Welcome to the repo of my conference talks. I am a pentester and independent cloud security researcher. This repository includes presentations from various conferences where I have spoken on security & cloud security topics.
June 17th, 2024
Summary: Cloud penetration testing has evolved significantly, providing ample learning resources, from attack technique encyclopedias to numerous security blogs. However, a critical gap remains in teaching new cloud pentesters how to integrate this wealth of knowledge effectively.
This talk addresses the critical gaps in existing AWS pentest methodologies and introduces my practical approach developed to navigate these challenges effectively. I'll also discuss the limitations of a methodology made by one person and the critical role of open source-driven methodologies in shaping industry standards.
Key Takeaways:
- The necessity of a community-accepted AWS pentest methodology.
- An invitation to other AWS pentesters to help build off my methodology, create a methodology we can agree on, and then find a suitable place to host it.
Inspiration: The talk was inspired by the existing gaps in penetration testers' free learning materials and a rise in "AWS Pentesting Trainings" which were behind paywalls. There was a need for a free comprehensive methodology that covers multiple accounts and AWS organizations. I initially planned to present a talk about my work at fwd:cloudsec NA 2023 but missed the CFP window. Instead, I released it as a blog post which became quite popular.
After feedback from other pentesters trickled in, I realized that the entire industry was lacking a consistent methodology and that a simple Medium blog post wouldn't be enough to move the industry needle. We needed a grass-roots project to develop a methodology together that had practitioner consensus... and I could be the person to get that started.
Tools and Methodologies: While the presentation highlights various tools, the focus remains tool-agnostic, emphasizing the problem spaces those tools address so that the material remains relevant in the future.
- Recording: Open-sourcing AWS Pentest Methodology - fwd:cloudsec NA 2024
- Slides: Open-sourcing AWS Pentest Methodology - fwd:cloudsec NA 2024
For questions or feedback about the presentations, feel free to reach out via:
- The Cloud Security Forum Slack
- @MorattiSec on X (Twitter)
- @MorattiSec on Mastodon
If you would like me to speak at a conference please also contact me through one of the above methods. Please be advised that my availability to speak will also be based on conference location.