
A curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.


awesome-serverless-security / AWS Lambda Security

AWS Lambda Security Best-Practices eBook - PDF eBook covering the basics: Serverless Top 10, IAM roles & permissions, CloudTrail, AWS Config, API Gateway security
Foundations of AWS Lambda Security - Webinar recording covering AWS Lambda security basics, IAM permissions, scalability, governance
AWS Lambda Security Quick-Start Guide - A quick-start guide outlining security strategies for AWS Lambda applications
AWS Lambda Security - Design for Failure - Notes on the importance of IAM permissions for AWS Lambda
Attacking an AWS Account via a Lambda Function - A DarkReading article describing the attacker's and defender's sides of a real serverless bounty hunt
Minimizing the attack surface in Serverless - Presentation covering the basics of serverless attack surfaces
Gone in 60 milliseconds: Offensive security in the serverless age - Presentation video showing attack vectors that use cloud event sources, and exploitable flaws in common serverless patterns and frameworks
Security Best Practices for Serverless Applications - Basic best practices for AWS Lambda
AWS IAM best practices - Early AWS material on IAM best practices
The Many-Faced Threats to the Serverless World - An article covering most of the basic security risks
How to Encrypt Serverless Environment Variable Secrets with KMS - Fundamentals of secrets handling with AWS KMS
Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store - How to use Parameter Store for secrets
A Serverless Journey: AWS Lambda under the hood - Great talk on how Lambda works, with an introduction to Firecracker
Security Considerations for AWS Lambda Runtime API and Layers - A blog post on what to keep in mind when developing with Layers and the Runtime API
The FireCracker Virtual Machine Monitor - An analysis of AWS Firecracker
AWS Lambda Serverless Security Workshop - Learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora (re:Invent 2018 workshop)

awesome-serverless-security / Security Tools / Solutions

PureSec Serverless Security Platform - The world's first and most advanced end-to-end serverless security platform
PureSec FunctionShield - A free security library for developers of AWS Lambda and Google Cloud Functions
Automated SQL Injection Testing of Serverless Functions - An open source proxy for using SQLMap to test AWS Lambda functions natively
Auto-Generate Least Privileged IAM Roles for AWS Lambda - A Serverless Framework plugin that automatically generates least-privileged roles using static analysis
OWASP ServerlessGoat - A vulnerable AWS Lambda serverless application
Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda - A step-by-step guide to secure serverless CI/CD

awesome-serverless-security / Azure Functions Security

Azure Functions & Serverless Platform Security - Some basics on Azure Functions security
Run Your Azure Functions from a Package File - Deploying immutable Azure Functions
Security in Azure App Service & Azure Functions - More basic concepts for Azure Functions
Identity & Secure Resource Access in App Service & Azure Functions - Explores features in App Service and Azure Functions that make working with identities simple (Build conference)
Secure Azure Functions with JWT access tokens - A blog post on how to use JWT access tokens with Azure Functions

awesome-serverless-security / Google Cloud Functions Security

Function Identity - Documentation for Google Cloud Functions IAM and per-function identity

awesome-serverless-security / Serverless Risks / General

CSA: The 12 Most Critical Risks for Serverless Applications 2019 - The most extensive guide on the top risks for serverless applications (Cloud Security Alliance & PureSec)
Securing serverless blog series - Blog series covering the main differences between securing traditional applications and securing serverless ones
Securing Serverless: A Newbie's Guide - A terrific newbie's guide by Jeremy Daly
Serverless Security: What are we up against - A ServerlessDays conference talk covering serverless security basics
Hacking Serverless Runtimes - Presentation with good early insights from the Black Hat 2017 conference
Serverless Security and Things that Go Bump in the Night - QCon NYC presentation by Silvexis covering security basics for serverless
Securing Cloud via Serverless Design Patterns - Six serverless design patterns for building security services in the cloud
Peeking Behind the Curtains of Serverless Platforms - Provides insights into the architectures, resource utilization, and performance isolation efficiency of AWS Lambda, Google Cloud Functions and Azure Functions
Serverless Architectures - The best overview of serverless architectures; an in-depth look at the topic

awesome-serverless-security / Vulnerabilities, Weaknesses, CVEs

ReDoS in NPM package aws-lambda-multipart-parser - A ReDoS vulnerability in an NPM package used by AWS Lambda functions
Apache OpenWhisk Action Mutability Weakness - Two vulnerabilities discovered in Apache OpenWhisk
Serverless Crypto-Mining - Exploiting application-layer vulnerabilities in serverless functions to abuse AWS Lambda for crypto-mining

awesome-serverless-security / General Application Security Articles, Books

The Web Application Hacker's Handbook - A classic book on web application security
Web Application Defender's Cookbook - Another classic, covering ModSecurity protections
XSS (Cross Site Scripting) Attacks, Exploits & Defense - The XSS bible, covering all aspects of XSS attacks and protections
Hacking Exposed - Web Applications - Another classic book on web application security
Securing DevOps - Tons of real-world examples on DevOps and security

awesome-serverless-security / AWS Lambda (General)

Serverless Architectures on AWS - This book teaches you how to build, secure and manage serverless architectures
Tips & Tricks for logging and monitoring AWS Lambda Functions - Tips to help you get the most out of your logging and monitoring infrastructure for your functions

awesome-serverless-security / Other Interesting Articles / Web Pages

Google gVisor - GitHub repo for the Google gVisor project
Google gVisor & Google Cloud Functions - A blog post covering Google gVisor and how it is used with Google Cloud Functions
IBM Cloud Functions - Platform Architecture - Overview of OpenWhisk and IBM Cloud Functions

