Speaker

Shivam Dhar

Vice President - Lead Security Engineer @JPMorganChase

Plano, Texas, United States

With nearly a decade of experience across sectors such as e-commerce, healthcare, gaming, open source, and cybersecurity, in both large enterprises and agile startups, Shivam brings a creative, solutions-driven approach to complex challenges. Committed to community engagement, he actively mentors early-career cybersecurity professionals, judges prestigious tech awards, peer-reviews academic research, and contributes to tech-for-good initiatives with nonprofit organizations. He currently leads cloud security efforts at JPMorganChase, driving robust solutions that support the firm's ongoing growth.

Area of Expertise

  • Finance & Banking

Topics

  • Software Developer
  • Software Engineering
  • cybersecurity
  • Cloud Security
  • Cloud Security Posture Management
  • Microservice Architecture
  • Software Architecture
  • Product Development Life Cycle
  • AWS Serverless
  • Amazon Web Services
  • Data Science & AI
  • Machine Learning
  • Volunteering
  • Interviewing
  • Resume Building

The Serverless Mirage: Navigating Risks in an Invisible Infrastructure

Behind the abstraction lies a misconception: that serverless means "less" responsibility. Spoiler alert - it doesn't! Fast and adaptable, serverless is also dangerously easy to misconfigure. In highly dynamic, event-driven cloud environments, sporadic, fine-grained service integrations introduce unique attack surfaces that traditional security models fail to address.

This technical session dives deep into the tactics, techniques, and procedures (TTPs) adversaries use to exploit serverless applications through new attack vectors, including vulnerable libraries, leaked secrets, wildcard IAM roles, and insecure triggers. It emphasizes actionable, tried-and-true methods over theory, equipping practitioners with the skills to defend modern serverless stacks while maintaining operational velocity.

Key takeaways include a clear understanding of how serverless risks differ from traditional application threats, especially around ephemeral execution, implicit trust boundaries, and event-driven attack vectors. Executives and architects will also learn how these boundaries can be inadvertently crossed, exposing data or escalating privileges.

Stay Afloat in the Cloud: Navigating the Serverless Surf

Behind the abstraction lies a misconception: that serverless means "less" responsibility. Spoiler alert - it doesn't! Fast and adaptable, serverless is also dangerously easy to misconfigure. In highly dynamic, event-driven cloud environments, sporadic, fine-grained service integrations introduce unique attack surfaces that traditional security models fail to address.

This technical session dives deep into the tactics, techniques, and procedures (TTPs) adversaries use to exploit serverless applications through new attack vectors, including vulnerable libraries, leaked secrets, wildcard IAM roles, and insecure triggers. It emphasizes actionable, tried-and-true methods over theory, equipping practitioners with the skills to defend modern serverless stacks while maintaining operational velocity.

This talk is designed for professionals building and securing cloud-native, serverless architectures, where visibility is limited, the blast radius is significant, and assumptions can be risky. We introduce LynxLab (https://github.com/Shivamdhar/LynxLab), an open-source home lab framework we developed to simulate realistic attack and defense scenarios in serverless environments, enabling practitioners to better understand and mitigate evolving cloud security threats.

Kraken in the Clouds: A Hands-on FaaS Defense Workshop

While serverless abstracts the underlying infrastructure, it doesn't reduce responsibility. In highly dynamic, event-driven cloud environments, security teams face fast-moving threats that traditional models weren't designed to handle. Misconfigurations, fuzzy trust boundaries, and insecure integrations create new attack surfaces, including vulnerable libraries, leaked secrets, wildcard IAM roles, and misconfigured triggers.

In this immersive 2-hour workshop, participants will build a cloud lab from serverless components to design and secure an end-to-end AI pipeline with LynxLab. Teams will tackle gamified, challenge-based scenarios, identifying the vulnerability in each Git branch, mapping it to STRIDE and OWASP serverless categories, and exploring real-world attack paths.

This session emphasizes practical skills over theory. Attendees will learn how ephemeral execution, event-driven chains, and implicit trust boundaries can be exploited, and leave with actionable patterns, checklists, and defensive strategies to secure modern serverless applications without slowing delivery.

## Module 1 | Building Your Home Cloud Lab (LynxLab Setup): 40 mins

Objective: Equip participants with a fully functional cloud-based environment to safely explore serverless attacks and defenses.

Topics Covered:
- Quick primer: why serverless ≠ “less responsibility”
- Overview of LynxLab architecture (serverless components, event triggers, IAM wiring)
- Guided installation and configuration

Hands-On Deliverables:
- Fully deployed personal cloud lab

## Module 2 | Gamified Challenges - Hunt the Vulnerability in LynxLab: 30 mins

Objective: Engage teams in interactive, challenge-based discovery of common serverless weaknesses.

