awesome-serverless-security
Source: github.com/puresec/awesome-serverless-security
A curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.
What's inside
Vulnerabilities, Weaknesses, CVEs
- Apache OpenWhisk Action Mutability Weakness
Two vulnerabilities disclosed in Apache OpenWhisk: an action running inside its container could overwrite its own code, and the modified code persisted into later invocations served by that warm container (action mutability).
- ReDoS in NPM package aws-lambda-multipart-parser
A regular-expression denial of service (ReDoS) in an NPM package that parses multipart form data for AWS Lambda functions: a crafted request body keeps the function busy until it times out, and the caller pays for the execution time.
- Serverless Crypto-Mining
Exploiting application-layer vulnerabilities in serverless functions to abuse AWS Lambda compute for crypto-mining.
AWS Lambda Security
- A Serverless Journey: AWS Lambda under the hood
AWS re:Invent 2018 talk on how Lambda works under the hood, including an introduction to the Firecracker microVM that isolates function sandboxes.
- Attacking an AWS Account via a Lambda Function
An article from DarkReading describing both the attacker's and the defender's side of a real serverless bug-bounty engagement.
- AWS IAM best practices
Early AWS materials on IAM best practices.
- AWS Lambda Security Best-Practices eBook
PDF eBook covering all the basics such as: Serverless Top 10, IAM roles & permissions, CloudTrail, AWS Config, API Gateway security.
- AWS Lambda Security - Design for Failure
Notes on the importance of IAM permissions for AWS Lambda.
- AWS Lambda Security Quick-Start Guide
A quick-start guide outlining security strategies for AWS Lambda applications.
Security Tools / Solutions
- Auto-Generate Least Privileged IAM Roles for AWS Lambda
A Serverless Framework plugin that generates least-privilege IAM roles by statically analysing each function's code for the AWS SDK calls it actually makes.
- Automated SQL Injection Testing of Serverless Functions
An open source proxy that lets SQLMap run its SQL injection tests directly against AWS Lambda functions.
- OWASP ServerlessGoat
A vulnerable AWS Lambda serverless application.
- PureSec Serverless Security Platform
PureSec's end-to-end serverless security platform.
- Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda
A step by step guide for secure serverless CI/CD.
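The least-privilege plugin above works by reading the function's code rather than asking the developer for a permission list, which is also the point the "Design for Failure" notes make: a Lambda role should contain only the actions the handler calls. The following is an added example, not the plugin's own code. It scans a constructed AWS SDK v2 handler for client constructors and method calls, maps them to IAM actions, and emits one statement per service; the resource ARNs are supplied by the deployer (an assumption here, so that the generator never falls back to `*`).

```javascript
// Added example: derive a least-privilege IAM policy from a Lambda handler's source.
// HANDLER_SOURCE and EXAMPLE_ARNS are constructed for this example.
const HANDLER_SOURCE = `
const AWS = require('aws-sdk');
const ddb = new AWS.DynamoDB.DocumentClient();
const s3 = new AWS.S3();
exports.handler = async (event) => {
  const item = await ddb.get({ TableName: process.env.TABLE, Key: { id: event.id } }).promise();
  await s3.putObject({ Bucket: process.env.BUCKET, Key: event.id, Body: JSON.stringify(item) }).promise();
  return item;
};
`;

// Resource ARNs the deployer knows at packaging time (assumption for this example).
const EXAMPLE_ARNS = {
  dynamodb: ['arn:aws:dynamodb:us-east-1:123456789012:table/Items'],
  s3: ['arn:aws:s3:::example-bucket/*'],
};

// SDK v2 client class -> IAM service prefix (subset; extend as needed).
const SERVICE_PREFIX = { DynamoDB: 'dynamodb', S3: 's3', SNS: 'sns', SQS: 'sqs', Lambda: 'lambda' };
// DocumentClient method names differ from the underlying DynamoDB API actions.
const DOCUMENT_CLIENT_ACTIONS = {
  get: 'GetItem', put: 'PutItem', delete: 'DeleteItem', update: 'UpdateItem',
  query: 'Query', scan: 'Scan', batchGet: 'BatchGetItem', batchWrite: 'BatchWriteItem',
};

// Find `const x = new AWS.Service(...)` and `new AWS.Service.Sub(...)` bindings.
function findClients(source) {
  const re = /(?:const|let|var)\s+(\w+)\s*=\s*new\s+AWS\.(\w+)(?:\.(\w+))?\s*\(/g;
  const clients = {};
  let m;
  while ((m = re.exec(source)) !== null) {
    clients[m[1]] = { service: m[2], sub: m[3] || null };
  }
  return clients;
}

// Map a client method call to an IAM action; null when the service is unknown.
function methodToAction(client, method) {
  if (client.service === 'DynamoDB' && client.sub === 'DocumentClient') {
    const op = DOCUMENT_CLIENT_ACTIONS[method];
    return op ? `dynamodb:${op}` : null;
  }
  const prefix = SERVICE_PREFIX[client.service];
  if (!prefix) return null;
  return `${prefix}:${method[0].toUpperCase()}${method.slice(1)}`;
}

// Collect the sorted, de-duplicated set of IAM actions the handler needs.
function inferActions(source) {
  const clients = findClients(source);
  const actions = new Set();
  for (const [name, client] of Object.entries(clients)) {
    const callRe = new RegExp(`\\b${name}\\.(\\w+)\\s*\\(`, 'g');
    let m;
    while ((m = callRe.exec(source)) !== null) {
      const action = methodToAction(client, m[1]);
      if (action) actions.add(action);
    }
  }
  return [...actions].sort();
}

// Build the policy document, one Allow statement per service, scoped to known ARNs.
function buildPolicy(source, resourceArns) {
  const byService = {};
  for (const action of inferActions(source)) {
    const svc = action.split(':')[0];
    (byService[svc] = byService[svc] || []).push(action);
  }
  const Statement = Object.entries(byService).map(([svc, Action]) => {
    const Resource = resourceArns[svc];
    if (!Resource) throw new Error(`no resource ARN configured for ${svc}; refusing to emit "*"`);
    return { Effect: 'Allow', Action, Resource };
  });
  return { Version: '2012-10-17', Statement };
}

console.log(JSON.stringify(buildPolicy(HANDLER_SOURCE, EXAMPLE_ARNS), null, 2));
```

For the constructed handler this yields `dynamodb:GetItem` on the table and `s3:PutObject` on the bucket prefix and nothing else; a handler that reaches a service with no configured ARN fails packaging instead of silently getting a wildcard resource.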
Azure Functions Security
- Azure Functions & Serverless Platform Security
An introduction to Azure Functions and serverless platform security.
- Identity & Secure Resource Access in App Service & Azure Functions
Microsoft Build conference session on the features of App Service and Azure Functions that simplify working with identities and accessing resources securely.
- Run Your Azure Functions from a Package File
Deploying Azure Functions from a package file, so the deployed code is mounted read-only and cannot be modified in place.
- Secure Azure Functions with JWT access tokens
A blog post on validating JWT access tokens in Azure Functions.
- Security in Azure App Service & Azure Functions
Further basic security concepts for App Service and Azure Functions.
Serverless Risks / General
- CSA: The 12 Most Critical Risks for Serverless Applications 2019
The most extensive guide on the top risks for serverless applications (Cloud Security Alliance & PureSec).
- Hacking Serverless Runtimes
Black Hat USA 2017 presentation with early insights into attacking serverless runtimes.
- Peeking Behind the Curtains of Serverless Platforms
Research paper providing insights into the architectures, resource utilization and performance isolation of AWS Lambda, Google Cloud Functions and Azure Functions.
- Securing Cloud via Serverless Design Patterns
Six serverless design patterns to build security services in the cloud.
- Securing Serverless: A Newbie's Guide
A terrific newbie's guide by Jeremy Daly.
- Securing serverless blog series
Blog series covering the main differences between securing traditional applications and securing serverless ones.
Google Cloud Functions Security
- Function Identity
Documentation for Google Cloud Functions IAM and per-function identity.
Other Interesting Articles / Web Pages
- Google gVisor
GitHub repository for gVisor, Google's user-space application kernel for sandboxing containers.
- Google gVisor & Google Cloud Functions
A blog post covering Google gVisor and how it is used with Google Cloud Functions.
- IBM Cloud Functions - Platform Architecture
OpenWhisk & IBM Cloud Functions overview.
General Application Security Articles, Books
- Hacking Exposed - Web Applications
A classic book on web application attacks and countermeasures.
- Securing DevOps
Tons of real world examples on DevOps and security.
- The Web Application Hacker’s Handbook
A classic book on web application security.
- Web Application Defender’s Cookbook
Another classic, covering defenses built on ModSecurity.
- XSS (Cross Site Scripting) Attacks, Exploits & Defense
The XSS bible covering all aspects of XSS attacks and protections.
Showing a sample of 49 resources. The full list is on GitHub.