Cloud Penetration Testing
EthicalHat offers Cloud Penetration Testing services designed specifically for applications and databases running on (1) Amazon Web Services (AWS), (2) Google Cloud Platform (GCP) and (3) Microsoft Azure. Our cloud pen testing service addresses misconfiguration and incorrect implementation issues that may leave your cloud-hosted applications vulnerable to cyber attacks.
Moving to the cloud brings clear benefits: convenience, time and resources saved and, in some cases, stronger security. It also brings a new set of security concerns that differ from those of on-premises computing. Under the shared responsibility model, the provider secures the underlying infrastructure, while the configuration of identities, storage, network rules and the applications themselves remains the customer's responsibility, and that is where misconfiguration issues arise.
Our cloud security engineers understand this difference. We can help you secure your cloud-hosted apps against intrusion attempts by outsiders, and minimise the configuration errors by insiders that lead to data leaks.
Creating a pen test plan
Our security engineers start by drawing up a detailed test plan based on which cloud service provider (CSP) you use and which application(s) the pen test should cover. This involves a deep dive into the nature of your application, its data access and identity permissions, its network protection and its virtual machines, to arrive at the best approach for testing your app. We also make sure we adhere to your CSP's pen test policy at every step. Each of the three providers publishes such a policy: testing of your own deployed resources is permitted (in most cases without prior notification), while attacks against the provider's shared infrastructure or other tenants, and denial-of-service testing outside the provider's approved process, are not.
Implementing the plan
We use current pen testing tooling to conduct a thorough test covering the known vulnerability classes in every component of your app. All layers of your app (application, storage, database, network, and the identity and access configuration that ties them together) are tested and documented both separately and together, so that flaws are detected at each level and at the boundaries between levels. Our selection of cloud-based test automation tools covers apps hosted on all three major cloud platforms: AWS, Google Cloud and Azure.
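As an illustration of the kind of check run at the network and storage layers, here is a small Python example added to this page; it is not EthicalHat's own tooling. It evaluates exported AWS configuration offline: security group ingress rules that expose administrative or database ports to the whole internet, and S3 bucket policy statements granted to every principal. The sample security groups and bucket policy (group IDs, account ID, bucket name and VPC endpoint) are constructed for the example and mirror the JSON shapes returned by `aws ec2 describe-security-groups` and `aws s3api get-bucket-policy`; a live assessment would feed the output of those calls into the same logic.

```python
"""Offline checks for two common cloud misconfigurations (added example, not
EthicalHat's tooling). The constructed samples mirror the JSON returned by
`aws ec2 describe-security-groups` and `aws s3api get-bucket-policy`."""
import ipaddress

# Constructed sample: group IDs, CIDRs and ports are made up for illustration.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    # "-1" = all protocols; AWS omits FromPort/ToPort for such rules.
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Constructed sample policy: bucket, account ID and VPC endpoint are made up.
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-assets/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-assets", "arn:aws:s3:::example-app-assets/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-app-assets/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-app-assets/*"},
]}

# Ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}


def is_world_cidr(cidr):
    """True for 0.0.0.0/0 or ::/0: a prefix length of zero matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm):
    """Ports covered by one IpPermission; protocol "-1" means every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_open_sensitive_ports(security_groups):
    """(group_id, port, service) for every sensitive port an ingress rule
    exposes to the whole internet over tcp, udp or all protocols."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if perm["IpProtocol"] not in ("tcp", "udp", "-1"):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if any(is_world_cidr(c) for c in cidrs):
                lo, hi = port_range(perm)
                findings += [(sg["GroupId"], p, s) for p, s in sorted(SENSITIVE_PORTS.items())
                             if lo <= p <= hi]
    return findings


def principal_is_anyone(principal):
    """True when a statement applies to every principal: "*" or {"AWS": "*"}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)


def find_public_bucket_statements(policy):
    """Allow statements granted to everyone. No Condition -> "public"; a
    Condition (e.g. aws:SourceVpce) -> "review", since whether the grant is
    really public depends on the condition keys used."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # a lone statement may be a dict
    findings = []
    for stmt in stmts:
        if stmt.get("Effect") != "Allow" or not principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append({"sid": stmt.get("Sid", ""),
                         "severity": "review" if stmt.get("Condition") else "public",
                         "actions": tuple(actions)})
    return findings


if __name__ == "__main__":
    for gid, port, svc in find_open_sensitive_ports(SAMPLE_SECURITY_GROUPS):
        print(f"[network] {gid}: {svc} ({port}) reachable from the internet")
    for f in find_public_bucket_statements(SAMPLE_BUCKET_POLICY):
        print(f"[storage] {f['sid']}: {f['severity']} grant of {', '.join(f['actions'])}")
```

Running the file prints one line per finding. Two outcomes are worth noting. The all-protocols rule open to ::/0 on the database group flags every sensitive port at once, whereas the 3306 rule restricted to a private range is correctly left alone. On the storage side, the conditional grant is reported for review rather than as public: a Principal of "*" combined with a restrictive condition key such as aws:SourceVpce is not internet-reachable, while the same principal with only an aws:SecureTransport condition would be, so a human has to read the condition. Working from exported configuration keeps the check within every provider's pen test policy, since it touches only your own account's metadata.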
Analysing users’ and the platform’s automated response
Observing how users respond to a penetration test is among the most critical parts of the process. A pen test is most informative when the account admins and users are unaware of it, but there are situations in which users must be told about the test before it is conducted. In either case, the steps that affected users take to deal with the simulated attack show us exactly where the response falls short, and we use those observations to make the process more secure. Beyond the human response, the platform’s own automated response to an attack (alerting, automatic blocking, logging) may also have gaps, which can be corrected once the test has surfaced them.
Finding and fixing vulnerabilities
The next step is analysing the vulnerabilities detected during the test. The vulnerabilities we find vary with the application, the CSP and the type of test conducted. After analysing the flaws detected in the app, our test team prepares a document listing them in priority order, together with the measures needed to fix each one.
Preparing the test report
At the end of the process, we prepare a comprehensive report covering the gap between the actual and the expected response to the test, the vulnerabilities detected, and our analysis of and proposed solutions to the issues found. The report includes a clear action plan for making your cloud-hosted application(s) more secure.
Remediation testing
Once the vulnerabilities have been fixed and the test report delivered, we conduct a remediation test to verify that the fixes were effective. Our pen testing team checks that every issue scheduled for resolution has actually been fixed and has not been reintroduced, and updates the test report accordingly.