Serverless Security

Risk Mitigation Tools for Serverless

Serverless 4 Tools 28th Aug 2019

10 Common Security Concerns for Serverless

The traditional approach is to secure the network and the servers, but in serverless you control neither the network nor the servers, so the defences have to move to the function, its permissions, its dependencies and its configuration.

10 Common Serverless Security Concerns

PureSec ID  Risk                                                      Tools
SAS01       Data injection                                            Template modelling, PureSec Lambda-Proxy
SAS02       Broken authentication                                     Cognito
SAS03       Insecure deployment configuration                         Source control
SAS04       Over-privileged permissions                               Audits
SAS05       Inadequate monitoring and logging                         CloudTrail
SAS06       Insecure 3rd-party dependencies                           Audits
SAS07       Insecure secrets storage                                  KMS, Secrets Manager
SAS08       Denial of service and denial of wallet                    AWS Shield
SAS09       Execution flow manipulation                               PureSec FunctionShield
SAS10       Improper exception handling and verbose error messages    Security design reviews

‘Dance Like Nobody’s Watching. Encrypt Like Everyone Is’

Werner Vogels



Automated security testing lags behind development and deployment technology, but free open-source tools can improve your defences.

Most of them target JavaScript or Python functions.


PureSec Lambda-Proxy

For testing AWS Lambda functions.


Serverless CLI

Auto-generates least-privilege IAM policies for AWS Lambda functions. Give each function its own IAM role so that a compromised function can only reach the resources it actually needs, reducing the blast radius of an attack.
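As an added example (not code from the page or from PureSec), a small Python audit in the spirit of the SAS04 "Audits" row and the per-function least-privilege point above: it flags wildcard grants in a Lambda execution-role policy and shows why a shared wildcard role has a larger blast radius than a role scoped to one function. The two policy documents, the table name and the account id are constructed samples; real policies fetched from IAM have the same JSON shape.

```python
import fnmatch

# Constructed sample: one shared role reused by every function in the service.
SHARED_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "logs:CreateLogStream",
     "Resource": "arn:aws:logs:eu-west-1:123456789012:*"},
]}

# Constructed sample: a separate role scoped to what one function actually needs.
PER_FUNCTION_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
     "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/orders"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/lambda/orders:*"},
]}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    """Yield (index, actions, resources) for each Allow statement in the policy."""
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            yield i, _as_list(stmt.get("Action", [])), _as_list(stmt.get("Resource", []))


def find_over_privileged(policy):
    """Audit: return (statement index, kind, values) for every wildcard grant."""
    findings = []
    for i, actions, resources in _allow_statements(policy):
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resources = [r for r in resources if r == "*"]
        if wild_actions:
            findings.append((i, "wildcard action", wild_actions))
        if wild_resources:
            findings.append((i, "wildcard resource", wild_resources))
    return findings


def is_allowed(policy, action, resource):
    """Blast-radius check: does any Allow statement grant `action` on `resource`?
    Simplified evaluator: Deny statements and Conditions are ignored."""
    for _, actions, resources in _allow_statements(policy):
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
                any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False
```

Run `find_over_privileged` over each role of a deployed service; any role that reports wildcard grants is a candidate for replacement with a per-function role like the second sample.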


FunctionShield

A free library from Puresec.io for hardening AWS Lambda functions by preventing data leakage.


Nordstrom Artillery

An npm package for stress testing serverless applications.
