awesome-serverless-security
Serverless security guide
A curated list of resources on securing serverless applications
A curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.
596 stars
36 watching
92 forks
last commit: over 2 years ago
Linked from 7 awesome lists
awesomeaws-lambdaazure-function-appsgoogle-cloud-functionsibm-cloud-functionssecurityserverless-applicationsserverless-architectures
awesome-serverless-security / AWS Lambda Security | |||
| AWS Lambda Security Best-Practices eBook | PDF eBook covering all the basics such as: Serverless Top 10, IAM roles & permissions, CloudTrail, AWS Config, API Gateway security | ||
| Foundations of AWS Lambda Security | Webinar recording covering AWS Lambda security basics, IAM permissions, Scalability, Governance | ||
| AWS Lambda Security Quick-Start Guide | A quick start guide portraying security strategies for AWS Lambda applications | ||
| AWS Lambda Security - Design for Failure | Notes on the importance of IAM permissions for AWS Lambda | ||
| Attacking an AWS Account via a Lambda Function | An article from DarkReading, describing attackers and defenders side of a real serverless bounty hunt | ||
| Minimizing the attack surface in Serverless | Presentation covering the basics of serverless attack surfaces | ||
| Gone in 60 milliseconds: Offensive security in the serverless age | A presentation video showing attack vectors using cloud event sources, exploitabilities in common serverless patterns and frameworks | ||
| Security Best Practices for Serverless Applications | Basic best-practices for AWS Lambda | ||
| AWS IAM best practices | Early AWS materials on IAM best practices | ||
| The Many-Faced Threats to the Serverless World | An article covering most of the basic security risks | ||
| How to Encrypt Serverless Environment Variable Secrets with KMS | Fundamentals of secrets handling with AWS KMS | ||
| Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store | How to use parameter store for secrets | ||
| A Serverless Journey: AWS Lambda under the hood | Great talk on how Lambda works, introduction to Firecracker | ||
| Security Considerations for AWS Lambda Runtime API and Layers | A blog post on what to keep in mind when developing with Layers & Runtime API | ||
| The FireCracker Virtual Machine Monitor | An analysis of AWS Firecracker | ||
| AWS Lambda Serverless Security Workshop | 528 | 17 days ago | Learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora (Re:Invent 2018 workshop) |
awesome-serverless-security / Security Tools / Solutions | |||
| PureSec Serverless Security Platform | The world's first and most advanced end-to-end serverless security platform | ||
| PureSec FunctionShield | A free AWS Lambda security and Google Cloud Functions library for developers | ||
| Automated SQL Injection Testing of Serverless Functions | An open source proxy for using SQLMap to test AWS Lambda, natively | ||
| Auto-Generate Least Privileged IAM Roles for AWS Lambda | A Serverless framework plugin for automatically generating least privileged roles using static analysis | ||
| OWASP ServerlessGoat | A vulnerable AWS Lambda serverless application | ||
| Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda | A step by step guide for secure serverless CI/CD | ||
awesome-serverless-security / Azure Functions Security | |||
| Azure Functions & Serverless Platform Security | Some basics on Azure functions security | ||
| Run Your Azure Functions from a Package File | Deploying immutable Azure functions | ||
| Security in Azure App Service & Azure Functions | More basic concepts for Azure functions | ||
| Identity & Secure Resource Access in App Service & Azure Functions | Explores features in App Service or Azure functions which make working with identities simple (Build Conference) | ||
| Secure Azure Functions with JWT access tokens | A blog post on how to use JWT access tokens with Azure functions | ||
awesome-serverless-security / Google Cloud Functions Security | |||
| Function Identity | Documentation for Google Cloud Functions IAM and per-function identity | ||
awesome-serverless-security / Serverless Risks / General | |||
| CSA: The 12 Most Critical Risks for Serverless Applications 2019 | The most extensive guide on the top risks for serverless applications (Cloud Security Alliance & PureSec) | ||
| Securing serverless blog series | Blog series covering the main differences between security traditional applications and serverless | ||
| Securing Serverless: A Newbie's Guide | A terrific newbie's guide by Jeremy Daly | ||
| Serverless Security: What are we up against | A conference talk from ServerlessDays covering serverless security basics | ||
| Hacking Serverless Runtimes | Good early insights presentation from BlackHat conference 2017 | ||
| Serverless Security and Things that Go Bump in the Night | QCon NYC presentation by Silvexis covering security basics for serverless | ||
| Securing Cloud via Serverless Design Patterns | Six serverless design patterns to build security services in the cloud | ||
| Peeking Behind the Curtains of Serverless Platforms | Provides insights into architectures, resource utilization, and the performance isolation efficiency of AWS Lambda, GCF and Azure Functions | ||
| Serverless Architectures | The best overview on serverless architectures. This article provides an in-depth look at serverless architectures | ||
awesome-serverless-security / Vulnerabilities, Weaknesses, CVEs | |||
| ReDoS in NPM package aws-lambda-multipart-parser | A ReDoS in an NPM package for AWS Lambda functions | ||
| Apache OpenWhisk Action Mutability Weakness | Two vulnerabilities discovered in Apache OpenWhisk | ||
| Serverless Cypto-Mining | Exploiting app layer vulnerabilities in serverless functions to abuse AWS Lambda for crypto-mining | ||
awesome-serverless-security / General Application Security Articles, Books | |||
| The Web Application Hacker’s Handbook | A classic book on web application security | ||
| Web Application Defender’s Cookbook | Another classic, covering ModSecurity protections | ||
| XSS (Cross Site Scripting) Attacks, Exploits & Defense | The XSS bible covering all aspects of XSS attacks and protections | ||
| Hacking Exposed - Web Applications | Another classic book on web application security | ||
| Securing DevOps | Tons of real world examples on DevOps and security | ||
awesome-serverless-security / AWS Lambda (General) | |||
| Serverless Architectures on AWS | This book teaches you how to build, secure and manage serverless architectures | ||
| Tips & Tricks for logging and monitoring AWS Lambda Functions | Tips to help you get the most out of your logging and monitoring infrastructure for your functions | ||
awesome-serverless-security / Other Interesting Articles / Web Pages | |||
| Google gVisor | 15,851 | 5 days ago | GitHub repo for Google gVisor project |
| Google gVisor & Google Cloud Functions | A blog post covering Google gVisor and how it is used with Google Cloud Functions | ||
| IBM Cloud Functions - Platform Architecture | OpenWhisk & IBM Cloud Functions overview | ||
hack-with-github/awesome-hacking
bayandin/awesome-awesomeness
enaqx/awesome-pentest
jnv/lists
anaibol/awesome-serverless
0ex/more-awesome
netanmangal/awesome-hacking