xorl %eax, %eax

BSides Cyprus: Cloud… Just somebody else’s computer

leave a comment »

Just noticed that I haven’t published much for the last few talks I’ve been giving and this is one of them…

That was my 8th, and last, talk for 2021. It was a research more on the cloud security architect/engineering side. That was my second time participating in BSides Cyprus, and as always, it was an amazing event with amazing people. The organizers of BSides Cyprus did a remarkable job. From the set up of the remote event, to the CTF, the prizes for the CTF participants, and the overall atmosphere, it was an excellent event.

Now specifically on my talk, that was a subject that I was preparing for around a year and I’m glad I got to talk about it in BSides Cyprus. For various reasons, public cloud providers are intentionally abstracting lots of the plumbing on how everything is put together and how does this affect security.

So, in this talk I picked up a few services from AWS, GCP, and Azure and dissected them to demonstrate that:

  • It’s just computers and software under the hood
  • How having this “inner” architectural understanding helps you uncover vulnerabilities (using some publicly available ones in the examples, no 0days or embargoed issues revealed)

My goal with this talk wasn’t to uncover some significant design flaw or claim that public cloud is bad. Just to raise awareness and change the mindset of security engineers when working with public cloud to think beyond what the vendor’s documentation says. If you’d like to have a look, you can find my slides here.

Written by xorl

December 22, 2022 at 13:32

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: