Serverless Security: Attackers & Defenders
Abstract
In serverless, the cloud provider is responsible for securing the underlying infrastructure, from the data centers all the way up to the container and runtime environment. This relieves the application owner of much of the security burden; however, it also poses many unique challenges when it comes to securing the application layer. In this presentation, we will discuss the most critical challenges related to securing serverless applications, from development to deployment. We will also walk through a live demo of a realistic serverless application that contains several common vulnerabilities, and see how attackers can exploit them and how to secure them. I will also use examples from a recent story we published at Dark Reading, on how we hacked a real-world serverless application for bounty, and won.