awesome-serverless-security
A curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.
589 stars
37 watching
92 forks
last commit: over 2 years ago
Linked from 7 awesome lists
awesomeaws-lambdaazure-function-appsgoogle-cloud-functionsibm-cloud-functionssecurityserverless-applicationsserverless-architectures
awesome-serverless-security / AWS Lambda Security | |||
AWS Lambda Security Best-Practices eBook | PDF eBook covering all the basics such as: Serverless Top 10, IAM roles & permissions, CloudTrail, AWS Config, API Gateway security | ||
Foundations of AWS Lambda Security | Webinar recording covering AWS Lambda security basics, IAM permissions, Scalability, Governance | ||
AWS Lambda Security Quick-Start Guide | A quick start guide portraying security strategies for AWS Lambda applications | ||
AWS Lambda Security - Design for Failure | Notes on the importance of IAM permissions for AWS Lambda | ||
Attacking an AWS Account via a Lambda Function | An article from DarkReading, describing attackers and defenders side of a real serverless bounty hunt | ||
Minimizing the attack surface in Serverless | Presentation covering the basics of serverless attack surfaces | ||
Gone in 60 milliseconds: Offensive security in the serverless age | A presentation video showing attack vectors using cloud event sources, exploitabilities in common serverless patterns and frameworks | ||
Security Best Practices for Serverless Applications | Basic best-practices for AWS Lambda | ||
AWS IAM best practices | Early AWS materials on IAM best practices | ||
The Many-Faced Threats to the Serverless World | An article covering most of the basic security risks | ||
How to Encrypt Serverless Environment Variable Secrets with KMS | Fundamentals of secrets handling with AWS KMS | ||
Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store | How to use parameter store for secrets | ||
A Serverless Journey: AWS Lambda under the hood | Great talk on how Lambda works, introduction to Firecracker | ||
Security Considerations for AWS Lambda Runtime API and Layers | A blog post on what to keep in mind when developing with Layers & Runtime API | ||
The FireCracker Virtual Machine Monitor | An analysis of AWS Firecracker | ||
AWS Lambda Serverless Security Workshop | 526 | 15 days ago | Learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora (Re:Invent 2018 workshop) |
awesome-serverless-security / Security Tools / Solutions | |||
PureSec Serverless Security Platform | The world's first and most advanced end-to-end serverless security platform | ||
PureSec FunctionShield | A free AWS Lambda security and Google Cloud Functions library for developers | ||
Automated SQL Injection Testing of Serverless Functions | An open source proxy for using SQLMap to test AWS Lambda, natively | ||
Auto-Generate Least Privileged IAM Roles for AWS Lambda | A Serverless framework plugin for automatically generating least privileged roles using static analysis | ||
OWASP ServerlessGoat | A vulnerable AWS Lambda serverless application | ||
Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda | A step by step guide for secure serverless CI/CD | ||
awesome-serverless-security / Azure Functions Security | |||
Azure Functions & Serverless Platform Security | Some basics on Azure functions security | ||
Run Your Azure Functions from a Package File | Deploying immutable Azure functions | ||
Security in Azure App Service & Azure Functions | More basic concepts for Azure functions | ||
Identity & Secure Resource Access in App Service & Azure Functions | Explores features in App Service or Azure functions which make working with identities simple (Build Conference) | ||
Secure Azure Functions with JWT access tokens | A blog post on how to use JWT access tokens with Azure functions | ||
awesome-serverless-security / Google Cloud Functions Security | |||
Function Identity | Documentation for Google Cloud Functions IAM and per-function identity | ||
awesome-serverless-security / Serverless Risks / General | |||
CSA: The 12 Most Critical Risks for Serverless Applications 2019 | The most extensive guide on the top risks for serverless applications (Cloud Security Alliance & PureSec) | ||
Securing serverless blog series | Blog series covering the main differences between security traditional applications and serverless | ||
Securing Serverless: A Newbie's Guide | A terrific newbie's guide by Jeremy Daly | ||
Serverless Security: What are we up against | A conference talk from ServerlessDays covering serverless security basics | ||
Hacking Serverless Runtimes | Good early insights presentation from BlackHat conference 2017 | ||
Serverless Security and Things that Go Bump in the Night | QCon NYC presentation by Silvexis covering security basics for serverless | ||
Securing Cloud via Serverless Design Patterns | Six serverless design patterns to build security services in the cloud | ||
Peeking Behind the Curtains of Serverless Platforms | Provides insights into architectures, resource utilization, and the performance isolation efficiency of AWS Lambda, GCF and Azure Functions | ||
Serverless Architectures | The best overview on serverless architectures. This article provides an in-depth look at serverless architectures | ||
awesome-serverless-security / Vulnerabilities, Weaknesses, CVEs | |||
ReDoS in NPM package aws-lambda-multipart-parser | A ReDoS in an NPM package for AWS Lambda functions | ||
Apache OpenWhisk Action Mutability Weakness | Two vulnerabilities discovered in Apache OpenWhisk | ||
Serverless Cypto-Mining | Exploiting app layer vulnerabilities in serverless functions to abuse AWS Lambda for crypto-mining | ||
awesome-serverless-security / General Application Security Articles, Books | |||
The Web Application Hacker’s Handbook | A classic book on web application security | ||
Web Application Defender’s Cookbook | Another classic, covering ModSecurity protections | ||
XSS (Cross Site Scripting) Attacks, Exploits & Defense | The XSS bible covering all aspects of XSS attacks and protections | ||
Hacking Exposed - Web Applications | Another classic book on web application security | ||
Securing DevOps | Tons of real world examples on DevOps and security | ||
awesome-serverless-security / AWS Lambda (General) | |||
Serverless Architectures on AWS | This book teaches you how to build, secure and manage serverless architectures | ||
Tips & Tricks for logging and monitoring AWS Lambda Functions | Tips to help you get the most out of your logging and monitoring infrastructure for your functions | ||
awesome-serverless-security / Other Interesting Articles / Web Pages | |||
Google gVisor | 15,637 | 3 days ago | GitHub repo for Google gVisor project |
Google gVisor & Google Cloud Functions | A blog post covering Google gVisor and how it is used with Google Cloud Functions | ||
IBM Cloud Functions - Platform Architecture | OpenWhisk & IBM Cloud Functions overview |