Training Overview

Serverless technology is rapidly becoming the next "big thing" in the world of distributed applications. Function-as-a-Service (FaaS) makes deployments and operations very simple for developers, helping them ship applications at a faster rate. Organizations are investing plenty of resources in this technology as a force-multiplier, cost-saver and ops-simplification cure-all.

However, like everything else, serverless technology is subject to a wide variety of attack possibilities, ranging from attacks against access control tech like Function Event Injection and JWTs, to NoSQL Injection, to exploits against the apps themselves (deserialization, etc.) that escalate privileges to other cloud components.


Course Objectives

This course is aimed at Developers, DevOps Engineers, Penetration Testers and Security practitioners who plan to use serverless technology as part of their architecture and want a good understanding of how to attack and secure it. Services and applications that leverage serverless tech often have a much larger attack surface, which attendees will come to understand through hands-on exercises.

we45 - An AppSec Training Leader

Our serverless security training is a regular feature at marquee application security conferences across the world. Below is a snapshot of past and future trainings undertaken by we45.
we45 training at SHACK 2019
we45 training at AppSec USA 2018

Frequently Asked Questions

Who is this training beneficial to?

This training is aimed at both development and security teams who want to securely implement serverless tech. The training will help attendees gain the necessary offensive knowledge, such as the multiple attack vectors and the attack surface, which can help them secure their applications from such attacks.

How is security for a serverless application different from any other application?

The attack surface in a serverless implementation is extremely large because functions can be triggered by multiple event-based functionalities that are not necessarily HTTP-driven. This can involve functions that use internal services and can easily compromise them as well.

Are there any takeaways from this program specific to security engineers?

Application development is moving from monolithic design to micro-service style architecture. Most security engineers don't have the exposure to such technologies that would enable them to test applications built with them from a security standpoint. This program aims to address this shortcoming.

Additional Resources

Top 10 Security Risks in Serverless

Going serverless merely reduces the security burden shouldered by the developer and doesn't negate it. Learn about security risks specific to serverless deployments in this article.

Practical Serverless Security

we45 Webinar

In this webinar, Abhay Bhargav (we45's founder and CEO) will demonstrate both defensive and offensive techniques for securing serverless deployments.

Open Source Project: DVFaaS

DVFaaS (Damn Vulnerable Function as a Service) is we45's open source, intentionally vulnerable serverless function for practitioners to deploy and pwn!