OWASP Atlanta Chapter

Identity and access management in the cloud remains the most fertile ground for high-value exploitations. So why is it still the least understood part of AWS? For starters, the way RBAC was implemented in the public cloud created a series of unintended consequences (role proliferation, etc) that confound security. Add to that how confusing the interconnecting IAM policy logic tree is. Then consider most are trying to understand ‘identity’ in the cloud as something akin to human credentials… when it’s far from that. Add it all together, and you have the beautiful mess we’re trying to manage today.

Jeff Moncrief’s been puzzling through the how and why of cloud IAM for the past few years. He found the best way to learn IAM is to just break it. Join Jeff as he deploys his ‘IAM walker’ script and shows the holes in a typical AWS environment, moves laterally from a typically ec2 exploit, abuses privilege escalation, steals data, and exfiltrates successfully without detection. Along the way, he’ll discuss:

• Why we misunderstand the purpose of IAM in AWS
• Rethinking IAM responsibilities of devs vs. security without breaking workloads
• Different control points in AWS, like implementing service-level security and designating ‘sensitive permissions’

AI is the ultimate accelerant for application development - its power unmatched - but without balance and control, it can quickly ignite new risks, turning potential into destruction. Explore the tangible impact of AI-generated code in this session buy playing with fire - Using GPT-driven prompts, we'll build a fully functional application, and in real time, we'll uncover how common security flaws like SQL injection, cross-site scripting, and weak authentication can manifest in AI-generated code.

Through hands-on exploration, we'll walk through the potential impact of these vulnerabilities and how these risks could be avoided with secure coding practices, defined policies, developer guardrails, and thorough security audits and code review.

By the end of the session, you'll have a deep understanding of how to:

• Recognize and assess the risks AI introduces in your code.
• Implement secure coding practices and enforce security policies.
• Integrate security audits, code reviews, and testing into your development workflow to ensure AI-generated code is safe for production.

This session is vendor agnostic and designed to empower you to reap the benefits of AI without sacrificing security.