart-parser (https://www.puresec.io/blog/redos-vulnerability-in-aws-lambda-multipart-parser-node-package) - A ReDoS in an NPM package for AWS Lambda
functions.
- Apache OpenWhisk Action Mutability Weakness (https://www.puresec.io/blog/apache_openwhisk_mutability_weakness) - Two vulnerabilities discovered in Apache OpenWhisk.
- Serverless Cypto-Mining (https://www.puresec.io/blog/new-attack-vector-serverless-crypto-mining) - Exploiting app layer vulnerabilities in serverless functions to abuse AWS Lambda for
crypto-mining.
General Application Security Articles, Books
- The Web Application Hacker’s Handbook (https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/) - A classic book on web application security.
- Web Application Defender’s Cookbook (https://www.amazon.com/Web-Application-Defenders-Cookbook-Protecting/dp/1118362187/) - Another classic, covering ModSecurity protections.
- XSS (Cross Site Scripting) Attacks, Exploits & Defense (https://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/) - The XSS bible covering all aspects of XSS attacks and
protections.
- Hacking Exposed - Web Applications (https://www.amazon.com/Hacking-Exposed-Web-Applications-Third/dp/0071740643) - Another classic book on web application security.
- Securing DevOps (https://www.manning.com/books/securing-devops?a_aid=securingdevops&a_bid=1353bcd8) - Tons of real world examples on DevOps and security.
AWS Lambda (General)
- Serverless Architectures on AWS (https://www.amazon.com/Serverless-Architectures-AWS-examples-Lambda/dp/1617293822/) - This book teaches you how to build, secure and manage serverless
architectures.
- Tips & Tricks for logging and monitoring AWS Lambda Functions (https://hackernoon.com/tips-and-tricks-for-logging-and-monitoring-aws-lambda-functions-885af6da29a5) - Tips to help you get
the most out of your logging and monitoring infrastructure for your functions .
Other Interesting Articles / Web Pages
- Google gVisor (https://github.com/google/gvisor) - GitHub repo for Google gVisor project.
- Google gVisor & Google Cloud Functions (https://cloudplatform.googleblog.com/2018/05/Open-sourcing-gVisor-a-sandboxed-container-runtime.html) - A blog post covering Google gVisor and how it
is used with Google Cloud Functions.
- IBM Cloud Functions - Platform Architecture (https://console.bluemix.net/docs/openwhisk/openwhisk_about.html#openwhisk_about) - OpenWhisk & IBM Cloud Functions overview.
License
!CC0 (http://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg) (https://creativecommons.org/publicdomain/zero/1.0/)
To the extent possible under law, PureSec (https://www.puresec.io) has waived all copyright and related or neighboring rights to this work.