Latest commit dfc741b, Jan 13, 2019

# 🔒 awesome-serverless-security

A curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.

## Contents

- [AWS Lambda Security](#aws-lambda-security)
- [Security Tools / Solutions](#security-tools--solutions)
- [Azure Functions Security](#azure-functions-security)
- [Serverless Risks / General](#serverless-risks--general)
- [Vulnerabilities, Weaknesses, CVEs](#vulnerabilities-weaknesses-cves)
- [General Application Security Articles, Books](#general-application-security-articles-books)
- [AWS Lambda (General)](#aws-lambda-general)
- [Other Interesting Articles / Web Pages](#other-interesting-articles--web-pages)
- [License](#license)

## AWS Lambda Security

| Title | Description | Published By | Link |
|---|---|---|---|
| AWS Lambda Security Best-Practices eBook | PDF eBook covering all the basics such as: Serverless Top 10, IAM roles & permissions, CloudTrail, AWS Config, API Gateway security, etc. | PureSec | link |
| AWS Lambda Security Quick-Start Guide | A quick start guide portraying security strategies for AWS Lambda applications | PureSec | link |
| AWS Lambda Security - Design for Failure | Important notes on the importance of IAM permissions for AWS Lambda | PureSec | link |
| Attacking an AWS Account via a Lambda Function | An article on DarkReading describing the attacker's and defender's sides of a real serverless bounty hunt | DarkReading | link |
| Minimizing the attack surface in Serverless | Presentation | PureSec | link |
| Gone in 60 milliseconds: Offensive security in the serverless age (Rich Jones) | A must-see | Rich Jones (YouTube) | link |
| Security Best Practices for Serverless Applications (AWS tech talk) | Basic best-practices for AWS Lambda | AWS | link |
| AWS IAM best practices (AWS Re:Invent 2014) | Early AWS materials on IAM best practices | AWS | link |
| The Many-Faced Threats to the Serverless World | A classic, covers most of the basic security risks | Yan Cui | link |
| How to Encrypt Serverless Environment Variable Secrets with KMS | Basic secrets handling with KMS | Dylan Tack | link |
| Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store (AWS) | How to use Parameter Store for secrets | AWS | link |
| A Serverless Journey: AWS Lambda under the hood | Great talk on how Lambda works, intro to Firecracker | AWS (Re:Invent 2018 video) | link |
| Security Considerations for AWS Lambda Runtime API and Layers | Things to keep in mind when developing with Layers & Runtime API | PureSec | link |
| The (AWS) FireCracker Virtual Machine Monitor | An analysis of Firecracker | Azhar Desai | link |
| AWS Lambda Serverless Security Workshop | Learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora (Re:Invent 2018 workshop) | AWS | link |

## Security Tools / Solutions

| Title | Description | Published By | Link |
|---|---|---|---|
| PureSec Serverless Security Platform | The world's first and most advanced end-to-end serverless security platform | PureSec | link |
| PureSec FunctionShield | A free AWS Lambda security library for developers | PureSec | link |
| Automated SQL Injection Testing of Serverless Functions | An open source proxy for using SQLMap to test AWS Lambda, natively | PureSec | link |
| Auto-Generate Least Privileged IAM Roles for AWS Lambda | A Serverless framework plugin for automatically generating least privileged roles using static analysis | PureSec | link |
| OWASP ServerlessGoat | A vulnerable AWS Lambda serverless application | OWASP | link |
| Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda | A step by step guide for secure serverless CI/CD | CodeShip & PureSec | link |

## Azure Functions Security

| Title | Description | Published By | Link |
|---|---|---|---|
| TechNet Article: Azure Functions & Serverless Platform Security | Some basics on Azure Functions security | Microsoft | link |
| Run Your Azure Functions from a Package File | Immutable Azure Functions | Microsoft | link |
| Security in Azure App Service & Azure Functions | More basics | Microsoft | link |
| Identity & Secure Resource Access in App Service & Azure Functions | Explores features in App Service or Azure Functions which make working with identities simple (Build Conference) | Microsoft (YouTube) | link |
| Secure Azure Functions with JWT access tokens | Blog post | Boris Wilhelms | link |

