Learning Serverless Security

Book description

Despite the increased adoption of serverless computing services around the world, a big gap still exists when it comes to serverless security knowledge and expertise. This gap comes with a steep price: the increased risk of data breaches as more companies store their data in the cloud.

This practical guide covers the offensive and defensive security techniques relevant to auditing and securing serverless applications running on AWS, Azure, and Google Cloud. You'll learn how to attack and defend a variety of vulnerable serverless applications by following step-by-step instructions. By the end of this book, you'll have a solid understanding of how to prevent a variety of serverless application attacks and privilege escalation techniques.

Author Joshua Arvin Lat, chief technology officer at NuWorks Interactive Labs and AWS Machine Learning Hero, shows you how to:

  • Identify and exploit vulnerabilities within modern serverless applications
  • Perform privilege escalation techniques in cloud environments
  • Use automated tools and services for offensive and defensive security
  • Configure authentication and identity services properly on AWS, Azure, and Google Cloud
  • Implement security strategies and best practices to prevent a variety of serverless application attacks
  • Audit serverless environments using a variety of security tools and frameworks

Table of contents

  1. Introduction to Serverless Computing
    1. Demystifying Serverless Computing
    2. Common Myths and Misconceptions on Serverless Computing
      1. Myth # 1: Serverless == FaaS
      2. Myth # 2: Serverless computing and containerization don’t work well together
      3. Myth # 3: Serverless applications only support a limited number of languages
      4. Myth # 4: Serverless applications are difficult to manage
      5. Myth # 5: Serverless applications are immune to security attacks
  2. Understanding Serverless Architectures and Implementation Patterns
    1. Serverless Services in the Public Cloud
      1. Serverless Services on AWS
      2. Serverless Services on Azure
      3. Serverless Services on GCP
    2. Serverless Architectures and Common Implementation Patterns
      1. Serverless Web Applications and APIs
      2. Event-driven Architectures
      3. Serverless Distributed Data Management
      4. Authentication and Authorization in Serverless Applications
      5. Serverless Containers
      6. Serverless Workflow Orchestration
      7. Serverless CI/CD Pipelines
      8. Centralized Logging and Monitoring
    3. Development and Deployment Tools and Frameworks
      1. Command Line Tools
      2. SDKs
      3. Frameworks
      4. IaC Tools
  3. Getting Started with Serverless Security
    1. Introduction to Serverless Security
    2. Understanding How Identity and Access Management works in the Cloud
      1. AWS
      2. Azure
      3. GCP
    3. Attack Chains on Serverless Applications
    4. Guidelines for performing Penetration Tests in the Cloud
    5. Summary
  4. Diving Deeper into Serverless Security Threats and Risks
    1. Leaked Credentials
    2. Over-Privileged Permissions & Roles
    3. Broken Authentication
    4. Insecure VPC Network Configuration
    5. Credentials Exfiltration
    6. Injection
    7. Vulnerable App Dependencies
    8. Security Misconfiguration and Insecure Defaults
    9. Insecure Deserialization
    10. Denial of Service & Denial of Wallet
    11. Insecure Storage of Credentials and Secret Keys
    12. Insufficient Tracing, Logging, Monitoring, and Alerting
    13. Business Logic Vulnerabilities
    14. Serverless Security Mechanism Limitations
    15. Summary
  5. Understanding how Serverless Functions Work
    1. Creating our first Serverless Function
    2. How Serverless Functions are used in Modern Applications
    3. Summary
  6. Hacking Serverless Functions
    1. Considerations when attacking Serverless Functions
    2. How Serverless Functions can be attacked
    3. Summary
  7. Securing Serverless Functions
    1. Diving deeper into how the attack on the Serverless Function was performed
    2. How the attack could have been prevented
    3. Strategies to secure Serverless Functions on AWS
    4. Strategies to secure Serverless Functions on Azure
    5. Strategies to secure Serverless Functions on GCP
  8. Understanding how Authentication and Identity Services Work
    1. How Authentication and Identity Services are used in Modern Applications
    2. Considerations when attacking Misconfigured Authentication and Identity Services
    3. How Misconfigured Authentication and Identity Services can be attacked
  9. About the Author

Product information

  • Title: Learning Serverless Security
  • Author(s): Joshua Arvin Lat
  • Release date: December 2025
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781098149017