
Event Injections: Sending Evil to the Cloud

BSides CT · 2019 · 53:14 · 45 views · Published 2019-11 · Watch on YouTube
Category: Technical
Style: Talk
About this talk
Thanks to the BSides CT organizers, volunteers, sponsors, and attendees. Thank you to Irongeek for coming out to film, and to his video crew volunteers Greg Jurman, Spencer Smalley, Steven Swabby and Daniel Robels. http://www.irongeek.com/ https://www.bsidesct.org/

Serverless applications have seen a significant rise in adoption in the past year. Along with its advantages, serverless architecture presents new security challenges. Some of these security threats are the same as those we know from traditional application development, and some take a new form. One particular example is injection attacks. Yes, SQL/NoSQL, OS and code injection attacks all still exist. But when dealing with a monolithic application we only have one way in. What happens when we move to a serverless architecture and lose the perimeter? Code is no longer executed directly, but through cloud events, whether it's a file upload, an email sent, a notification received or a simple log entry. In this talk, I will examine the #1 serverless risk, event injection, and demonstrate injection attacks from multiple event types.

In the past year, Tal has been experimenting with offensive and defensive security for serverless technology as part of his role as Head of Security Research at Protego Labs. Specializing in AppSec, he has more than 15 years of experience in security research and vulnerability assessment, previously working for leading security organizations such as Synack, AppSec Labs, Check Point, and RSA. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects.
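The abstract's point, that the attacker's input reaches the function inside a cloud event rather than an HTTP request, is easiest to see in code. What follows is an added example, not code from the talk, from Protego Labs or from DVSA: a constructed S3 ObjectCreated event whose object key carries shell metacharacters (S3 URL-encodes the key in the record, so the handler decodes it with `unquote_plus`, as the AWS Lambda S3 blueprint does), a Lambda-style handler that interpolates the key into a shell command (vulnerable), and one that allow-lists the key and invokes the tool with an argv list (hardened). The `ls -l` command, the `/tmp` working directory and the allow-list pattern are assumptions standing in for whatever file-processing tool a real function would run on the uploaded object.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# Constructed sample event in the shape S3 delivers to a Lambda function on
# ObjectCreated. S3 URL-encodes the object key in the record; decoded it reads
# "report.txt; echo INJECTED": the attacker chose the file name at upload time,
# and the shell metacharacters ride into the function inside the event.
MALICIOUS_EVENT = {
    "Records": [
        {
            "eventSource": "aws:s3",
            "eventName": "ObjectCreated:Put",
            "s3": {
                "bucket": {"name": "uploads-bucket"},
                "object": {"key": "report.txt%3B+echo+INJECTED"},
            },
        }
    ]
}

# Same shape with a benign key, used to show the hardened handler still works.
BENIGN_EVENT = {
    "Records": [
        {
            "eventSource": "aws:s3",
            "eventName": "ObjectCreated:Put",
            "s3": {
                "bucket": {"name": "uploads-bucket"},
                "object": {"key": "report.txt"},
            },
        }
    ]
}

# Hypothetical processing step (assumption): the function handles the upload by
# running a command-line tool on a local copy under /tmp. `ls -l` stands in for
# that tool so the example runs anywhere; the injection works the same way for
# ffmpeg, convert, clamscan or any other tool launched through a shell.
WORK_DIR = "/tmp"


def event_key(event):
    """Pull the object key out of the first S3 record and undo S3's URL-encoding."""
    record = event["Records"][0]
    return unquote_plus(record["s3"]["object"]["key"])


def vulnerable_handler(event, context=None):
    """Vulnerable: the key is interpolated into a shell command line, so the
    ";" and "echo INJECTED" that arrived inside the event get executed."""
    key = event_key(event)
    cmd = f"ls -l {WORK_DIR}/{key}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout + result.stderr


# Allow-list for object keys this function is willing to touch (assumed key
# scheme): a leading alphanumeric, then a bounded run of characters that neither
# a shell nor a path layer interprets. Widen it to match the uploader's real
# naming scheme, but keep it an allow-list rather than a blocklist of metacharacters.
SAFE_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def hardened_handler(event, context=None):
    """Hardened: the event is validated like any other untrusted input, and the
    tool is invoked with an argv list so nothing parses the key as shell syntax."""
    record = event["Records"][0]
    if record.get("eventSource") != "aws:s3":
        return {"status": "rejected", "reason": "unexpected event source"}
    key = event_key(event)
    if not SAFE_KEY.fullmatch(key):
        return {"status": "rejected", "reason": f"object key failed allow-list: {key!r}"}
    result = subprocess.run(
        ["ls", "-l", f"{WORK_DIR}/{key}"], capture_output=True, text=True
    )
    return {"status": "ok", "output": result.stdout + result.stderr}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(MALICIOUS_EVENT))
    print("hardened (malicious):", hardened_handler(MALICIOUS_EVENT))
    print("hardened (benign):", hardened_handler(BENIGN_EVENT))
```

Run it and the vulnerable handler's output ends with `INJECTED`, printed by the command that the attacker smuggled in through the file name; the hardened handler rejects that event outright and still processes the benign one. The same pattern applies to the other event types the talk covers (SNS/SQS message bodies, SES mail headers, CloudWatch log lines): treat every field of the event as attacker-controlled, validate it against what the function expects, and keep it out of any shell, query or `eval`.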