Format: Participants are split into teams. Each Git branch represents a distinct misconfiguration or vulnerability pattern. Teams must identify, validate, and document the issue.

Gamification: Points are awarded for each vulnerability identified, and a real-time dashboard displays every team's score.

Hands-On Deliverables:
- Documented findings per challenge

## Module 3 | Deep Dive - Attack & Defense Breakdown (STRIDE + OWASP Serverless Top 10): 30 mins

Objective: Walk through each challenge in detail, explaining real-world exploitation paths and corresponding defensive strategies.

Discussion Framework:
Each challenge is analyzed through:
- Tactics, Techniques, Procedures (TTPs) used by adversaries
- STRIDE categories (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege)
- Relevant OWASP Top 10 categories (e.g., Serverless A6: Function Permission Misuse, A3: Event Injection)

Deep-Dive Examples:
- Privilege escalation via wildcard IAM → Elevation of Privilege / STRIDE
- Secret leakage in environment variables → Information Disclosure
- Insecure event trigger chaining → Event Injection / Tampering

Defense Patterns:
- IAM least privilege scaffolding
- Event schema validation
- Secret rotation & parameter store usage
- Secure dependency management practices

Hands-On Deliverables:
- Completed attack/defense matrix
- Mapped security controls to each misconfiguration
- Templates and best-practice patterns to reapply at work

## Module 4 | Key Takeaways & Ship-to-Monday Insights: 20 mins

Objective: Synthesize lessons learned into actionable guidance for practitioners, architects, and leaders.

Topics:
- How serverless risks fundamentally differ from traditional application models
- Why ephemeral compute = persistent security concerns
- Understanding invisible trust boundaries and event-driven exploit chains
- Common pitfalls executives and architects overlook
- Operationalizing secure serverless pipelines without slowing delivery

Takeaway Materials:
- Serverless attack/defense cheat sheet
- STRIDE + OWASP serverless mapping guide
- Secure serverless deployment checklist

Breaking Silos, not Systems: Dissecting the Cloud Beast

While serverless abstracts the underlying infrastructure, it doesn't reduce responsibility. In highly dynamic, event-driven cloud environments, security teams face fast-moving threats that traditional models weren't designed to handle. Misconfigurations, fuzzy trust boundaries, and insecure integrations create new attack surfaces, including vulnerable libraries, leaked secrets, wildcard IAM roles, and misconfigured triggers.

In this immersive 4-hour workshop, participants will build a cloud lab from serverless components to design and secure an end-to-end AI pipeline with LynxLab. Teams will tackle gamified, challenge-based scenarios, identifying the vulnerability in each Git branch, mapping it to STRIDE and OWASP serverless categories, and exploring real-world attack paths.

This session emphasizes practical skills over theory. Attendees will learn how ephemeral execution, event-driven chains, and implicit trust boundaries can be exploited, and leave with actionable patterns, checklists, and defensive strategies to secure modern serverless applications without slowing delivery.

Workshop outline (4 hrs):

## Module 1 | Building Your Home Cloud Lab (LynxLab Setup): 60 mins

Objective: Equip participants with a fully functional cloud-based environment to safely explore serverless attacks and defenses.

Topics Covered:
- Quick primer: why serverless ≠ “less responsibility”
- Overview of LynxLab architecture (serverless components, event triggers, IAM wiring)
- Guided installation and configuration

Hands-On Deliverables:
- Fully deployed personal cloud lab

## Module 2 | Gamified Challenges - Hunt the Vulnerability in LynxLab: 75 mins

Objective: Engage teams in interactive, challenge-based discovery of common serverless weaknesses.

Format: Participants are split into teams. Each Git branch represents a distinct misconfiguration or vulnerability pattern. Teams must identify, validate, and document the issue.

Gamification: Points are awarded for each vulnerability identified, and a real-time dashboard displays every team's score.

Hands-On Deliverables:
- Documented findings per challenge

## Module 3 | Deep Dive - Attack & Defense Breakdown (STRIDE + OWASP Serverless Top 10): 75 mins

Objective: Walk through each challenge in detail, explaining real-world exploitation paths and corresponding defensive strategies.

