rhetenor/awesome-awesomeness
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
2d63fe63cdc259a8b0049caa7dfa409165087fa3
awesome-awesomeness/terminal/serverlesssecurity9
Jonas Zeunert 2d63fe63cd Restructure with Makefile + add html output
2024-04-20 19:22:54 +02:00

104 lines
32 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
 :lock: awesome-serverless-security !Awesome (https://awesome.re/badge.svg) (https://awesome.re)
A curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.
Contents
- AWS Lambda Security (#aws-lambda-security)
- Security Tools / Solutions (#security-tools--solutions)
- Azure Functions Security (#azure-functions-security)
- Google Cloud Functions Security (#google-cloud-functions-security)
- Serverless Risks / General (#serverless-risks--general)
- Vulnerabilities, Weaknesses, CVEs (#vulnerabilities-weaknesses-cves)
- General Application Security Articles, Books (#general-application-security-articles-books)
- AWS Lambda (General) (#aws-lambda-general)
- Other Interesting Articles / Web Pages (#other-interesting-articles--web-pages)
AWS Lambda Security
- AWS Lambda Security Best-Practices eBook (https://www.puresec.io/aws-lambda-security-best-practices) - PDF eBook covering all the basics such as: Serverless Top 10, IAM roles & permissions,
CloudTrail, AWS Config, API Gateway security. 
- Foundations of AWS Lambda Security (https://www.puresec.io/on-demand-foundations-of-aws-lambda-security) - Webinar recording covering AWS Lambda security basics, IAM permissions, 
Scalability, Governance. 
- AWS Lambda Security Quick-Start Guide (https://www.puresec.io/blog/aws-lambda-security-quick-guide) - A quick start guide portraying security strategies for AWS Lambda applications. 
- AWS Lambda Security - Design for Failure (https://www.puresec.io/blog/aws-security-best-practices-aws-lambda-security-design-for-failure) - Notes on the importance of IAM permissions for 
AWS Lambda. 
- Attacking an AWS Account via a Lambda Function (https://www.darkreading.com/cloud/securing-serverless-attacking-an-aws-account-via-a-lambda-function/a/d-id/1333047) - An article from 
DarkReading, describing attackers and defenders side of a real serverless bounty hunt. 
- Minimizing the attack surface in Serverless (https://www.slideshare.net/avi_shulman/serverless-minimizing-the-attack-surface) - Presentation covering the basics of serverless attack 
surfaces. 
- Gone in 60 milliseconds: Offensive security in the serverless age (https://www.youtube.com/watch?v=byJBR16xUnc) - A presentation video showing attack vectors using cloud event sources, 
exploitabilities in common serverless patterns and frameworks. 
- Security Best Practices for Serverless Applications (https://www.slideshare.net/AmazonWebServices/security-best-practices-for-serverless-applications-july-2017-aws-online-tech-talks) - 
Basic best-practices for AWS Lambda. 
- AWS IAM best practices (https://www.slideshare.net/AmazonWebServices/sec305-iam-best-practices-aws-reinvent-2014) - Early AWS materials on IAM best practices. 
- The Many-Faced Threats to the Serverless World (https://www.slideshare.net/theburningmonk/security-in-serverless-world-96644428) - An article covering most of the basic security risks.
- How to Encrypt Serverless Environment Variable Secrets with KMS (https://www.metaltoad.com/blog/how-to-encrypt-serverless-environment-variable-secrets-with-kms) - Fundamentals of secrets 
handling with AWS KMS. 
- Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store (https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/) -
How to use parameter store for secrets. 
- A Serverless Journey: AWS Lambda under the hood (https://www.youtube.com/watch?v=QdzV04T_kec) - Great talk on how Lambda works, introduction to Firecracker. 
- Security Considerations for AWS Lambda Runtime API and Layers (https://www.puresec.io/blog/aws-lambda-security-considerations-runtime-api-and-layers) - A blog post on what to keep in mind 
when developing with Layers & Runtime API. 
- The FireCracker Virtual Machine Monitor (https://lwn.net/Articles/775736/) - An analysis of AWS Firecracker. 
- AWS Lambda Serverless Security Workshop (https://github.com/aws-samples/aws-serverless-security-workshop) - Learn techniques to secure a serverless application built with AWS Lambda, Amazon
API Gateway and RDS Aurora (Re:Invent 2018 workshop).
Security Tools / Solutions
- PureSec Serverless Security Platform (https://www.puresec.io/product) - The world's first and most advanced end-to-end serverless security platform. 
- PureSec FunctionShield (https://www.puresec.io/function-shield) - A free AWS Lambda security and Google Cloud Functions library for developers.
- Automated SQL Injection Testing of Serverless Functions (https://www.puresec.io/blog/automated-sql-injection-testing-of-serverless-functions-on-a-shoestring-budget-and-some-good-music) - 
An open source proxy for using SQLMap to test AWS Lambda, natively.
- Auto-Generate Least Privileged IAM Roles for AWS Lambda (https://www.puresec.io/blog/generating-least-privileged-iam-roles-for-aws-lambda-functions-the-easy-way) - A Serverless framework 
plugin for automatically generating least privileged roles using static analysis. 
- OWASP ServerlessGoat (https://www.owasp.org/index.php/OWASP_Serverless_Goat) - A vulnerable AWS Lambda serverless application. 
- Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda (https://blog.codeship.com/secure-serverless-ci-cd-with-codeship-puresec-and-aws-lambda/) - A step by step guide for secure 
serverless CI/CD.
Azure Functions Security
- Azure Functions & Serverless Platform Security (https://gallery.technet.microsoft.com/Azure-Functions-and-c6449f8d) - Some basics on Azure functions security. 
