Recommended Reading: Serverless Security, Application Security and Other Serverless Related Topics

From time to time, I’m getting asked to recommend books, articles, blog posts or conference talks related to AWS lambda security, serverless security, application security, and security testing. I decided to put my list of recommendations into a blog post, which I will update as new materials become available, or when I spot additional resources.

The main topics I’m referencing to are: General application security, serverless security (AWS Lambda security, Azure Functions security, Google Cloud Functions security, and IBM Cloud Functions security), serverless risks and best practices.

If the list looks half-baked, it’s because it is a work in progress. Shoot me an email if you feel I’ve forgotten anything important.   

AWS Lambda Security:

• Minimizing the attack surface in Serverless: https://www.slideshare.net/avi_shulman/serverless-minimizing-the-attack-surface
• Gone in 60 milliseconds: Offensive security in the serverless age (Rich Jones): https://www.youtube.com/watch?v=byJBR16xUnc 
• Security Best Practices for Serverless Applications: https://www.slideshare.net/AmazonWebServices/security-best-practices-for-serverless-applications-july-2017-aws-online-tech-talks 
• AWS IAM best practices: https://www.slideshare.net/AmazonWebServices/sec305-iam-best-practices-aws-reinvent-2014 
• The Many-Faced Threats to the Serverless World: https://www.slideshare.net/theburningmonk/security-in-serverless-world-96644428 
• Automated SQL Injection Testing of Serverless Functions on a Shoestring Budget (and some Good Music): https://www.puresec.io/blog/automated-sql-injection-testing-of-serverless-functions-on-a-shoestring-budget-and-some-good-music 
• Generating Least Privileged IAM Roles for AWS Lambda Functions – The Easy Way: https://www.puresec.io/blog/generating-least-privileged-iam-roles-for-aws-lambda-functions-the-easy-way
• How to Encrypt Serverless Environment Variable Secrets with KMS: https://www.metaltoad.com/blog/how-to-encrypt-serverless-environment-variable-secrets-with-kms 
• Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store: https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/ 

Azure Functions Security:

• Identity & Secure Resource Access in App Service & Azure Functions: https://www.youtube.com/watch?v=iFDXDQXRJ8Y 
• Secure Azure Functions with JWT access tokens: https://blog.wille-zone.de/post/secure-azure-functions-with-jwt-token/ 

Serverless / Function as a Service (FaaS) Security and serverless risks:

• The Ten Most Critical Risks for Serverless Applications v1.0 (Guide): https://github.com/puresec/sas-top-10
• Securing Serverless (Blog Series): https://www.puresec.io/blog/tag/securing-serverless-blog-series
• Serverless Security: What are we up against? https://www.youtube.com/watch?v=M7wUanfWs1c&t=2s
• Unraveling the truth around serverless security: https://www.youtube.com/watch?v=a5RfAMOrEW0 
• Hacking Serverless Runtimes: Profiling Lambda, Azure and More (presentation): https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf
• Serverless Security & Things that Go Bump in the Night: https://qconnewyork.com/ny2017/system/files/presentation-slides/serverless_security_and_things_that_go_bump_in_the_night_-_qcon_nyc_2017.pdf 
• Go Serverless: Securing Cloud via Serverless Design Patterns (whitepaper): https://www.usenix.org/system/files/conference/hotcloud18/hotcloud18-paper-hong.pdf
• Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda: https://blog.codeship.com/secure-serverless-ci-cd-with-codeship-puresec-and-aws-lambda/ 

General Application Security Articles & Books:

• The Web Application Hacker’s Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/
• Web Application Defender’s Cookbook: https://www.amazon.com/Web-Application-Defenders-Cookbook-Protecting/dp/1118362187/
• XSS (Cross Site Scripting) Attacks, Exploits & Defense: https://www.amazon.com/Attacks-CROSS-SCRIPTING-EXPLOITS-DEFENSE-ebook

AWS Lambda (General):

• Serverless Architectures on AWS: ttps://www.amazon.com/Serverless-Architectures-AWS-examples-Lambda/dp/1617293822/

• Tips & Tricks for logging and monitoring AWS Lambda Functions: https://hackernoon.com/tips-and-tricks-for-logging-and-monitoring-aws-lambda-functions-885af6da29a5

Other Interesting Articles / Web Pages:

• Google gVisor: https://github.com/google/gvisor

• Google gVisor & Google Cloud Functions: https://cloudplatform.googleblog.com/2018/05/Open-sourcing-gVisor-a-sandboxed-container-runtime.html

• IBM Cloud Functions – Platform Architecture: https://console.bluemix.net/docs/openwhisk/openwhisk_about.html#openwhisk_about