Serverless Security Testing: Lambda, Functions, and Cloud Run

Execution Role Testing
Every serverless function runs with an IAM role that defines what cloud resources it can access. Testing evaluates whether roles follow least privilege, whether several functions share one role (so compromising any of them yields the union of their access, amplifying blast radius), and whether role permissions enable privilege escalation by chaining permissions across services.
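The three checks above (wildcard grants, escalation-capable actions without a resource scope, and roles shared between functions) can be run as a static audit over the inline policy documents. The script below is an added example written for this article, not Penetrify's tooling or any AWS library; the policy documents, role ARNs and function names are constructed sample data (account id 123456789012 is the AWS documentation placeholder), and the list of escalation-capable actions is an assumed starting set rather than an exhaustive one. A real audit would also resolve attached managed policies.

```python
"""Least-privilege audit of Lambda execution-role policies.

Added example, not code from the original page. The policy documents, role
ARNs and function names below are constructed sample data (account id
123456789012 is the AWS documentation placeholder).
"""
import fnmatch
from collections import defaultdict

# Assumed starting set of actions that let a role mint or redirect further
# privilege. Granted without a tight Resource scope, they let one function's
# role chain into other services.
ESCALATION_ACTIONS = (
    "iam:PassRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "iam:CreateAccessKey",
    "lambda:UpdateFunctionCode",
    "lambda:AddPermission",
    "sts:AssumeRole",
)


def _as_list(value):
    """IAM accepts either a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return a list of human-readable findings for one policy document."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        unscoped = "*" in _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action}")
            # fnmatchcase lets a pattern such as iam:* match the concrete action
            matched = [a for a in ESCALATION_ACTIONS if fnmatch.fnmatchcase(a, action)]
            if matched and unscoped:
                findings.append(f"{action} on Resource '*' enables {', '.join(matched)}")
        if unscoped:
            findings.append(f"Resource '*' on statement allowing {actions}")
    return findings


def audit_functions(functions):
    """functions: iterable of {"name", "role_arn", "policy"} dicts.

    Returns {function name: findings}. Besides per-policy findings it flags a
    role shared by several functions, since compromise of any one of them then
    yields the union of all their access.
    """
    report = {f["name"]: audit_policy(f["policy"]) for f in functions}
    by_role = defaultdict(list)
    for f in functions:
        by_role[f["role_arn"]].append(f["name"])
    for role, names in by_role.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(sorted(set(names) - {name}))
                report[name].append(f"role {role} shared with {others}")
    return report


# Constructed sample inventory: two functions share an over-broad role, a third
# has a role scoped to exactly what it needs.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-uploads/*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/audit-logger:*"},
    ],
}
SHARED_ROLE = "arn:aws:iam::123456789012:role/shared-lambda-role"
SAMPLE_FUNCTIONS = [
    {"name": "image-resizer", "role_arn": SHARED_ROLE, "policy": OVERBROAD_POLICY},
    {"name": "report-builder", "role_arn": SHARED_ROLE, "policy": OVERBROAD_POLICY},
    {"name": "audit-logger",
     "role_arn": "arn:aws:iam::123456789012:role/audit-logger-role",
     "policy": SCOPED_POLICY},
]

if __name__ == "__main__":
    for name, findings in audit_functions(SAMPLE_FUNCTIONS).items():
        print(name, "->", findings or "no findings")
```

Running it reports four findings for each of the two functions on the shared role (the `s3:*` wildcard, `iam:PassRole` with no resource scope, the unscoped statement itself, and the shared role) and none for the scoped function, which is the shape of output a least-privilege review wants: one line per concrete fix.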
Event Source Injection
Serverless functions are triggered by events—API Gateway requests, S3 uploads, SQS messages, CloudWatch events. Each event source is a potential injection vector. Testing evaluates input validation at the event source level, not just within the function code.
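Validating at the event-source level means checking the record before any field from it is used, and decoding it the way the source encodes it. The handler below is an added example written for this article, not code from the page or from Penetrify: the bucket name, the key allowlist and the sample events are constructed, and the S3 and API Gateway event shapes are the documented ones trimmed to the fields used here. It rejects a URL-encoded traversal key, a record from an untrusted bucket, a key carrying shell metacharacters, and an API body missing a required field.

```python
"""Event-source validation for a Lambda handler.

Added example, not code from the original page. Bucket name, key allowlist
and the sample events are constructed; the S3 and API Gateway event shapes
are the documented ones, trimmed to the fields used here.
"""
import json
import re
import urllib.parse

TRUSTED_BUCKETS = {"example-uploads"}
# Strict allowlist for object keys: one path segment under uploads/, a bounded
# character set, and a known extension. No '/', ';', '$' or whitespace can pass.
SAFE_KEY = re.compile(r"uploads/[A-Za-z0-9._-]{1,128}\.(?:png|jpg|pdf)")
MAX_BODY_BYTES = 64 * 1024


class EventValidationError(ValueError):
    """Raised for any record that must not reach business logic."""


def validate_s3_record(record):
    """Return (bucket, key) for a trusted bucket and an allowlisted key.

    S3 URL-encodes keys in event notifications (spaces arrive as '+'), so the
    key is decoded before it is checked; validating the encoded form would let
    %2F-encoded traversal sequences through.
    """
    try:
        bucket = record["s3"]["bucket"]["name"]
        raw_key = record["s3"]["object"]["key"]
    except (KeyError, TypeError):
        raise EventValidationError("malformed S3 record")
    if bucket not in TRUSTED_BUCKETS:
        raise EventValidationError(f"untrusted bucket {bucket}")
    key = urllib.parse.unquote_plus(raw_key)
    if not SAFE_KEY.fullmatch(key):
        raise EventValidationError(f"key rejected: {key!r}")
    return bucket, key


def validate_api_body(event, required):
    """Parse an API Gateway JSON body with a size cap and required-field check."""
    if event.get("isBase64Encoded"):
        raise EventValidationError("binary bodies are not accepted here")
    body = event.get("body") or ""
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        raise EventValidationError("body too large")
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        raise EventValidationError("body is not valid JSON")
    if not isinstance(data, dict):
        raise EventValidationError("body must be a JSON object")
    missing = [field for field in required if field not in data]
    if missing:
        raise EventValidationError(f"missing fields {missing}")
    return data


def handler(event, context=None):
    """Validate every record before any of it is used; returns a summary
    instead of touching real services so the example runs offline."""
    accepted, rejected = [], []
    if "Records" in event:
        for record in event["Records"]:
            try:
                if record.get("eventSource") == "aws:s3":
                    accepted.append(validate_s3_record(record))
                else:
                    raise EventValidationError(f"unhandled source {record.get('eventSource')}")
            except EventValidationError as exc:
                rejected.append(str(exc))
    elif "body" in event:
        try:
            accepted.append(validate_api_body(event, ["order_id", "quantity"]))
        except EventValidationError as exc:
            rejected.append(str(exc))
    else:
        rejected.append("unrecognised event shape")
    return {"accepted": accepted, "rejected": rejected}


def _s3_record(bucket, key):
    return {"eventSource": "aws:s3", "s3": {"bucket": {"name": bucket}, "object": {"key": key}}}


# Constructed sample events: one clean upload and three records that must fail.
S3_EVENT = {"Records": [
    _s3_record("example-uploads", "uploads/invoice-2024.pdf"),
    _s3_record("example-uploads", "uploads/..%2F..%2Fetc%2Fpasswd"),   # encoded traversal
    _s3_record("untrusted-bucket", "uploads/photo.png"),                # wrong bucket
    _s3_record("example-uploads", "uploads/photo.png%3Bid"),            # shell metacharacter
]}
API_EVENT = {"body": json.dumps({"order_id": "A-1", "quantity": 2}), "isBase64Encoded": False}
BAD_API_EVENT = {"body": json.dumps({"order_id": "A-1"}), "isBase64Encoded": False}

if __name__ == "__main__":
    print(handler(S3_EVENT))
    print(handler(API_EVENT))
    print(handler(BAD_API_EVENT))
```

The point of the allowlist regex is that the key is never passed to a filesystem, shell or downstream service in its raw form; the same structure applies to SQS or EventBridge sources, with a per-source decode step followed by a per-source schema.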
Environment Variables and Secrets
Functions frequently store configuration and secrets in environment variables—visible to anyone with function read access. Testing checks for plaintext secrets, sensitive configuration exposure, and whether functions use proper secrets management (Secrets Manager, Parameter Store, Key Vault) instead of environment variables.
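The check for plaintext secrets can be automated over the environment block that the cloud API returns for each function. The scanner below is an added example for this article, not Penetrify's code or any vendor tool; its heuristics (known credential formats, secret-like variable names, and a Shannon-entropy fallback) and the sample configuration are constructed, and the `AKIA...` value is the sample access key id from the AWS documentation, not a live credential. Values that are references into Secrets Manager, Parameter Store or Key Vault are treated as acceptable, since the secret is resolved at runtime rather than stored in the configuration.

```python
"""Scan function environment variables for plaintext secrets.

Added example, not code from the original page. The heuristics, names and
sample configuration are constructed; the AKIA... value is the sample access
key id from the AWS documentation, not a live credential.
"""
import math
import re

# Values that merely reference a secrets store are acceptable: the secret is
# resolved at runtime, so reading the configuration does not reveal it.
REFERENCE_PATTERNS = (
    re.compile(r"^arn:aws:secretsmanager:"),
    re.compile(r"^arn:aws:ssm:"),
    re.compile(r"^@Microsoft\.KeyVault\("),   # Azure App Service / Functions reference
)
# Variable names that usually hold credentials. 'KEY' is deliberately broad;
# expect some false positives (CACHE_KEY_PREFIX) and review them.
SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|KEY|CREDENTIAL|AUTH", re.I)
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "url_with_password": re.compile(r"[a-z][a-z0-9+.-]*://[^:/\s]+:[^@\s]+@"),
}
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 4.0   # bits per character; random tokens sit well above this


def shannon_entropy(text):
    """Bits of entropy per character of the given string."""
    if not text:
        return 0.0
    length = len(text)
    return -sum(
        (n / length) * math.log2(n / length)
        for n in (text.count(c) for c in set(text))
    )


def is_reference(value):
    return any(p.search(value) for p in REFERENCE_PATTERNS)


def scan_environment(env):
    """Return {variable name: [reasons]} for variables that look like secrets."""
    findings = {}
    for name, value in env.items():
        if not isinstance(value, str) or is_reference(value):
            continue
        reasons = [f"matches {label}" for label, pat in VALUE_PATTERNS.items() if pat.search(value)]
        if SECRET_NAME.search(name):
            reasons.append("secret-like name holds a literal value")
        # Entropy is the fallback for values nothing else recognises.
        if not reasons and len(value) >= ENTROPY_MIN_LEN and " " not in value:
            bits = shannon_entropy(value)
            if bits >= ENTROPY_THRESHOLD:
                reasons.append(f"high-entropy value ({bits:.2f} bits/char)")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed function configuration, shaped like the Environment.Variables
# block a Lambda GetFunctionConfiguration call returns.
SAMPLE_ENV = {
    "LOG_LEVEL": "info",
    "CACHE_TTL": "300",
    "DB_HOST": "db.internal.example",
    "DB_PASSWORD": "hunter2",
    "BACKUP_AWS_KEY": "AKIAIOSFODNN7EXAMPLE",
    "DATABASE_URL": "postgres://app:s3cr3t@db.internal.example:5432/app",
    "WEBHOOK_SALT": "q8Zr4vL2mN9xP1wK7tB3yH6sD0fG5jA",
    "API_TOKEN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/api-token",
    "SESSION_SIGNING_KEY": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/session-key",
}

if __name__ == "__main__":
    for name, reasons in scan_environment(SAMPLE_ENV).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample configuration it flags `DB_PASSWORD`, `BACKUP_AWS_KEY`, `DATABASE_URL` (the password embedded in the connection string) and the high-entropy `WEBHOOK_SALT`, while the two store references pass. The entropy fallback is intentionally the last check, because it is the noisiest; the named-format patterns carry almost no false positives.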
Cold Start and Timeout Abuse
Serverless functions have execution time limits and cold start behaviours that create unique denial-of-service and timing attack vectors. Testing evaluates resource limits, concurrency settings, and whether timeout behaviours expose partial state.
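The "partial state on timeout" failure mode is easiest to see with a batch handler. The example below is added for this article and is not code from the page or from Penetrify: the `Store`, `FakeContext` and the SQS-style batch are constructed stand-ins (the fake context only implements `get_remaining_time_in_millis()`, the method a real Lambda context provides, plus an `advance()` helper to simulate elapsed time), while the `batchItemFailures` response shape is the real partial-batch-response contract for SQS-triggered Lambda. The naive handler is cut off mid-batch and, on redelivery, re-applies writes it already made; the hardened one checks the remaining time before each unit of work, reports what it did not process, and makes each write idempotent so a retry is harmless.

```python
"""Timeout-aware batch processing with idempotent writes.

Added example, not code from the original page. The Store, FakeContext and
the SQS-style batch are constructed stand-ins; the batchItemFailures response
shape is the real partial-batch-response contract for SQS-triggered Lambda.
"""
import json

SAFETY_MARGIN_MS = 2000   # stop taking new work when less than this remains


class FakeContext:
    """Stand-in for the Lambda context: only the method the handler relies on,
    plus advance() so the example can simulate elapsed time deterministically."""

    def __init__(self, remaining_ms):
        self.remaining_ms = remaining_ms

    def get_remaining_time_in_millis(self):
        return self.remaining_ms

    def advance(self, ms):
        self.remaining_ms = max(0, self.remaining_ms - ms)


class Store:
    """In-memory table. apply_once() records the idempotency key with the write
    so a redelivered message cannot double-apply its effect."""

    def __init__(self):
        self.rows = {}
        self.applied = set()

    def apply_once(self, idem_key, account, amount):
        if idem_key in self.applied:
            return False
        self.rows[account] = self.rows.get(account, 0) + amount
        self.applied.add(idem_key)
        return True


def handler(event, context, store, work_ms=1500):
    """Process an SQS batch, stopping before the deadline and reporting what was
    not processed so only those messages are redelivered."""
    processed, duplicates, failures = 0, 0, []
    for msg in event["Records"]:
        if context.get_remaining_time_in_millis() < SAFETY_MARGIN_MS + work_ms:
            failures.append({"itemIdentifier": msg["messageId"]})
            continue
        body = json.loads(msg["body"])
        if store.apply_once(msg["messageId"], body["account"], body["amount"]):
            processed += 1
        else:
            duplicates += 1
        context.advance(work_ms)   # simulated cost of the write
    return {"processed": processed, "duplicates": duplicates,
            "batchItemFailures": failures}


def naive_handler(event, context, store, work_ms=1500):
    """Same work with no deadline check and non-idempotent writes. The runtime
    terminates it mid-batch (simulated by the TimeoutError), leaving the rows it
    already updated in place; with no failure report the whole batch is
    redelivered and those rows are updated again."""
    for msg in event["Records"]:
        if context.get_remaining_time_in_millis() < work_ms:
            raise TimeoutError("function killed mid-batch")
        body = json.loads(msg["body"])
        store.rows[body["account"]] = store.rows.get(body["account"], 0) + body["amount"]
        context.advance(work_ms)


def make_batch(message_ids, account="acct-A", amount=10):
    """Constructed SQS-style batch; real records carry more fields."""
    return {"Records": [
        {"messageId": mid, "eventSource": "aws:sqs",
         "body": json.dumps({"account": account, "amount": amount})}
        for mid in message_ids
    ]}


def run_to_completion(message_ids, store, budget_ms=6000, max_rounds=10):
    """Simulate SQS redelivering only the reported failures until the batch
    drains. Returns the number of invocations it took."""
    pending = list(message_ids)
    rounds = 0
    while pending and rounds < max_rounds:
        result = handler(make_batch(pending), FakeContext(budget_ms), store)
        pending = [f["itemIdentifier"] for f in result["batchItemFailures"]]
        rounds += 1
    return rounds


if __name__ == "__main__":
    store = Store()
    ids = ["msg-1", "msg-2", "msg-3", "msg-4", "msg-5"]
    print(handler(make_batch(ids), FakeContext(6000), store))
    print(store.rows)
```

With a 6 s budget and 1.5 s per write, the hardened handler processes two messages, hands back three, and the batch drains cleanly over three invocations with the account total exactly right. The naive handler updates four rows and is killed on the fifth; redelivering the whole batch would add those four again, which is the partial-state exposure the testing looks for. The same remaining-time check is what keeps a function from being driven into repeated timeouts when concurrency limits slow its downstream calls.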
Serverless Testing with Penetrify
Penetrify's serverless security testing covers Lambda, Azure Functions, and Cloud Functions with execution role analysis, event source injection testing, secrets management evaluation, and cross-service attack path assessment.
The Bottom Line
Serverless doesn't mean security-less. Functions inherit risk through their execution roles, event sources, and environment configurations. Penetrify tests all three layers.