BSidesBCN21 - Day 2 - Park Güell Track

Does Serverless Means Harmless? (Tal Melamed)

When adopting serverless technology, we eliminate the need to develop a server to manage our application and by doing so, we also pass some of the security threats to the infrastructure provider. However, serverless functions, even without provisioning or managing servers, still execute code. If this code is written in an insecure manner, it can still be vulnerable to traditional application-level attacks.

In this talk, we will examine the differences in attack vectors, security weaknesses, and the business impact of successful attacks on applications in the serverless world, and, most importantly, how to prevent them. As we will see, attack vectors and prevention techniques are completely different from the traditional application world.

About Tal Melamed

With over 15 years’ experience in security research and engineering - Tal possesses an unprecedented understanding of the Application and Serverless Security landscape. Most recently Tal co-founded CloudEssence, a cloud-native security technology company that enables organisations to extend security observability to applications developed in cloud-native architectures. CloudEssence was acquired by Contrast Security in 2021. Previous to CloudEssence, Tal was head of security research at Protego Labs, a Serverless security start-up that was acquired by Check Point.

Tal currently leads Contrast Security’s new innovation centre in Israel and teaches at the cybersecurity master’s program at Quinnipiac University. He is also an AWS Community builder and an OWASP leader, where he evangelizes serverless security to the community, leads several Open-Source projects including OWASP Serverless Security Top 10 and DVSA (an insecure-by-design serverless app for training purposes) and trains hundreds of developers and security teams around the world.