Pawel is a senior security consultant at SecuRing. On a daily basis he is responsible for performing penetration tests and cloud security assessments. He has wide experience in the security field, gained, inter alia, as a fuzzer developer at Spirent, a pentester at EY GSS, a security auditor at Credit Agricole and a threat analyst in IBM SOC. His skills are backed by the OSCP, eMAPT, AWS SAA and AWS CSS certifications. Pawel actively supports the OWASP community as one of the top contributors to the OWASP MSTG project and by arranging local OWASP chapter meetings in Wroclaw.
AWS Lambda Security: Attack & Defense
Over the last decades the web server environment has evolved, from physical servers through virtual machines and containers to the most recent stage, serverless computing. Along with the obvious benefits of serverless computing came some drawbacks, including security issues.
Following his in-depth research on AWS security, Pawel dug into serverless computing, with some good results. In this presentation, expect:
* my findings on publishing malicious NPM packages to smuggle malicious code into legitimate-looking dependencies
* examples of validation errors in serverless applications, including event injection and Denial of Wallet attacks in open source projects
* privilege escalation and taking control of the whole AWS environment using RCE in an ephemeral serverless environment
* insecure default settings of common serverless frameworks
* how to prevent those attacks
* how to detect such attacks using native AWS monitoring services
* lots of demos
* lots of fun 🙂
The goal of this presentation is not only to raise awareness about security risks, but also to share security best practices when developing serverless applications as well as to give practical hints on how to harden the AWS environment and minimize the impact of such attacks.