Learning Path: AWS Security

Attacking AWS Serverless Applications

Serverless applications function very differently from traditional ones, both when it comes to operation and the security measures they employ. The fact that serverless apps are structured as numerous small functions creates new opportunities for intruders to exploit the greater attack surface. This course will take both Red and Blue Team approaches to serverless security so you’ll learn not just how to passively protect apps, but actively use attackers’ strategies against them.

We begin with a look at the top 10 vulnerabilities in serverless architectures, similar to the OWASP Top 10. In the Red Team section, you’ll learn how to exploit insecure applications using many of the most severe flaws present in serverless. The Blue Team approach will have us going through methods of securing serverless applications, including identity and access management, secrets management, and logging and monitoring functions. Finally, we’ll explore serverless vulnerability assessment for SAST, DAST and SCA, as well as CI/CD for serverless functions.

Every individual section in this course features extensive hands-on labs to showcase real-world scenarios and get you to practically try out everything you learn. Our material is a distillation of years of security testing experience, knowledge, and original research across our entire team. Once you’ve completed this course, you’ll be able to take what you’ve learned here and implement it directly in a modern serverless stack.

Proficiency: Intermediate
Audience: Cloud Security
Course Duration: 4 hours
22 lessons
2 Cloud Labs

Course Outline

  • Course Introduction
  • Course Pre-requisites
  • A Move to Serverless
  • BaaS and FaaS – Serverless
  • AWS Lambda
  • Security Challenges with FaaS
  • Pillaging Serverless Apps
  • Function-Data Event Injection
  • Function Data Event Injection – Explaining the Example
  • ReDOS Explanation
  • ReDOS Demo