Most applications these days run in the cloud. Cloud computing is ubiquitous, with many service providers in the market, because it brings benefits such as cost reduction, managed software updates, remote access, disaster recovery and much more. But many organizations are under the impression that security is the service provider's job. I agree up to a point, but at the same time we are also responsible for the security of the applications we put in the cloud. Penetration testing of your own cloud-hosted application has to be done meticulously.
There is a process to start with, and there are quite a few factors to consider before performing penetration testing on a cloud network. Before that, you need to know the cloud service models:
Software as a Service (SaaS)
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
SaaS (Software as a service)
In this model, the client is given access to application services that are already installed on the provider's servers. Since the software is already built, the client does not need to worry about installation, coding or patching, and can access it from a browser without downloading or installing anything. Everything is provided by the cloud service provider; the only thing the client does is pay for usage. For example, Hotmail and Gmail are considered SaaS: you do not own the application, you use a service provided by Google or Microsoft.
IaaS (Infrastructure as a service)
In this model, the client is provided with the infrastructure it needs, such as VMs, WAFs, load balancers and VLANs. It is more like building your own software infrastructure out of resources supplied by the cloud service provider, which helps with cost reduction and maintenance; the client pays only for the resources it uses. IaaS clients have more control over their infrastructure than PaaS or SaaS clients, but this requires a lot of technical knowledge. There are quite a few IaaS providers; Amazon Web Services, Microsoft Azure and Rackspace are the most popular.
PaaS (Platform as a service)
In this model, the client is provided with a platform on which software can be developed and deployed with ease. The platform includes the operating system, a preinstalled database and web server, and the hardware and network infrastructure, all taken care of by the service provider, so the client only needs to think about the business and development. This is why many organizations prefer PaaS, to avoid investing in hardware. The client pays only for the platform and the resources it has picked. Again, Microsoft Azure is the most popular and widely used.
I hope you now have a good understanding of the SaaS, PaaS and IaaS models. Apart from these models, you need to know what public and private cloud hosting are. I will keep it simple, but make a note of it, because this is where security comes into the picture.
In public cloud hosting, the service provider uses the internet to make resources available to the public, and you pay for what you use. It is inexpensive because hardware and bandwidth costs are covered by the provider. The biggest disadvantage is that your server is hosted in a different country, governed by different security policies. In private cloud hosting, the service provider assures the security of your resources, and your web server can sit behind firewall protection. Compared to the public cloud, the private cloud is more secure, but it is expensive.
You may wonder, the title of this article is misleading. Why do you need to know all these penetration testing of your own application. You may end up somewhere if you just Pen-test your cloud based application without any approval of cloud service providers. Moreover they would consider this as Hacking. Since when you’re testing, you may send too many requests to the server which could be considered as Denial of service attack. That’s the reason you need an acknowledgement from service providers to initiate pentesting.
To test the applications in IaaS/PaaS models, you should know what are the other applications and technology running in your own cloud and also you need to get an access to all your servers & hosts including databases to perform internal penetration testing(when you’re in the network). Then you can start with authenticated scanning, testing authentication etc… The main reason behind this testing would be, you need to know what an intruder can do when he’s already inside the network. That’s how you can analyze how secure you’re. You can not perform external(outside the network) penetration testing unless you get an approval from providers. Even though it’s not effective since many service providers use Firewalls, WAF, Honeypots, IDS, IPS to prevent scanning, Denial of service and other attacks.
In general, cloud service providers assure security of network, infrastructure but not the security of your application. So we can Pen-test our applications to find the client-side vulnerabilities. You may cover OWASP top 10 web vulnerabilities. Before that there’re few cornerstones which need to consider.
Design a Penetration Testing Plan
You should have an SLA (service level agreement). This varies from model to model, which is why we need to know the different service models described above. Define what is in scope: which applications and databases are involved in this testing. If you are using the IaaS or PaaS model, you may also need to audit the architecture design, patch management documents and policies. Define how the features will be tested, which tools will be employed and which methodology will be followed for the penetration test. It is our responsibility to state, through this SLA, who is responsible for what.
Read policies & get an approval for pentesting from the service provider
The most popular CSPs are Microsoft Azure and AWS, and each has its own policy. You need to send a request through their portal stating the tools you will be using, the features to be tested, and so on.
Microsoft Azure: https://security-forms.azure.com/penetration-testing/terms
Make sure you work with your service provider and follow their recommendations when you perform pen testing. Most will have a process to follow that yields the best results from your effort.
Tools to employ
We must choose the right tools for testing, and state which automated tools were employed, such as Burp Suite, ZAP and so on. You need a clear, documented picture of how you are going to start testing and which commands you issued during testing. Taking screenshots is a best practice, both for reporting and for your own documentation. Never use tools that simulate an actual attack such as DoS. There are a few standard tests you can perform: the Open Web Application Security Project (OWASP) Top 10 vulnerabilities, mainly SQL injection; fuzz testing of your endpoints; and port scanning of your endpoints.
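Two of the cornerstones above, an SLA that defines what is in scope and the warning that a flood of test requests can be mistaken for a denial of service, can be enforced before any tool is pointed at a target. The following guard is an added example and not code from the original post; the approved network, hostnames and request ceiling are constructed placeholders standing in for whatever your SLA and the provider's approval actually list.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed scope, standing in for what the SLA and the provider approval
# would list: one internal network and two application hosts (all assumed).
APPROVED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
APPROVED_HOSTS = {"app.example.test", "db.example.test"}


@dataclass
class ScopeGuard:
    """Gate every test request: reject out-of-scope targets and cap the
    request rate so the traffic cannot be mistaken for a denial of service."""
    networks: List[ipaddress.IPv4Network]
    hosts: Set[str]
    max_rps: float = 5.0  # assumed ceiling agreed with the provider
    _allowance: float = field(default=0.0, init=False)
    _last: Optional[float] = field(default=None, init=False)

    def in_scope(self, target: str) -> bool:
        """IP targets must fall inside an approved network; names must be listed."""
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            return target.strip().lower() in self.hosts
        return any(ip in net for net in self.networks)

    def allow_request(self, now: float) -> bool:
        """Token bucket: True if a request may be sent at time `now` (seconds)."""
        if self._last is None:  # first call: allow an initial burst of max_rps
            self._last, self._allowance = now, self.max_rps
        refill = (now - self._last) * self.max_rps
        self._allowance = min(self.max_rps, self._allowance + refill)
        self._last = now
        if self._allowance < 1.0:
            return False
        self._allowance -= 1.0
        return True


def audit_targets(guard: ScopeGuard, targets: List[str]) -> dict:
    """Map each proposed target to 'in scope' or 'OUT OF SCOPE' before any tool runs."""
    return {t: ("in scope" if guard.in_scope(t) else "OUT OF SCOPE") for t in targets}


if __name__ == "__main__":
    guard = ScopeGuard(APPROVED_NETWORKS, APPROVED_HOSTS, max_rps=2.0)
    verdicts = audit_targets(guard, ["10.20.5.7", "10.30.0.1", "app.example.test"])
    for target, verdict in verdicts.items():
        print(f"{target:20} {verdict}")
```

Wrap the scanner's request loop with `allow_request` (sleeping when it returns False) and refuse to start on any target that `audit_targets` marks out of scope, so the test stays inside what the provider approved.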
Once you are done with testing, document all your findings with screenshots and how you encountered them. The technical report should describe in detail the scope, the information gathered, the attack path, the impact and the recommendations from the test, which helps your dev team fix the vulnerabilities, whereas the executive summary should state the risk ranking. That is what I think about reporting; anyway, it varies from org to org.
If you think I have missed anything, please post a comment below. If I am wrong, I am happy to be corrected.
To avoid copyright issues, I am adding the link to the original article on my blog: https://seleniumbycharan.wordpress.com/2016/12/04/cloud-based-applications-penetration-testing/