Serverless is not a silver bullet - You lose servers, not responsibility!
Abstract -
Behind the abstraction lies a misconception: that serverless means "less" responsibility. Spoiler alert - it doesn't! Fast and adaptable, serverless is also dangerously easy to configure incorrectly. In highly dynamic, event-driven cloud environments, sporadic and fine-grained service integrations introduce unique attack surfaces that traditional security models fail to address.
This technical session dives deep into the tactics, techniques, and procedures (TTPs) adversaries use to exploit serverless applications via new attack vectors, including vulnerable libraries, leaky secrets, wildcard IAM roles, and insecure triggers. It also emphasizes actionable, tried-and-true methods over theory—equipping practitioners with the skills to defend modern serverless stacks while maintaining operational velocity.
The key takeaways from this session include a clear understanding of how serverless risks differ from traditional application threats, especially in areas like ephemeral execution, implicit trust boundaries, and event-driven attack vectors. Lastly, executives and architects will learn how these trust boundaries can be inadvertently crossed, exposing data or escalating privileges.
--------------------------------------------
## Session outline (based on 25 mins content + 5 mins Q&A, and this can be extended to 45 mins based on available slot)
This talk is for those building and securing cloud-native serverless architectures, where visibility is low, the blast radius is high, and assumptions are often dangerous.
### Opening & context (2 mins)
- Quick introduction: Who this talk is for (devs, cloud architects, security engineers, security enthusiasts)
- Serverless ≠ Secure-by-default
- Shared Responsibility Model: What you still own!
### Understanding the Serverless Attack Surface (5 mins)
- How event-driven & ephemeral environments change the game
- Key risk areas:
  - Misconfigured IAM roles
  - Insecure event triggers
  - Unvetted/unverified third-party dependencies and their associated vulnerabilities
- Contrast with traditional app security models
### Real-World Exploitable Scenarios (10 mins)
Example 1: Overly Permissive IAM Roles
- Wildcard actions such as s3:* and iam:* as an attacker escalation path
- Use AWS Access Analyzer to spot problems
- Principle of least privilege in practice
Example 2: Event Injection via API Gateway
- Malicious payload through Lambda trigger
- Dangers of implicit trust, no validation
- Defense: pydantic library, strict content types, etc.
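As an added illustration of the Example 2 defenses (not code from the talk), a Lambda handler for an API Gateway proxy event that uses only the standard library in place of pydantic: it enforces a strict content type, accepts only JSON object bodies, and validates against an allow-list schema that rejects unknown fields and wrong types. The event shape, field names and schema are constructed for the example.

```python
import json

ALLOWED_CONTENT_TYPE = "application/json"
# Constructed allow-list schema: exactly these keys, with these types.
SCHEMA = {"order_id": str, "quantity": int}


def _response(status: int, body: dict) -> dict:
    """Minimal API Gateway proxy-integration response."""
    return {"statusCode": status, "body": json.dumps(body)}


def validate_event(event: dict) -> dict:
    """Return the validated payload from an API Gateway proxy event, or raise ValueError."""
    # Header names are case-insensitive; API Gateway may pass them either way.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != ALLOWED_CONTENT_TYPE:
        raise ValueError(f"unsupported content type: {ctype!r}")
    if event.get("isBase64Encoded"):
        raise ValueError("binary bodies are not accepted")
    try:
        payload = json.loads(event.get("body") or "")
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed JSON: {exc.msg}") from None
    if not isinstance(payload, dict):
        raise ValueError("body must be a JSON object")
    unknown = sorted(set(payload) - set(SCHEMA))
    if unknown:
        raise ValueError(f"unexpected fields: {unknown}")
    for key, typ in SCHEMA.items():
        if key not in payload:
            raise ValueError(f"missing field: {key}")
        val = payload[key]
        # bool is a subclass of int in Python; do not let true/false pass as a count.
        if (typ is int and isinstance(val, bool)) or not isinstance(val, typ):
            raise ValueError(f"field {key} has wrong type")
    if payload["quantity"] <= 0:
        raise ValueError("quantity must be positive")
    return payload


def handler(event: dict, context=None) -> dict:
    """Lambda entry point: reject anything that fails validation before doing work."""
    try:
        payload = validate_event(event)
    except ValueError as exc:
        return _response(400, {"error": str(exc)})
    return _response(200, {"accepted": payload})
```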
Example 3: Vulnerable Dependencies
- Popular Python package → known CVE
- Use SCA/SBOM tools, dependency pinning, and scanning
### Case Study: Securing AI Workflows with Serverless (5 mins)
- Real example: securing a serverless AI data pipeline
- How trust boundaries, event validation, and IAM separation protected data and models
- Lessons learned that apply broadly
### Closing & Key Takeaways (3 mins)
- Serverless accelerates delivery, but increases blast radius if misconfigured
- Trust boundaries matter - validate inputs, isolate events
- Least privilege, observability, and guardrails are your safety net
- Final message: You lost the server, not the responsibility.
Nimish Sharma
Lead Security Engineer
Austin, Texas, United States