Discussion Framework:
Each challenge is analyzed through:
- Tactics, Techniques, Procedures (TTPs) used by adversaries
- STRIDE categories (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege)
- Relevant OWASP Top 10 categories (e.g., Serverless A6: Function Permission Misuse, A3: Event Injection)

Deep-Dive Examples:
- Privilege escalation via wildcard IAM → Elevation of Privilege / STRIDE
- Secret leakage in environment variables → Information Disclosure
- Insecure event trigger chaining → Event Injection / Tampering

Defense Patterns:
- IAM least privilege scaffolding
- Event schema validation
- Secret rotation & parameter store usage
- Secure dependency management practices

Hands-On Deliverables:
- Completed attack/defense matrix
- Mapped security controls to each misconfiguration
- Templates and best-practice patterns to reapply at work

## Module 4 | Key Takeaways & Ship-to-Monday Insights: 30 mins

Objective: Synthesize lessons learned into actionable guidance for practitioners, architects, and leaders.

Topics:
- How serverless risks fundamentally differ from traditional application models
- Why ephemeral compute = persistent security concerns
- Understanding invisible trust boundaries and event-driven exploit chains
- Common pitfalls executives and architects overlook
- Operationalizing secure serverless pipelines without slowing delivery

Takeaway Materials:
- Serverless attack/defense cheat sheet
- STRIDE + OWASP serverless mapping guide
- Secure serverless deployment checklist

Serverless is not a silver bullet - You lose servers, not responsibility!

Behind the abstraction lies a misconception: that serverless means "less" responsibility. Spoiler alert - it doesn't! Fast and adaptable, serverless is also dangerously easy to misconfigure. In highly dynamic, event-driven cloud environments, sporadic, fine-grained service integrations introduce unique attack surfaces that traditional security models fail to address.

This technical session dives deep into the tactics, techniques, and procedures (TTPs) adversaries use to exploit serverless applications through new attack vectors, including vulnerable libraries, leaked secrets, wildcard IAM roles, and insecure triggers. It emphasizes actionable, tried-and-true methods over theory, equipping practitioners with the skills to defend modern serverless stacks while maintaining operational velocity.

Key takeaways include a clear understanding of how serverless risks differ from traditional application threats, especially around ephemeral execution, implicit trust boundaries, and event-driven attack vectors. Executives and architects will also learn how these boundaries can be inadvertently crossed, exposing data or escalating privileges.

Guardians of the Cloud: From Stealth to Security at Scale

The rapid scaling of cloud environments creates increasingly complex and urgent security challenges for organizations. This session offers a tactical blueprint for security leaders to move from reactive defense to proactive cloud security at scale. Attendees will gain actionable insights on implementing secure design patterns, avoiding costly pitfalls, and embedding security into the core of cloud architecture. Emphasizing the power of cross-functional alignment, the session explores how shared frameworks and clearly defined objectives can bridge gaps between teams. Given that misconfigurations are responsible for over 60% of cloud breaches, the discussion will underscore the importance of continuous monitoring and robust policy enforcement. Finally, the session will examine why well-defined roles and responsibilities, spanning internal teams and cloud providers, are required to drive accountability, operational clarity, and long-term resiliency in cloud security efforts.

***********************************************

The session can run 20 to 35 minutes; the outline below follows the 20-minute plan:
1. Introduction & Objective Setting (2 minutes)
* Brief overview of public cloud adoption trends and security challenges
* Set session objectives: lifecycle view of secure cloud usage, key building blocks, and actionable best practices
2. Lifecycle of Cloud Service Integration (3 minutes)
* Steps to onboard a new cloud service into firm-wide inventory
* Importance of early threat modeling and risk assessment
* Visual: Lifecycle diagram showing service onboarding to deployment
3. Implementing Core Security Controls (4 minutes)
* Overview of preventative, detective, and remediative controls
* Touchpoints on CSPM (Cloud Security Posture Management), CDR (Cloud Detection & Response), etc.
* Controls required before a service can be used (e.g., IAM, encryption, network boundaries)
* Visual: Control matrix across phases
4. Building Continuous Risk Reporting Pipelines (3 minutes)
* Designing pipelines for automated checks and risk scoring
* Tools and integrations for ongoing monitoring
* Visual: Architecture of a risk reporting pipeline
5. Cloud Governance & Stakeholder Responsibilities (4 minutes)
* Key governance principles: ownership, oversight, accountability
* Roles of Security, DevOps, Compliance, Product Teams, and Cloud Providers
* Visual: RACI matrix or stakeholder map
* Common challenges: role confusion, communication gaps
6. Compliance & Regulatory Integration (2 minutes)
* Building in regulatory procedures (e.g., audit readiness, logs, data sovereignty)
* Ensuring controls meet internal and external compliance standards
* Brief mention of frameworks (e.g., NIST, ISO 27001)
7. Secure Distribution & Usage of Cloud Services (1 minute)
* Best practices for distributing firm-approved cloud services
* Importance of using sanctioned channels and standard images/templates
8. Final Takeaways & Best Practices (1 minute)
* Recap of key best practices and pitfalls to avoid
* Encourage the audience to assess their cloud governance maturity
