OWASP Toronto - July Event - Serverless OWASP Top 10

TALK

Serverless OWASP Top 10

Summary:

When adopting serverless technology, we eliminate the need to develop a server to manage our application and by doing so, we also pass some of the security threats to the infrastructure provider. However, serverless functions, even without provisioning or managing servers, still execute code. If this code is written in an insecure manner, it can still be vulnerable to traditional application-level attacks.

The OWASP Serverless Top 10 project recently launched. In this talk, I will examine how the original Top 10 stack up for serverless apps. In particular, we’ll examine the differences in attack vectors, security weaknesses, and the business impact of successful attacks on applications in the serverless world, and, most importantly, how to prevent them. As we will see, attack vectors and prevention techniques are completely different from the traditional application world.

Presenter:

Paolo Spagli

Paolo Spagli is Senior Security Researcher for Cloud-Native technologies at Contrast Security. In this role he is committed to help development teams shipping secure applications in the cloud. Prior to Contrast, he was a Cloud Security Lead Architect at Baker Hughes. Paolo has over 15 years of experience in many fields including web development, software architecture, cloud technologies, security architecture, application security, DevSecOps.