{"id":13449182,"url":"https://github.com/puresec/awesome-serverless-security","last_synced_at":"2026-01-27T01:04:00.447Z","repository":{"id":38206110,"uuid":"165110213","full_name":"puresec/awesome-serverless-security","owner":"puresec","description":"A curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.","archived":false,"fork":false,"pushed_at":"2022-05-05T06:10:36.000Z","size":150,"stargazers_count":606,"open_issues_count":4,"forks_count":93,"subscribers_count":35,"default_branch":"master","last_synced_at":"2025-03-18T04:01:44.681Z","etag":null,"topics":["awesome","aws-lambda","azure-function-apps","google-cloud-functions","ibm-cloud-functions","security","serverless-applications","serverless-architectures"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/puresec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-01-10T18:25:35.000Z","updated_at":"2025-03-06T04:36:20.000Z","dependencies_parsed_at":"2022-07-14T11:30:45.408Z","dependency_job_id":null,"html_url":"https://github.com/puresec/awesome-serverless-security","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/puresec%2Fawesome-serverless-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/puresec%2Fawesome-serverless-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/puresec%2Fawesome-serverless-security/releases","manifests_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/puresec%2Fawesome-serverless-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/puresec","download_url":"https://codeload.github.com/puresec/awesome-serverless-security/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245028943,"owners_count":20549623,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["awesome","aws-lambda","azure-function-apps","google-cloud-functions","ibm-cloud-functions","security","serverless-applications","serverless-architectures"],"created_at":"2024-07-31T06:00:32.920Z","updated_at":"2026-01-27T01:04:00.294Z","avatar_url":"https://github.com/puresec.png","language":null,"readme":"# :lock: awesome-serverless-security [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)\nA curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.\n\n## Contents\n- [AWS Lambda Security](#aws-lambda-security)\n- [Security Tools / Solutions](#security-tools--solutions)\n- [Azure Functions Security](#azure-functions-security)\n- [Google Cloud Functions Security](#google-cloud-functions-security)\n- [Serverless Risks / General](#serverless-risks--general)\n- [Vulnerabilities, Weaknesses, CVEs](#vulnerabilities-weaknesses-cves)\n- [General Application Security Articles, Books](#general-application-security-articles-books)\n- [AWS Lambda (General)](#aws-lambda-general)\n- [Other Interesting Articles / Web 
Pages](#other-interesting-articles--web-pages)\n## AWS Lambda Security\n- [AWS Lambda Security Best-Practices eBook](https://www.puresec.io/aws-lambda-security-best-practices) - PDF eBook covering all the basics such as: Serverless Top 10, IAM roles \u0026 permissions, CloudTrail, AWS Config, API Gateway security. \n- [Foundations of AWS Lambda Security](https://www.puresec.io/on-demand-foundations-of-aws-lambda-security) - Webinar recording covering AWS Lambda security basics, IAM permissions, scalability, governance. \n- [AWS Lambda Security Quick-Start Guide](https://www.puresec.io/blog/aws-lambda-security-quick-guide) - A quick-start guide outlining security strategies for AWS Lambda applications. \n- [AWS Lambda Security - Design for Failure](https://www.puresec.io/blog/aws-security-best-practices-aws-lambda-security-design-for-failure) - Notes on the importance of IAM permissions for AWS Lambda. \n- [Attacking an AWS Account via a Lambda Function](https://www.darkreading.com/cloud/securing-serverless-attacking-an-aws-account-via-a-lambda-function/a/d-id/1333047) - An article from DarkReading describing the attacker's and defender's sides of a real serverless bounty hunt. \n- [Minimizing the attack surface in Serverless](https://www.slideshare.net/avi_shulman/serverless-minimizing-the-attack-surface) - Presentation covering the basics of serverless attack surfaces. \n- [Gone in 60 milliseconds: Offensive security in the serverless age](https://www.youtube.com/watch?v=byJBR16xUnc) - A presentation video showing attack vectors using cloud event sources and exploitable weaknesses in common serverless patterns and frameworks. \n- [Security Best Practices for Serverless Applications](https://www.slideshare.net/AmazonWebServices/security-best-practices-for-serverless-applications-july-2017-aws-online-tech-talks) - Basic best practices for AWS Lambda. 
