About 60% of the world's cloud infrastructure is shared between AWS, Azure, and GCP. More and more organizations are moving their infrastructure to the cloud with the promise of scalability, robustness, higher resource bandwidth for far less, ease of use, and security.
With this shift, there is an ever-increasing demand for cloud security professionals to be able to securely design, implement, defend, attack, and repair cloud configurations and services. A lot of enterprises operate entirely on the cloud and with everyone learning to work remotely, there are additional challenges that come into play when dealing with security.
The current state of the industry creates a need for security testers, Cloud/IT admins, and people tasked with the role of DevSecOps to learn - how to effectively attack and test their cloud infrastructure before the bad guys. Security vendors need to hire folks who specialize in conducting cloud penetration tests and configuration reviews all the while expanding in scope and services.
In this Post Pandemic version of tools and techniques-based training, we will cover attack approaches, create your attack arsenal in the cloud, and distilled deep dive into AWS and Google Cloud services and concepts that should be used for security. Attacks on the Azure cloud will be mentioned when similar attack scenarios are being covered for AWS and Google Cloud.
The training covers a multitude of scenarios taken from our vulnerability assessment, penetration testing, and OSINT engagements which take the student through the journey of discovery, identification, and exploitation of security weaknesses, misconfiguration, and poor programming practices that can lead to complete compromise of the cloud infrastructure.
The training is meant to be hands-on training with guided walkthroughs, scenario-based attacks, and coverage of tools that can be used for attacking and auditing. Due to the attack, and focused nature of the training, we will not be spending a lot of time on security architecture, defense-in-depth, etc. While mitigations will be covered, we will point out the relevant security documentation provided by the cloud provider for further self-study.
We expect the trainees to bring their own AWS and Google Cloud account for the training. We will be providing detailed instructions on how to ensure that you are ready to tackle the class before you arrive for it.
Training level: Intermediate
Day 1 (Cloud Compute, Serverless, Load Balancers, and Kubernetes)
Day 2 (Cloud Storage, Cloud Databases, and IAM)
Day 3 (OSINT, Cloud Networking, Security tools, CTF)
Riyaz Walikar loves to break things for fun and profit. He is the Chief Hacker and Co-Founder at Kloudle, a company built to make the lives of the heroes who implement and maintain Cloud services and SaaS easier. He has over a decade of experience in offensive security, hacking his way into web applications, mobile apps, wireless networks, thick clients and cloud, and container-based infrastructure. Riyaz also is a closet standup comic and loves teaching security which he does through various online blogs and publications, in-person and online training programs, community talks, conference presentations, and beer sessions.
Rohit is a Cloud security team lead with Appsecco. He has a strong passion for information security and has 7 years of experience in the field. His areas of expertise are Application Security, Infrastructure security, Reconnaissance, and Cloud security. He has led penetration testing engagements in many countries and performed numerous onsite engagements. He is an active member of the null open security community.