AWS Security Best Practices: AWS Lambda Security – Design for Failure

For security experts, the terms “Remote Code Execution” (RCE) or “Arbitrary Code Execution” make the hairs on the back of their necks stand on end. This is because RCE is among the worst-case scenarios of a cyber attack - an attacker that gains RCE on a system will in most ... Read More

AWS Security Best Practices: Config Rules for AWS Lambda Security

AWS Config Overview When it comes to AWS services, in my mind, I generally divide them into two classes. You have the operative services such as Lambda, S3, and the rest of the TLAs starting and ending with the letter “S”, and then the second class of services are helper/utility ... Read More

AWS Lambda Security: Taming Your Open Source Dependencies With FunctionShield

According to a recent survey of 16,000 developers by npm, Inc., 77% of the respondents were concerned with the security of open source software packages ... Read More

Talking Serverless And AWS Lambda Security With Jeff Forristal

Introduction In my previous blog interview with Jeremiah Grossman, I mentioned that throughout the years, I befriended a small group of people with whom every discussion is always intriguing, challenging and truly inspiring. Jeff Forristal is another old acquaintance, for whom I hold the utmost respect. Jeff is an accomplished ... Read More

If It Happened To Facebook…

Earlier today, Facebook released a blog post regarding a recently discovered vulnerability in their platform, which apparently got exploited by attackers. Here's an excerpt from the Facebook blog: ... Read More

Talking Serverless Security With Jeremiah Grossman

I always enjoy talking about application security, whenever I have the chance, and with pretty much anyone. Having said that, throughout the years, I was fortunate enough to befriend a small group of people with whom every discussion is always intriguing, challenging and truly inspiring. Within this group of people, ... Read More

Musings on Serverless and Application Security With Simon Wardley

While traveling home from ServerlessConf in San Francisco, I bumped into Simon Wardley and we engaged in an hour-long discussion on serverless application security. I found the discussion extremely intriguing and thought it would be great to record an informal interview with Simon, and share it with our audience ... Read More

Hacking a Serverless Application (Demo)

In order to demonstrate the security risks and implications of an insecure serverless application, we created an AWS Lambda application that contains a vulnerability, and on top of that, we attached an over-permissive AWS IAM role to the function. The two security issues can be exploited together in order to exfiltrate ... Read More
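The second issue in that demo, the over-permissive execution role, is the one that turns a single bug into data exfiltration. As an added example that is not part of the original post or the demo application it describes, below is a constructed over-permissive Lambda execution role policy beside a least-privilege counterpart, plus a small audit function that flags wildcard grants of the kind the demo relies on. The bucket name, account id, region and function name are placeholders, not values from the page.

```python
import json
from typing import List

# Constructed example of an over-permissive execution role: every action on
# S3, DynamoDB and CloudWatch Logs, on every resource in the account. A
# function with this role that can be tricked into running attacker input can
# read and copy out anything those services hold. (Hypothetical policy.)
OVER_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    ],
})

# Constructed least-privilege counterpart for a function that only reads one
# object prefix and writes to its own log group. Bucket, account id, region and
# function name are placeholders.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-uploads-bucket/incoming/*",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:"
                        "log-group:/aws/lambda/example-fn:*",
        },
    ],
})


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> List[str]:
    """Return one finding per Allow statement element that is a wildcard
    action ('*' or 'service:*') or a wildcard resource ('*').

    An empty list means no wildcard grants were found. This is a deliberately
    narrow check, not a full IAM policy analyser: it does not evaluate Deny
    statements, conditions, or partial wildcards such as 's3:Get*'.
    """
    policy = json.loads(policy_json)
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {index}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {index}: wildcard resource {resource!r}")
    return findings


def is_least_privilege(policy_json: str) -> bool:
    """True when audit_policy() reports nothing."""
    return not audit_policy(policy_json)


if __name__ == "__main__":
    for name, doc in (("over-permissive", OVER_PERMISSIVE_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"{name}: {'PASS' if is_least_privilege(doc) else 'FAIL'}")
        for finding in audit_policy(doc):
            print("  " + finding)
```

The same check is easy to wire into a CI step that runs over the role policies in a deployment template before they ever reach an account; the point is that the role is the blast radius of any code-level bug in the function, so it deserves review on its own.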

Recommended Reading: Serverless Security, Application Security and Other Serverless Related Topics

From time to time, I get asked to recommend books, articles, blog posts or conference talks related to AWS Lambda security, serverless security, application security, and security testing. I decided to put my list of recommendations into a blog post, which I will update as new materials become available, or ... Read More

5 Simple Questions On Serverless Security, That Every CISO Should Be Ready To Answer

There’s no doubt about it - serverless adoption is skyrocketing. The adoption of serverless architectures on major cloud providers like AWS and Microsoft Azure is growing exponentially, at an estimated annual rate of 700%! The benefits of serverless architectures are clear - organizations can innovate quickly and reduce the costs ... Read More