Defending serverless applications through attack mechanisms
Serverless technology is rapidly becoming the next “big thing” in the world of distributed applications. Function-as-a-Service (FaaS) makes deployment and operations very simple for developers, helping them ship applications at a faster rate. Organizations are investing plenty of resources in this technology as a force multiplier, cost saver and ops-simplification cure-all.
However, like everything else, serverless technology is subject to a wide variety of attacks, ranging from function event injection and attacks against access-control mechanisms such as JWTs, to NoSQL injection, to exploits against the applications themselves (deserialization and the like) that escalate privileges to other cloud components.
We aim this course at developers, DevOps engineers, penetration testers and security practitioners who plan to use serverless technology, or services and applications that leverage serverless tech, as part of their architecture and want a good understanding of how to attack and secure them. Through hands-on exercises, attendees will also come to understand the much larger attack surface that serverless architectures expose.
Understanding Serverless and FaaS (Function-as-a-Service)
Quick tour of FaaS (Function-as-a-Service) and BaaS (Backend-as-a-Service)
Introduction to AWS Lambda, S3, OpenFaaS and other Serverless options
Introduction to the Architecture of Serverless Deployments
Hands-on: Deploying a Serverless application
Function Data Event Injection Attacks against FaaS Implementations
Remote Code Execution Attacks against Serverless Apps
Extracting Secrets from FaaS Implementations
Leveraging Vulnerabilities like ReDoS to perform Resource Exhaustion Attacks
Exploiting Function Execution Order for fun and profit!
Identity and Access Management
Securing Serverless deployments with locked down IAM privileges
Auditing Serverless Applications for weak access control implementations
Security Logging and Tracing for Serverless Functions
Serverless Vulnerability Assessment
CI/CD for Serverless Functions - With Security specific pipeline
Our Application Security and Cloud Security programs are a regular feature at marquee application security conferences across the world.
Who is this training beneficial to?
This training is aimed at both development and security teams who want to implement serverless tech securely. It will help attendees gain the necessary offensive knowledge, such as the multiple attack vectors and the attack surface involved, that can help them secure their applications against such attacks.
How is security for a serverless application different from any other application?
The attack surface in a serverless implementation is extremely large because functions can be triggered by many kinds of events, not only HTTP requests. Such functions often interact with internal services, and a compromised function can easily compromise those services as well.
Are there any takeaways from this program specific to security engineers?
Application development is moving from monolithic designs to microservice-style architectures. Most security engineers lack the exposure to these technologies that would enable them to test applications built on them from a security standpoint. This program aims to address that shortcoming.
Going serverless merely reduces the security burden shouldered by the developer; it does not remove it. Learn about security risks specific to serverless deployments in this article.
In this webinar, Abhay Bhargav (we45’s founder and CEO) will demonstrate both defensive and offensive techniques for securing serverless deployments.
DVFaaS (Damn Vulnerable Function as a Service) is we45’s open source, intentionally vulnerable serverless function for practitioners to deploy and pwn!