
The Serverless Framework supports numerous plugins — and they are great! They save so much time in deploying our serverless applications. Why reinvent the wheel? This convenience comes with a downside: not all plugins are written securely. We must choose our plugins wisely, which means we should inspect the source code.

What are Serverless Framework plugins?

The Serverless Framework allows us to use plugins (or create one) that hook into the lifecycle events during the deploy process. We can hook into the “before:deploy:deploy” event to set up files and variables before the deploy begins. We can hook into the “deploy:finalize” event to save some information about the deployment. …


The days of having one email address are over. We are putting all our eggs in one basket by having one address. If someone hacks that account, we could be in big trouble.

Guessing An Email Address

Guessing an email address can be easy. We can guess an email address by trying any of the following:


What is the chance you have this email address?

Social Media Accounts

We often post too much information on social media accounts. We post our name, location, recent activity, links, and more. Someone can use this information to deduce information. They can guess an email address, figure out security questions, or even take it over. …


A few friends and I chat about stocks, share ideas, and encourage each other. A few months ago, I realized we needed some automation to help us find winners. I chose to use a serverless solution to build this system.

There are many good stocks and finding them takes time. We can find them by reading articles, using stock tools, getting tips from Twitter, and many other ways. With so many ways to find stock candidates, we needed to define the process.

Finding a Screener

We decided was a good source to start our automation. One of our team members is a good stock analyst. …


When I started working with the Serverless Framework, I was curious about the security aspect. Previously, I was an information assurance (IA) engineer working on cybersecurity for US government military systems, and I had become accustomed to using well-defined processes and requirements as an IA engineer.

The systems we were securing were part of a vast network of other systems with strict IA requirements. The threats seemed limited, and implementing cybersecurity, in many cases, meant following a list of checklists and requirements. But cybersecurity in the world of serverless development was a new frontier.

The more I worked with serverless, the more I wondered about its cybersecurity. Cybersecurity with serverless projects seemed to lack the oversight that I experienced in the IA world. The team could release a serverless application without addressing security. I searched for serverless security and found limited information. I did find some helpful documents on the top serverless security risks and well-written blog posts about specific topics. I was looking for a book that provided an overview of serverless security and guidance on approaching it. …

Do your serverless deployments go like this?

It’s so easy to quickly deploy serverless resources. Because of this, we should follow best practices to protect our resources, applications, and cloud service provider accounts. Here are some best practices for you to consider.

1. Keep Functions Small

A serverless function should perform a specific function. Just as a function or method in any code should do one thing (e.g., increment a counter, transform data, etc.), a serverless function should perform a logical function. For example, you would create one serverless function for validating a login, another for validating a login session, and another for deactivating a login session. …


For a couple of weeks, I have been pondering whether my browser extensions could be a source of vulnerabilities. It turns out they can!

A couple of days ago, I received a notification from the Microsoft Edge browser warning me about malware in one of my extensions: The Great Suspender.

Recommendation for powering an Amazon FireTV Device

Amazon Fire TV devices are pretty nice, but there is the risk they listen to you. In this super short article, I will share how you can minimize the amount of time this device (or a similar device) can listen to you.

  1. Buy an eco-friendly power strip that controls other outlets.
  2. Connect your TV to the master (or control) outlet. This outlet will control when power is delivered to the dependent (or energy saving) outlets.
  3. Connect your Fire TV (or similar device) to the dependent outlet.

Now the Fire TV will only power on when you are watching TV.

BONUS #1: You can unplug the Fire TV USB port when you’re done watching and reconnect it when you want to watch. I suggest doing this because you may not always use your Fire TV when you watch TV. Surprisingly, I still use DVDs and Blu-ray discs. …


Serverless environments are growing in popularity because they reduce overhead and costs. But do they necessarily improve your application’s security? Well, for a start, there are a lot fewer vulnerabilities to exploit. Let’s dig in and explore this a little more.

Serverless environments allow you to build applications without needing to manage and use servers. They allow you to upload your code without worrying about how to configure a server, installing the runtime environment, applying patches, setting up the networking, and identifying all the other tasks needed to run said code. Sounds too good to be true? Wait, there’s more!

Serverless environments can potentially reduce your application’s attack surface. …

Cybersecurity is one of those topic areas we know is essential because having adequate protections helps prevent significant losses. We will discuss measures to improve our cybersecurity posture to avoid becoming a victim of attacks. We will use the OSI Model as a basis.


The OSI Model

The OSI Model has seven layers:

  • Layer 1 — Physical
  • Layer 2 — Data Link
  • Layer 3 — Network
  • Layer 4 — Transport
  • Layer 5 — Session
  • Layer 6 — Presentation
  • Layer 7 — Application

These layers represent how data is transmitted between applications using networks. Although this model was originally meant for communication systems, we can leverage the model to define cybersecurity governance to protect our businesses and systems. …


Storing your secrets (e.g., API keys and passwords) in Postman environments might not meet your security requirements. Although they are stored at rest, they are accessible to every team member in plaintext. You can leverage Postman cookies as an alternative because they are local to the machine, the computer user, and the Postman desktop client.

You might be thinking, “Cookies are bad. They are also plain text.”

True. They are, but at least they are not stored on the Postman servers and accessible by every team member.

The Postman Sandbox supports the crypto-js package, which you can use to add more security to the cookie’s value. …


Miguel A. Calles MBA

Miguel is the author of the “Serverless Security” book, and a cybersecurity engineer.
