A curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.
| Title | Description | Published By | Link |
| ----- | ----------- | ------------ | ---- |
| AWS Lambda Security Best-Practices eBook | PDF eBook covering all the basics, such as the Serverless Top 10, IAM roles & permissions, CloudTrail, AWS Config, API Gateway security, etc. | PureSec | link |
| AWS Lambda Security Quick-Start Guide | A quick-start guide presenting security strategies for AWS Lambda applications | PureSec | link |
| AWS Lambda Security - Design for Failure | Important notes on the importance of IAM permissions for AWS Lambda | PureSec | link |
| Attacking an AWS Account via a Lambda Function | An article on DarkReading describing the attacker's and defender's side of a real serverless bounty hunt | DarkReading | link |
| Minimizing the attack surface in Serverless | Presentation | PureSec | link |
| Gone in 60 milliseconds: Offensive security in the serverless age (Rich Jones) | A must-see | Rich Jones (YouTube) | link |
| Security Best Practices for Serverless Applications (AWS tech talk) | Basic best practices for AWS Lambda | AWS | link |
| AWS IAM best practices (AWS Re:Invent 2014) | Early AWS materials on IAM best practices | AWS | link |
| The Many-Faced Threats to the Serverless World | A classic, covers most of the basic security risks | Yan Cui | link |
| How to Encrypt Serverless Environment Variable Secrets with KMS | Basic secrets handling with KMS | Dylan Tack | link |
| Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store (AWS) | How to use Parameter Store for secrets | AWS | link |
| A Serverless Journey: AWS Lambda under the hood | Great talk on how Lambda works, intro to Firecracker | AWS (Re:Invent 2018 video) | link |
| Security Considerations for AWS Lambda Runtime API and Layers | Things to keep in mind when developing with Layers & the Runtime API | PureSec | link |
| The (AWS) FireCracker Virtual Machine Monitor | An analysis of Firecracker | Azhar Desai | link |
| AWS Lambda Serverless Security Workshop | Learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora (Re:Invent 2018 workshop) | AWS | link |

| Title | Description | Published By | Link |
| ----- | ----------- | ------------ | ---- |
| PureSec Serverless Security Platform | The world's first and most advanced end-to-end serverless security platform | PureSec | link |
| PureSec FunctionShield | A free AWS Lambda security library for developers | PureSec | link |
| Automated SQL Injection Testing of Serverless Functions | An open source proxy for using SQLMap to test AWS Lambda natively | PureSec | link |
| Auto-Generate Least Privileged IAM Roles for AWS Lambda | A Serverless Framework plugin for automatically generating least-privileged roles using static analysis | PureSec | link |
| OWASP ServerlessGoat | A deliberately vulnerable AWS Lambda serverless application | OWASP | link |
| Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda | A step-by-step guide to secure serverless CI/CD | CodeShip & PureSec | link |

| Title | Description | Published By | Link |
| ----- | ----------- | ------------ | ---- |
| TechNet Article: Azure Functions & Serverless Platform Security | Some basics on Azure Functions security | Microsoft | link |
| Run Your Azure Functions from a Package File | Immutable Azure Functions | Microsoft | link |
| Security in Azure App Service & Azure Functions | More basics | Microsoft | link |
| Identity & Secure Resource Access in App Service & Azure Functions | Explores features in App Service and Azure Functions that make working with identities simple (Build Conference) | Microsoft (YouTube) | link |
| Secure Azure Functions with JWT access tokens | Blog post | Boris Wilhelms | link |

| Title | Description | Published By | Link |
| ----- | ----------- | ------------ | ---- |
| The Ten Most Critical Risks for Serverless Applications v1.0 (Guide) | The most comprehensive list of risks to serverless applications | PureSec/Community | link |
| Securing Serverless (Blog Series, by PureSec) | Blog series covering the main differences between securing traditional applications and securing serverless ones | PureSec | link |
| Securing Serverless: A Newbie's Guide (Jeremy Daly) | A terrific newbie's guide | Jeremy Daly | link |
| Serverless Security: What are we up against (Talk) | Conference talk (ServerlessDays) | Ory Segal | link |
| Unraveling the truth around serverless security | A discussion between Rupak Ganguly (Serverless Inc.) and Ory Segal (CTO, PureSec) | Serverless Inc. + PureSec (Webinar) | link |
| Hacking Serverless Runtimes: Profiling Lambda, Azure and More (BlackHat presentation) | Good early insights | Andrew Krug, Graham Jones (BlackHat Conf.) | link |
| Serverless Security & Things that Go Bump in the Night | QCon NYC | Erik Peterson / CloudZero | link |
| Go Serverless: Securing Cloud via Serverless Design Patterns (whitepaper) | Six serverless design patterns to build security services in the cloud | Sanghyun Hong, Abhinav Srivastava, William Shambrook, Tudor Dumitras | link |
| Peeking Behind the Curtains of Serverless Platforms | Provides insights into the architectures, resource utilization, and performance isolation efficiency of AWS Lambda, GCF and Azure Functions (PDF) | Liang Wang, Mengyuan Li, Yinqian Zhang, Thomas Ristenpart, Michael Swift | link |
| Serverless Architectures | THE overview of serverless architectures. This article provides an in-depth look at serverless architecture | Mike Roberts (at MartinFowler.com) | link |

| Title | Description | Published By | Link |
| ----- | ----------- | ------------ | ---- |
| ReDoS in NPM package 'aws-lambda-multipart-parser' | A ReDoS in an NPM package used to attack AWS Lambda applications | PureSec / CVE | link |
| Apache OpenWhisk Action Mutability Weakness | Two vulnerabilities discovered in Apache OpenWhisk (CVEs) | PureSec | link |
| Serverless Crypto-Mining | Exploiting application-layer vulnerabilities in serverless functions to abuse AWS Lambda for crypto-mining | PureSec | link |

| Title | Description | Published By | Link |
| ----- | ----------- | ------------ | ---- |
| The Web Application Hacker's Handbook | A classic book (Book, Amazon) | Dafydd Stuttard, Marcus Pinto | link |
| Web Application Defender's Cookbook (Book, Amazon) | Another classic, covering ModSecurity | Ryan Barnett | link |
| XSS (Cross Site Scripting) Attacks, Exploits & Defense | The XSS bible (Book, Amazon) | Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, Petko D. Petkov | link |
| Hacking Exposed - Web Applications | A classic (Book, Amazon) | Joel Scambray, Vincent Liu, Caleb Sima | link |
| Securing DevOps | Tons of real-world examples (Book, Manning) | Julien Vehent | link |

| Title | Description | Published By | Link |
| ----- | ----------- | ------------ | ---- |
| Serverless Architectures on AWS | Teaches you how to build, secure and manage serverless architectures (Book, Amazon) | Peter Sbarski | link |
| Tips & Tricks for logging and monitoring AWS Lambda Functions | Tips to help you get the most out of your logging and monitoring infrastructure for your functions | Yan Cui | link |

| Title | Description | Published By | Link |
| ----- | ----------- | ------------ | ---- |
| Google gVisor | GitHub repo | Google | link |
| Google gVisor & Google Cloud Functions | Blog post | Google | link |
| IBM Cloud Functions - Platform Architecture | OpenWhisk & IBM Cloud Functions overview | IBM | link |

To the extent possible under law, PureSec has waived all copyright and related or neighboring rights to this work.