Bringing a Machete to the Amazon

Presented at AppSec USA 2014, Sept. 19, 2014, 9:30 a.m. (45 minutes).

Amazon Web Services (AWS) is billed as an amazingly secure and resilient cloud services provider, but what is the reality once you look past that pristine environment and the manicured forests give way to dark jungle as you start to migrate existing applications to the AWS Cloud or design new ones for AWS exclusively?

With concrete examples and new techniques this presentation will explore "full stack" vulnerabilities and their effect on security and how they create new pitfalls when migrating to and operating in an AWS world. From the simple (checking in your AWS credentials to github or embedding them in your app) the unexpected (XXE injection to expose AWS metadata), to the unintended (data leakage and service exposure to other AWS customers and 3rd party cloud management services). Many examples will be shared along side new techniques showing how easy it is to expose your applications and infrastructure to attack through misunderstanding, ignorance or bad actors.

To address these challenges this presentation will also reveal and demonstrate a free tool we have designed to assess full stack AWS applications, map out the interactions between infrastructure and code and help individuals and organizations get clarity and bring a machete to the Amazon Cloud.


Presenters:

  • Erik Peterson - Director of Technology Strategy - Veracode
    Erik Peterson is the Director of Technology Strategy for Veracode with 17 years of security industry experience, including senior leadership and technology roles for HP, SPI Dynamics, GuardedNet and Sanctum. Erik has also held InfoSec roles at Moody's and SunTrust Bank and IT roles for the U.S. Embassy in Vienna, Austria and the UN IAEA. Erik has spoken at numerous events including Security BSides, OWASP, ISSA, InfraGard and ISACA and the Cloud Security Alliance https://www.brighttalk.com/webcast/7651/44299

Links:

Similar Presentations: