
Serverless Security

Defending serverless applications through attack mechanisms

Training Objective and Course Overview

Serverless Technology is rapidly becoming the next “big thing” in the world of distributed applications. Function-as-a-Service (FaaS) makes deployments and operations very simple for developers, helping them ship applications at a faster rate. Organizations are investing plenty of resources in this technology as a force-multiplier, cost-saver and ops-simplification cure-all.

However, like everything else, Serverless technology is subject to a wide variety of attacks, ranging from attacks against access control mechanisms (Function Event Injection, JWTs) and NoSQL Injection to exploits against the applications themselves (deserialization, etc.) that escalate privileges to other cloud components.

What will attendees learn?

We aim this course at Developers, DevOps Engineers, Penetration Testers and Security practitioners who plan to use serverless technology, or services and applications that leverage it, as part of their architecture and want a good understanding of how to attack and secure them. With the help of hands-on exercises, attendees will also come to understand the nature of the much larger attack surface that serverless introduces.

Course Agenda

  • Understanding Serverless and FaaS (Function-as-a-Service)
  • Quick tour of FaaS (Function-as-a-Service) and BaaS (Backend-as-a-Service)
  • Introduction to AWS Lambda, S3, OpenFaaS and other Serverless options
  • Introduction to the Architecture of Serverless Deployments
  • Hands-on: Deploying a Serverless application
  • Function Data Event Injection Attacks against FaaS Implementations
  • Remote Code Execution Attacks against Serverless Apps
  • Attacking Broken Access Control in Serverless Applications
  • Attacking Identity and Access Management through Serverless Implementations
  • Extracting Secrets from FaaS Implementations
  • Leveraging Vulnerabilities like ReDoS to perform Resource Exhaustion Attacks
  • Exploiting Function Execution Order for fun and profit!
  • Identity and Access Management
  • Securing Serverless deployments with locked-down IAM privileges
  • Auditing Serverless Applications for weak access control implementations
  • Applied Key Management with Amazon Key Management System (KMS)
  • Leveraging AWS Secrets Manager for Key:Value Secrets
  • Integrating Secrets Management with Serverless Applications
  • Security Logging and Tracing for Serverless Functions
  • Serverless Vulnerability Assessment
  • CI/CD for Serverless Functions - with a security-specific pipeline
  • Intro to Secrets Management - a case for a structured approach to managing secrets
  • Secrets vs Sensitive Information - a distinction and varied threat model
  • Secret Management Fails
  • Centralization of Secrets
  • Access Control Management to Secrets
  • Dynamic Secrets
  • Encryption at rest and in transit
  • Auditability of secrets management
  • Introduction to HashiCorp Vault and its API
  • Deploying Vault in Prod
  • Managing Secrets with Vault: Key-Value Secrets
  • Encryption, Key Rotation and Rewrapping with the Vault Transit Secrets Engine
  • Dynamic Secrets with Vault: using Dynamic Secrets for short-term leases for databases
  • Authentication and Access Control Management to Vault
  • Vault Audit Capabilities
  • Vault Seal/Unseal concepts

Conference Features

Our Application Security and Cloud Security programs are a regular feature at marquee application security conferences across the world.

Frequently Asked Questions

Who is this training beneficial to?

This training is aimed at both development and security teams who want to implement serverless tech securely. It will give attendees the necessary offensive knowledge, such as the multiple attack vectors and the attack surface, which can help them secure their applications from such attacks.

How is security for a serverless application different from any other application?

The attack surface in a serverless implementation is extremely large because of the many event-based functionalities that can be triggered, which are not necessarily HTTP-driven. This can involve functions that use internal services, and a compromised function can easily compromise those services as well.

Are there any takeaways from this program specific to security engineers?

Application development is moving from monolithic design to microservice-style architecture. Most security engineers lack the exposure to such technologies needed to test applications built on them from a security standpoint. This program aims to address this shortcoming.

Dates Coming Soon!

Serverless Security

2 Days (3 Hours per day)



Additional Resources

Top 10 Security Risks in Serverless

Going Serverless merely reduces the security burden shouldered by the developer; it doesn’t negate it. Learn about security risks specific to serverless deployments in this article.

we45 Webinar

In this webinar, Abhay Bhargav (we45’s founder and CEO) will demonstrate both defensive and offensive techniques for securing serverless deployments.

Open Source Project: DVFaaS

DVFaaS (Damn Vulnerable Function as a Service) is we45’s open source, intentionally vulnerable serverless function for practitioners to deploy and pwn!