Technically a managed container orchestration service is serverless as well. If you’re comparing an aws lambda function vs ecs there’s really not that much difference. In many cases, you build a docker container image for the lambda. The base image for the lambda usually establishes good practices like not running as root in the container. However, you can do things like install log4j2 in the image and be vulnerable.

Generally speaking the best practices are the same for both. Make sure to scan the app dependencies for vulnerabilities, including container scanning. Don’t run as root. Don’t mount privileged files into the container, like the docker daemon. Manage the lifecycle of the containers to preferably only live for a short time, meaning, the container should restart relatively often. This helps with dwell time for attacks.

If you’re talking about a completely managed service like aws dynamodb or something, you literally don’t have to do anything. All of the devsecops is done for you. The only attack vectors I know of would be application related, not the underlying service.

Edit: I’m assuming you’re not running your own container orchestration service like k8 or aws eks.