\n- [AWS IAM best practices](https://www.slideshare.net/AmazonWebServices/sec305-iam-best-practices-aws-reinvent-2014) - Early AWS materials on IAM best practices. \n- [The Many-Faced Threats to the Serverless World](https://www.slideshare.net/theburningmonk/security-in-serverless-world-96644428) - An article covering most of the basic security risks.\n- [How to Encrypt Serverless Environment Variable Secrets with KMS](https://www.metaltoad.com/blog/how-to-encrypt-serverless-environment-variable-secrets-with-kms) - Fundamentals of secrets handling with AWS KMS. \n- [Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store](https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/) - How to use Parameter Store for secrets. \n- [A Serverless Journey: AWS Lambda under the hood](https://www.youtube.com/watch?v=QdzV04T_kec) - Great talk on how Lambda works, with an introduction to Firecracker. \n- [Security Considerations for AWS Lambda Runtime API and Layers](https://www.puresec.io/blog/aws-lambda-security-considerations-runtime-api-and-layers) - A blog post on what to keep in mind when developing with Layers \u0026 the Runtime API. \n- [The FireCracker Virtual Machine Monitor](https://lwn.net/Articles/775736/) - An analysis of AWS Firecracker. \n- [AWS Lambda Serverless Security Workshop](https://github.com/aws-samples/aws-serverless-security-workshop) - Learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora (re:Invent 2018 workshop).\n## Security Tools / Solutions\n- [PureSec Serverless Security Platform](https://www.puresec.io/product) - The world's first and most advanced end-to-end serverless security platform. 
\n- [PureSec FunctionShield](https://www.puresec.io/function-shield) - A free security library for developers on AWS Lambda and Google Cloud Functions.\n- [Automated SQL Injection Testing of Serverless Functions](https://www.puresec.io/blog/automated-sql-injection-testing-of-serverless-functions-on-a-shoestring-budget-and-some-good-music) - An open-source proxy for running SQLMap against AWS Lambda functions natively.\n- [Auto-Generate Least Privileged IAM Roles for AWS Lambda](https://www.puresec.io/blog/generating-least-privileged-iam-roles-for-aws-lambda-functions-the-easy-way) - A Serverless Framework plugin for automatically generating least-privileged roles using static analysis. \n- [OWASP ServerlessGoat](https://www.owasp.org/index.php/OWASP_Serverless_Goat) - A deliberately vulnerable AWS Lambda serverless application. \n- [Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda](https://blog.codeship.com/secure-serverless-ci-cd-with-codeship-puresec-and-aws-lambda/) - A step-by-step guide to secure serverless CI/CD.\n## Azure Functions Security\n- [Azure Functions \u0026 Serverless Platform Security](https://gallery.technet.microsoft.com/Azure-Functions-and-c6449f8d) - Some basics on Azure Functions security. \n- [Run Your Azure Functions from a Package File](https://docs.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package) - Deploying immutable Azure Functions. \n- [Security in Azure App Service \u0026 Azure Functions](https://docs.microsoft.com/en-us/azure/app-service/app-service-security) - More basic concepts for Azure Functions. \n- [Identity \u0026 Secure Resource Access in App Service \u0026 Azure Functions](https://www.youtube.com/watch?v=iFDXDQXRJ8Y) - Explores features in App Service and Azure Functions that make working with identities simple (Build Conference). 
\n- [Secure Azure Functions with JWT access tokens](https://blog.wille-zone.de/post/secure-azure-functions-with-jwt-token/) - A blog post on how to use JWT access tokens with Azure Functions.\n## Google Cloud Functions Security\n- [Function Identity](https://cloud.google.com/functions/docs/securing/function-identity) - Documentation for Google Cloud Functions IAM and per-function identity.\n## Serverless Risks / General\n- [CSA: The 12 Most Critical Risks for Serverless Applications 2019](https://www.puresec.io/serverless-security-top-12-csa-puresec) - The most extensive guide on the top risks for serverless applications (Cloud Security Alliance \u0026 PureSec).\n- [Securing serverless blog series](https://www.puresec.io/blog/tag/securing-serverless-blog-series) - Blog series covering the main differences between securing traditional applications and securing serverless ones. \n- [Securing Serverless: A Newbie's Guide](https://www.jeremydaly.com/securing-serverless-a-newbies-guide/) - A terrific newbie's guide by Jeremy Daly. \n- [Serverless Security: What are we up against](https://www.youtube.com/watch?v=M7wUanfWs1c\u0026t=2s) - A conference talk from ServerlessDays covering serverless security basics. \n- [Hacking Serverless Runtimes](https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf) - Good early-insights presentation from the Black Hat 2017 conference.\n- [Serverless Security and Things that Go Bump in the Night](https://qconnewyork.com/ny2017/system/files/presentation-slides/serverless_security_and_things_that_go_bump_in_the_night_-_qcon_nyc_2017.pdf) - QCon NYC presentation by Silvexis covering security basics for serverless.\n- [Securing Cloud via Serverless Design Patterns](https://www.usenix.org/system/files/conference/hotcloud18/hotcloud18-paper-hong.pdf) - Six serverless design patterns for building security services in the cloud. 