- Run Your Azure Functions from a Package File (https://docs.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package) - Deploying immutable Azure functions. 
- Security in Azure App Service & Azure Functions (https://docs.microsoft.com/en-us/azure/app-service/app-service-security) - More basic concepts for Azure functions. 
- Identity & Secure Resource Access in App Service & Azure Functions (https://www.youtube.com/watch?v=iFDXDQXRJ8Y) - Explores features in App Service or Azure functions which make working 
with identities simple (Build Conference). 
- Secure Azure Functions with JWT access tokens (https://blog.wille-zone.de/post/secure-azure-functions-with-jwt-token/) - A blog post on how to use JWT access tokens with Azure functions.
Google Cloud Functions Security
- Function Identity (https://cloud.google.com/functions/docs/securing/function-identity) - Documentation for Google Cloud Functions IAM and per-function identity.
Serverless Risks / General
- CSA: The 12 Most Critical Risks for Serverless Applications 2019 (https://www.puresec.io/serverless-security-top-12-csa-puresec) - The most extensive guide on the top risks for serverless 
applications (Cloud Security Alliance & PureSec).
- Securing serverless blog series (https://www.puresec.io/blog/tag/securing-serverless-blog-series) - Blog series covering the main differences between security traditional applications and 
serverless. 
- Securing Serverless: A Newbie's Guide (https://www.jeremydaly.com/securing-serverless-a-newbies-guide/) - A terrific newbie's guide by Jeremy Daly. 
- Serverless Security: What are we up against (https://www.youtube.com/watch?v=M7wUanfWs1c&t=2s) - A conference talk from ServerlessDays covering serverless security basics. 
- Hacking Serverless Runtimes (https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf) - Good early insights presentation from BlackHat conference 2017.
- Serverless Security and Things that Go Bump in the Night 
(https://qconnewyork.com/ny2017/system/files/presentation-slides/serverless_security_and_things_that_go_bump_in_the_night_-_qcon_nyc_2017.pdf) - QCon NYC presentation by Silvexis covering 
security basics for serverless.
- Securing Cloud via Serverless Design Patterns (https://www.usenix.org/system/files/conference/hotcloud18/hotcloud18-paper-hong.pdf) - Six serverless design patterns to build security 
services in the cloud. 
- Peeking Behind the Curtains of Serverless Platforms (https://www.usenix.org/system/files/conference/atc18/atc18-wang-liang.pdf) - Provides insights into architectures, resource 
utilization, and the performance isolation efficiency of AWS Lambda, GCF and Azure Functions.
- Serverless Architectures (https://martinfowler.com/articles/serverless.html) - The best overview on serverless architectures. This article provides an in-depth look at serverless 
architectures. 
Vulnerabilities, Weaknesses, CVEs
- ReDoS in NPM package aws-lambda-multipart-parser (https://www.puresec.io/blog/redos-vulnerability-in-aws-lambda-multipart-parser-node-package) - A ReDoS in an NPM package for AWS Lambda 
functions. 
- Apache OpenWhisk Action Mutability Weakness (https://www.puresec.io/blog/apache_openwhisk_mutability_weakness) - Two vulnerabilities discovered in Apache OpenWhisk.
- Serverless Cypto-Mining (https://www.puresec.io/blog/new-attack-vector-serverless-crypto-mining) - Exploiting app layer vulnerabilities in serverless functions to abuse AWS Lambda for 
crypto-mining.
General Application Security Articles, Books
- The Web Application Hackers Handbook (https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/) - A classic book on web application security.
- Web Application Defenders Cookbook (https://www.amazon.com/Web-Application-Defenders-Cookbook-Protecting/dp/1118362187/) - Another classic, covering ModSecurity protections. 
- XSS (Cross Site Scripting) Attacks, Exploits & Defense (https://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/) - The XSS bible covering all aspects of XSS attacks and
protections.
- Hacking Exposed - Web Applications (https://www.amazon.com/Hacking-Exposed-Web-Applications-Third/dp/0071740643) - Another classic book on web application security.
- Securing DevOps (https://www.manning.com/books/securing-devops?a_aid=securingdevops&a_bid=1353bcd8) - Tons of real world examples on DevOps and security.
AWS Lambda (General)
- Serverless Architectures on AWS (https://www.amazon.com/Serverless-Architectures-AWS-examples-Lambda/dp/1617293822/) - This book teaches you how to build, secure and manage serverless 
architectures.
- Tips & Tricks for logging and monitoring AWS Lambda Functions (https://hackernoon.com/tips-and-tricks-for-logging-and-monitoring-aws-lambda-functions-885af6da29a5) - Tips to help you get 
the most out of your logging and monitoring infrastructure for your functions .
Other Interesting Articles / Web Pages
- Google gVisor (https://github.com/google/gvisor) - GitHub repo for Google gVisor project. 
- Google gVisor & Google Cloud Functions (https://cloudplatform.googleblog.com/2018/05/Open-sourcing-gVisor-a-sandboxed-container-runtime.html) - A blog post covering Google gVisor and how it
is used with Google Cloud Functions.
- IBM Cloud Functions - Platform Architecture (https://console.bluemix.net/docs/openwhisk/openwhisk_about.html#openwhisk_about) - OpenWhisk & IBM Cloud Functions overview. 
License
!CC0 (http://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg) (https://creativecommons.org/publicdomain/zero/1.0/)
To the extent possible under law, PureSec (https://www.puresec.io) has waived all copyright and related or neighboring rights to this work.
Reference in New Issue View Git Blame Copy Permalink