Modern software-as-a-service (SaaS) companies have a large footprint and a lot of automation which enables them to build their service quickly. However, because many devops and cloud tools and processes are new, many companies don’t understand the risks and don’t plan with security in mind. Even some practiced network pentesters don’t always know the best way to find vulnerabilities in these complex cloud-based systems.
This talk is an introduction to pentesting these companies and is focused on giving attendees a breadth of knowledge on the new tech – like microservices, serverless computing, configuration management, and containers – that modern SaaS companies are using. You’ll learn how to attack them and pivot towards high value targets or how to defend yourself against these attacks and how to monitor for breaches. A new remote access tool for AWS will be released to control AWS accounts with a minimum chance of observation.