\n- [Peeking Behind the Curtains of Serverless Platforms](https://www.usenix.org/system/files/conference/atc18/atc18-wang-liang.pdf) - Provides insights into the architectures, resource utilization, and performance-isolation efficiency of AWS Lambda, GCF and Azure Functions.\n- [Serverless Architectures](https://martinfowler.com/articles/serverless.html) - The best overview of serverless architectures, with an in-depth look at the pattern. \n## Vulnerabilities, Weaknesses, CVEs\n- [ReDoS in NPM package aws-lambda-multipart-parser](https://www.puresec.io/blog/redos-vulnerability-in-aws-lambda-multipart-parser-node-package) - A regular-expression denial of service (ReDoS) vulnerability in an NPM package for AWS Lambda functions. \n- [Apache OpenWhisk Action Mutability Weakness](https://www.puresec.io/blog/apache_openwhisk_mutability_weakness) - Two vulnerabilities discovered in Apache OpenWhisk.\n- [Serverless Crypto-Mining](https://www.puresec.io/blog/new-attack-vector-serverless-crypto-mining) - Exploiting application-layer vulnerabilities in serverless functions to abuse AWS Lambda for crypto-mining.\n## General Application Security Articles, Books\n- [The Web Application Hacker’s Handbook](https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/) - A classic book on web application security.\n- [Web Application Defender’s Cookbook](https://www.amazon.com/Web-Application-Defenders-Cookbook-Protecting/dp/1118362187/) - Another classic, covering ModSecurity protections. 
\n- [XSS (Cross Site Scripting) Attacks, Exploits \u0026 Defense](https://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/) - The XSS bible, covering all aspects of XSS attacks and protections.\n- [Hacking Exposed - Web Applications](https://www.amazon.com/Hacking-Exposed-Web-Applications-Third/dp/0071740643) - Another classic book on web application security.\n- [Securing DevOps](https://www.manning.com/books/securing-devops?a_aid=securingdevops\u0026a_bid=1353bcd8) - Tons of real-world examples of DevOps and security.\n## AWS Lambda (General)\n- [Serverless Architectures on AWS](https://www.amazon.com/Serverless-Architectures-AWS-examples-Lambda/dp/1617293822/) - This book teaches you how to build, secure and manage serverless architectures.\n- [Tips \u0026 Tricks for logging and monitoring AWS Lambda Functions](https://hackernoon.com/tips-and-tricks-for-logging-and-monitoring-aws-lambda-functions-885af6da29a5) - Tips to help you get the most out of the logging and monitoring infrastructure for your functions.\n## Other Interesting Articles / Web Pages\n- [Google gVisor](https://github.com/google/gvisor) - GitHub repo for the Google gVisor project. \n- [Google gVisor \u0026 Google Cloud Functions](https://cloudplatform.googleblog.com/2018/05/Open-sourcing-gVisor-a-sandboxed-container-runtime.html) - A blog post covering Google gVisor and how it is used with Google Cloud Functions.\n- [IBM Cloud Functions - Platform Architecture](https://console.bluemix.net/docs/openwhisk/openwhisk_about.html#openwhisk_about) - OpenWhisk \u0026 IBM Cloud Functions overview. 
\n## License\n[![CC0](http://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg)](https://creativecommons.org/publicdomain/zero/1.0/)\nTo the extent possible under law, [PureSec](https://www.puresec.io) has waived all copyright and related or neighboring rights to this work.\n","funding_links":[],"categories":["Others","\u003ca id=\"a4ee2f4d4a944b54b2246c72c037cd2e\"\u003e\u003c/a\u003e收集\u0026\u0026集合","Technical","\u003ca id=\"e97d183e67fa3f530e7d0e7e8c33ee62\"\u003e\u003c/a\u003e未分类","Other Recommended Lists","Other Lists","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集","Education Best Practices","Web","Security"],"sub_categories":["\u003ca id=\"e97d183e67fa3f530e7d0e7e8c33ee62\"\u003e\u003c/a\u003e未分类","awesome-*","\u003ca id=\"f110da0bf67359d3abc62b27d717e55e\"\u003e\u003c/a\u003e新添加的","TeX Lists","Secure OSes"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpuresec%2Fawesome-serverless-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpuresec%2Fawesome-serverless-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpuresec%2Fawesome-serverless-security/lists"}