However, like everything else, Serverless technology is subject to a wide variety of attack possibilities, ranging from Function Event Injection and attacks against access control tech like JWTs, to NoSQL Injection, to exploits against the apps themselves (deserialization, etc.) that escalate privileges to other cloud components.
This course is aimed at Developers, DevOps Engineers, Penetration Testers and Security practitioners who plan to use serverless technology as part of their architecture and want a good understanding of how to attack and secure it. Services and applications that leverage serverless tech also often have a much larger attack surface, which attendees will come to understand with the help of hands-on exercises.
Who is this training beneficial to?
This training is aimed at both development and security teams who want to securely implement serverless tech. The training will help attendees gain the necessary offensive knowledge, such as the multiple attack vectors and the attack surface, which can help them secure their applications from such attacks.
How is security for a serverless application different from any other application?
The attack surface in a serverless implementation is extremely large because of the multiple event-based functionalities that can be performed, which are not necessarily HTTP-driven. This can involve functions that use internal services and can easily compromise them as well.
Are there any takeaways from this program specific to security engineers?
Application development is moving from monolithic design to micro-service style architecture. Most security engineers don't have the necessary exposure to such technologies that can enable them to test applications built using them from a security standpoint. This program aims to address this shortcoming.
Going Serverless merely reduces the security burden shouldered by the developer and doesn't negate it. Learn about security risks specific to serverless deployments in this article.
In this webinar, Abhay Bhargav (we45's founder and CEO) will demonstrate both defensive and offensive techniques for securing serverless deployments.
DVFaaS (Damn Vulnerable Function as a Service) is we45's open source intentionally vulnerable serverless function for practitioners to deploy and pwn!