Hacker News
by johnbillow 3082 days ago
So you yourself are only discussing HTTP. What about other types of serverless event triggers? Do you know how to protect against injections in SNS? Or what happens when you inject malicious input into data coming from S3? So yes, app security is app security, but there are nuances and pitfalls that are serverless-specific...
1 comments

You do realize that plenty of applications were handling events and files before "serverless" was even a thing, right? Even in a cloud context, SNS and S3 long pre-date Lambda. Neither of those "pitfalls" is serverless-specific.

In fact, Lambdas (and every other serverless platform I'm aware of) execute with the same isolation as EC2 instances in AWS. There are effectively no differences security-wise between code executing on an EC2 and code executing in Lambda. Any vulnerability in a Lambda function is also going to be a vulnerability in a traditional application hosted on EC2 and vice versa.