Defending the Cloud from the Full Stack Hack

SOURCE Boston 2016

Presented by: Erik Peterson
Date: Wednesday May 18, 2016
Time: 10:45 - 11:25
Location: Library
Track: Cloud & IoT

Amazon Web Services (AWS) and other cloud services are billed as amazingly secure and resilient cloud service providers, but what is the reality? Once you look past that pristine environment and the manicured forests and start to build on top of it, you’ll find yourself very quickly in a dark jungle of your own creation.

With concrete examples, this presentation will explore “full stack” vulnerabilities, their effect on security, and how they create new pitfalls when migrating to and operating in a Cloud world. These range from the simple (checking in your Cloud credentials to GitHub or embedding them in your app), to the unexpected (XXE injection to expose Cloud metadata), to the unintended (data leakage and service exposure and 3rd party cloud management services). Many examples will be shared alongside new techniques showing how easy it is to expose your applications and infrastructure to attack through misunderstanding, ignorance or bad actors.

To address these challenges, this presentation will also demonstrate a free tool we have designed to assess full stack AWS applications, map out the interactions between infrastructure and code, and help individuals and organizations get clarity and bring a machete to the Amazon Cloud.

Erik Peterson

Erik Peterson is the Director of Technology Strategy for Veracode with 17 years of security industry experience, including senior leadership and technology roles for HP, SPI Dynamics, GuardedNet and Sanctum. Erik has also held InfoSec roles at Moody’s and SunTrust Bank and IT roles for the U.S. Embassy in Vienna, Austria and the UN IAEA. Erik has spoken at numerous events including Black Hat Europe, RSA, Security BSides, OWASP, AppSec USA, ISSA, and InfraGard and is a member of the Cloud Security Alliance.

