Serverless Security - Attack & Defense
Offered By: Hack In The Box Security Conference via YouTube
Course Description
Overview
Explore serverless security attack vectors and defense strategies in this 51-minute conference talk from the Hack In The Box Security Conference. Delve into various aspects of serverless application security, focusing on AWS Lambda functions, with insights into Azure and GCP environments. Learn about publishing malicious NPM packages, validation errors in serverless applications, insecure defaults in the Serverless Framework, and potential Denial of Wallet attacks. Discover techniques for preventing these attacks through numerous demonstrations and practical examples. Gain valuable knowledge from senior security consultant Pawel Rzepa, who shares his expertise in penetration testing, cloud security assessments, and threat analysis.
Syllabus
Intro
Agenda
Lambda
Demo
GCP
Dependency poisoning
Searching for ready to use code
Defense
Denial of wallet
Secrets
Storage Account
Analysis
Attack from Lambda
Dangling resources
Summary
Taught by
Hack In The Box Security Conference