OWASP Serverless Top 10

Presented at Global AppSec - DC 2019, Sept. 13, 2019, 10:30 a.m. (45 minutes)

In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. Attackers are thinking differently, and developers must do so as well to gain the upper hand. In this talk, I will dive into the Top 10 risks of the OWASP Serverless Top 10 project. I will discuss why these risks are different from traditional attacks and how we should protect our application against them. I will also introduce OWASP DVSA, a deliberately vulnerable tool, aiming to assist both security professionals and developers to better understand the implications and processes of serverless security.

Presenters:

  • Tal Melamed - Protego Labs
    In the past year, Tal Melamed has been experimenting in offensive and defensive security for the serverless technology, as part of his role as Head of Security Research at Protego Labs. Specializing in AppSec, he has more than 15 years of experience in security research and vulnerability assessment, previously working for leading security organizations such as Synack, AppSec Labs, CheckPoint, and RSA. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects.
