Introduction
Serverless applications have become popular amongst developers due to benefits like better scalability, flexibility, time efficiency, and reduced costs. However, as with every technology or framework, awareness of the components involved is essential to ensure that the implementation is as optimised, reliable, and secure as possible.
This tech talk was presented by Alexandre Sieira and Leonardo Viveiros. Alexandre Sieira is a successful information security entrepreneur and has presented at various security conferences like Black Hat, DEF CON Cloud Village, BSides San Francisco, the FIRST conference, etc. Leonardo Viveiros is a software engineer with experience in building cloud native solutions and front-end applications, and is currently working as a DevSecOps specialist.
This video is part of the tech talks presented at Cloud Village. Cloud Village is an open space dedicated to people interested in cloud security and conducts various activities like talks, workshops, CTFs, and discussions around the cloud.
What to expect from this video
The following topics are covered in this video:
- Introduction to serverless application security issues in AWS
- Why should you care
- API Gateway overview
- Lambda Authorizers overview
- Lambda Authorizers policy document
- Security issue with the usage of "*" in policy documents
Video
https://www.youtube.com/watch?v=bsPKk7WDOnE
Key Takeaways
Deploying serverless applications on the cloud is easier and faster than ever, and AWS lets users build and scale serverless applications with little effort. However, there are some security concerns due to the way API Gateway Lambda Authorizer policy documents work.
This video introduces you to the basic concepts of API Gateway and Lambda Authorizers - services that are often used when working with serverless architectures. The speakers give a walkthrough of how policy documents for Lambda Authorizers function and how the usage of "*" in them can cause unintended behaviour, raising security concerns. This is an interesting tech talk in which useful examples are demonstrated to better understand the security issue at hand, and why one must make a conscious decision when making use of "*" in policy documents.
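To make the policy-document point concrete, here is an added example (not code from the talk or its speakers) that builds the document a Lambda authorizer returns to API Gateway, once scoped to a single method ARN and once with the "*" resource, and audits it for wildcards before deployment. The `build_policy` and `audit_policy` helpers, the API id `abc123` and the account number are assumed sample values.

```python
"""Build and audit an API Gateway Lambda authorizer policy document.

Added example, not from the talk: a method-scoped policy next to an
unscoped "*" policy, plus a check that flags the wildcard early.
"""
import re

# Method ARN that API Gateway passes to a TOKEN/REQUEST authorizer:
# arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
METHOD_ARN_RE = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]+):(?P<account>\d{12}):"
    r"(?P<api_id>[^/]+)/(?P<stage>[^/]+)/(?P<method>[A-Z*]+)/?(?P<path>.*)$"
)


def build_policy(principal_id, effect, resources):
    """Return the response document an authorizer hands back to API Gateway."""
    if isinstance(resources, str):
        resources = [resources]
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": list(resources),
            }],
        },
    }


def allowed_resources(policy):
    """Yield every Resource string that appears in an Allow statement."""
    for stmt in policy["policyDocument"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        res = stmt.get("Resource", [])
        yield from ([res] if isinstance(res, str) else res)


def audit_policy(policy, expected_api_id):
    """Return findings for Allow resources not pinned to one API's method ARNs."""
    findings = []
    for res in allowed_resources(policy):
        m = METHOD_ARN_RE.match(res)
        if res == "*":
            findings.append(f"{res}: unscoped wildcard matches every execute-api ARN")
        elif m is None:
            findings.append(f"{res}: not a valid execute-api method ARN")
        elif m["api_id"] != expected_api_id:   # "*" as api-id lands here too
            findings.append(f"{res}: api-id {m['api_id']!r} is not {expected_api_id!r}")
        elif m["stage"] == "*":
            findings.append(f"{res}: wildcard stage")
    return findings
```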

Riyaz Walikar
Founder & Chief of R&D
Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.