Speaker

Tal Melamed

Head of Cloud Native Security Research, Contrast Security

Florence, Italy

With more than 15 years' experience in Application and Serverless Security, Tal recently co-founded CloudEssence, a cloud-native Application Security company that was acquired by Contrast Security in 2020, where he now leads the new innovation centre in Israel. Prior to CloudEssence, Tal headed security research at Protego Labs, a Serverless security startup that was acquired by Check Point. Following his motto, "security through education", Tal trains hundreds of developers and security teams around the world while also serving as an AWS Community Builder, an open-source project leader and a professor in the cybersecurity master's program at Quinnipiac University.

Area of Expertise

  • Information & Communications Technology

Topics

  • Serverless
  • DevSecOps
  • AppSec
  • Application Security
  • Cloud Security
  • AWS Security
  • Serverless Security
  • Serverless computing
  • Cloud Native Security

Automatic serverless security testing: Delivering secure apps continuously

Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a cloud disaster.

How can developers ensure that their code is secure enough? They can scan for common vulnerabilities and exposures (CVEs) in open-source code. They can even scan their Infrastructure-as-Code (IaC) tool to identify insecure configurations. But what about custom code? At many organizations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code contains a mixture of cloud configurations and application programming interface (API) calls. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times.

Fortunately, it does not have to be this way. Organizations can leverage robust security during serverless development, automatically—if it is done properly. In this talk, we will discuss common risks in serverless environments. We will then cover existing testing methodologies and why they do not work well for serverless. Finally, we will present a new, completely frictionless way of testing serverless applications automatically—with no scripts, no tests, and no delays.

Automatic serverless security testing: Delivering secure apps continuously

Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a security disaster.

How can developers ensure that their code is secure enough? They can scan for common vulnerabilities and exposures (CVEs) in open-source code. They can even scan their Infrastructure-as-Code (IaC) tool to identify insecure configurations. But what about custom code? At many organizations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code contains a mixture of cloud configurations and application programming interface (API) calls. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times.

Fortunately, it does not have to be this way. Organizations can leverage robust security during serverless development, automatically—if it is done properly. In this talk, we will discuss common risks in serverless environments. We will then cover existing testing methodologies and why they do not work well for serverless. Finally, we will present a new, completely frictionless way of testing serverless applications automatically—with no scripts, no tests, and no delays.

Automated serverless security testing: Delivering secure apps continuously

Serverless technology is used by more and more organizations that have moved to the cloud because it enables them to concentrate on their business without the need to provision servers or have predefined budgets. This frees up developers to concentrate on building logic and producing value quickly. But even without provisioning servers, cloud functions still execute code.

Serverless code contains a mixture of cloud configurations and application programming interface (API) calls. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times. How can developers ensure that their code is secure enough? In many organizations, the application security team struggles to keep up with the speed of development in a serverless environment.

In this talk, we will shed light on common risks in serverless environments and how we can fill the security gaps, at the speed of DevSecOps.