## Serverless Risks / General

| Title | Description | Published By | Link |
|---|---|---|---|
| The Ten Most Critical Risks for Serverless Applications v1.0 (Guide) | The most comprehensive list of risks to serverless applications | PureSec/Community | link |
| Securing Serverless (Blog Series, by PureSec) | Blog series covering the main differences between securing traditional applications and securing serverless ones | PureSec | link |
| Securing Serverless: A Newbie's Guide (Jeremy Daly) | A terrific newbie's guide | Jeremy Daly | link |
| Serverless Security: What are we up against (Talk) | Conference talk (ServerlessDays) | Ory Segal | link |
| Unraveling the truth around serverless security | A discussion between Rupak Ganguly (Serverless Inc.) and Ory Segal (CTO, PureSec) | Serverless Inc + PureSec (Webinar) | link |
| Hacking Serverless Runtimes: Profiling Lambda, Azure and More (BlackHat presentation) | Good early insights | Andrew Krug, Graham Jones (BlackHat Conf.) | link |
| Serverless Security & Things that Go Bump in the Night | QCon NYC | Erik Peterson / CloudZero | link |
| Go Serverless: Securing Cloud via Serverless Design Patterns (whitepaper) | Six serverless design patterns to build security services in the cloud | Sanghyun Hong, Abhinav Srivastava, William Shambrook, Tudor Dumitras | link |
| Peeking Behind the Curtains of Serverless Platforms | Provides insights into architectures, resource utilization, and the performance isolation efficiency of AWS Lambda, GCF and Azure Functions (pdf) | Liang Wang, Mengyuan Li, Yinqian Zhang, Thomas Ristenpart, Michael Swift | link |
| Serverless Architectures | THE overview of serverless architectures; an in-depth look at the topic | Mike Roberts (at MartinFowler.com) | link |

## Vulnerabilities, Weaknesses, CVEs

| Title | Description | Published By | Link |
|---|---|---|---|
| ReDoS in NPM package 'aws-lambda-multipart-parser' | A ReDoS in an NPM package used to attack AWS Lambda applications | PureSec / CVE | link |
| Apache OpenWhisk Action Mutability Weakness | 2 vulnerabilities discovered in Apache OpenWhisk (CVEs) | PureSec | link |
| Serverless Crypto-Mining | Exploiting app layer vulnerabilities in serverless functions to abuse AWS Lambda for crypto-mining | PureSec | link |

## General Application Security Articles, Books

| Title | Description | Published By | Link |
|---|---|---|---|
| The Web Application Hacker's Handbook | A classic book (Book, Amazon) | Dafydd Stuttard, Marcus Pinto | link |
| Web Application Defender's Cookbook (Book, Amazon) | Another classic, covering ModSecurity | Ryan Barnett | link |
| XSS (Cross Site Scripting) Attacks, Exploits & Defense | The XSS bible (Book, Amazon) | Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, Petko D. Petkov | link |
| Hacking Exposed - Web Applications | A classic (Book, Amazon) | Joel Scambray, Vincent Liu, Caleb Sima | link |
| Securing DevOps | Tons of real world examples (Book, Manning) | Julien Vehent | link |

## AWS Lambda (General)

| Title | Description | Published By | Link |
|---|---|---|---|
| Serverless Architectures on AWS | Teaches you how to build, secure and manage serverless architectures (Book, Amazon) | Peter Sbarski | link |
| Tips & Tricks for logging and monitoring AWS Lambda Functions | Tips to help you get the most out of your logging and monitoring infrastructure for your functions | Yan Cui | link |

## Other Interesting Articles / Web Pages

| Title | Description | Published By | Link |
|---|---|---|---|
| Google gVisor | GitHub repo | Google | link |
| Google gVisor & Google Cloud Functions | Blog post | Google | link |
| IBM Cloud Functions - Platform Architecture | OpenWhisk & IBM Cloud Functions overview | IBM | link |

## License

CC0

To the extent possible under law, PureSec has waived all copyright and related or neighboring rights to this work.