We are seeing more and more organizations leverage the advantages introduced by serverless computing. But what does serverless computing entail when it comes to security? With no dedicated server, is the security risk higher or lower? Can malware live inside the code? These are critical questions every organization shifting to a serverless environment should be asking.

Our research team took on the challenge of implementing the first-ever RCE (Remote Code Execution) attack in a serverless environment that is both stored and viral. Using Amazon's Lambda as the first test subject, we were able to build a PoC which showed how information extraction and exfiltration is done. We also demonstrated how the payload persists and can be injected into other non-vulnerable functions. We then went ahead and tested to see if the same would work on Azure and Google Cloud. Curious to know the outcome? The findings will be presented in our session along with best practices and tips for ensuring security prevails in a serverless environment.

Those who will join this talk will:

- Understand the architecture and advantages of a serverless computing environment

- Learn the security challenges entailed in working in a serverless environment

- View a live demo on how data is infiltrated, infected, and exfiltrated in a serverless environment

- See how we built self-duplicating attacks that survive persistently within the code

- Watch as the attack is executed on platforms running on serverless environments
Speakers
avatar for Erez Yalon
Erez Yalon
AppSec Research Group Manager, Checkmarx

-

Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...