A penetration test looks at the residual risk and vulnerabilities present in an application or system that could be exploited by an attacker with malicious intent. It involves a simulated attack on the system by a tester who explores its various attack surfaces. At the simplest level, penetration testing involves three phases. The first phase is preparation, where a formal contract is executed with the client; here the roles and responsibilities, as well as the scope of testing, are defined.
In cloud computing it is especially important to determine the scope of the pen test appropriately. Since resources such as IP addresses change within the environment, penetration testers should take care not to accidentally test resources that are not owned by the client, which would also violate the provider's terms of service. The IP addresses in scope for the pen test should therefore be fixed close to the date of the test, so that dynamic changes in IP addresses do not create issues.
For an application moving to the cloud, the scope typically depends on the type of cloud service used. If the client (cloud user) is using an IaaS service, a thorough pen test must look for vulnerabilities in the virtual machines, the solution stack, the application layer and the APIs. If it is Platform as a Service, a typical pen test covers the application and API layers. SaaS vendors typically do not allow third-party pen testing unless it is explicitly permitted in the service level agreement.
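The scoping concern above (cloud IP addresses drifting between contract signing and test day) can be turned into a mechanical gate the tester runs before anything is touched. The following is an added example, not code from the original post; the hostnames, address ranges and DNS snapshots are constructed, and in a real engagement the resolver argument would be backed by live DNS lookups.

```python
"""Scope gate for a cloud pen test: re-resolve every contracted hostname at
test time and refuse any address outside the client's authorised ranges."""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed example data (documentation ranges, not a real engagement).
AUTHORISED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/25"),   # client's IPv4 allocation
    ipaddress.ip_network("2001:db8:1::/48"),  # client's IPv6 allocation
]

# Hostnames named in the contract, with the addresses they resolved to when
# the contract was signed and again on the day of the test (both constructed).
DNS_AT_CONTRACT: Dict[str, List[str]] = {
    "app.example.test": ["203.0.113.10"],
    "api.example.test": ["203.0.113.20", "2001:db8:1::20"],
}
DNS_AT_TEST: Dict[str, List[str]] = {
    "app.example.test": ["203.0.113.10"],
    "api.example.test": ["203.0.113.200"],  # re-provisioned outside the /25
}

Resolver = Callable[[str], List[str]]  # in practice: wrap socket.getaddrinfo


def check_scope(targets: List[str], networks, resolver: Resolver
                ) -> Dict[str, Tuple[bool, List[str]]]:
    """For each hostname, (in_scope, [addresses outside the client's ranges])."""
    report = {}
    for host in targets:
        out_of_scope = []
        for ip in resolver(host):
            addr = ipaddress.ip_address(ip)
            # 'in' is False across address families, so mixed lists are fine.
            if not any(addr in net for net in networks):
                out_of_scope.append(ip)
        report[host] = (not out_of_scope, out_of_scope)
    return report


def drifted(targets: List[str], before, after) -> List[str]:
    """Hostnames whose resolved addresses changed between two snapshots."""
    return sorted(h for h in targets if set(before.get(h, [])) != set(after.get(h, [])))


def in_scope_targets(targets: List[str], networks, resolver: Resolver) -> List[str]:
    """The subset of targets that may actually be tested today."""
    return [h for h, (ok, _) in check_scope(targets, networks, resolver).items() if ok]


if __name__ == "__main__":
    hosts = list(DNS_AT_CONTRACT)
    for host, (ok, bad) in check_scope(hosts, AUTHORISED_NETWORKS,
                                       lambda h: DNS_AT_TEST.get(h, [])).items():
        print(f"{host}: {'OK' if ok else 'EXCLUDE, outside client ranges: ' + ', '.join(bad)}")
    print("drifted since contract:", drifted(hosts, DNS_AT_CONTRACT, DNS_AT_TEST))
```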
The next phase is Execution. Here the penetration test is carried out, with the tester looking for potential vulnerabilities. Pen testing is a fairly prevalent practice for any application, not just those in the cloud. The Open Web Application Security Project (OWASP) recommends nine categories of pen testing. They are:
1. Testing of configuration management practices.
2. Testing to ensure that the business logic makes sense.
3. Testing authentication procedures and policies.
4. Testing who has authorization over various parts of the system.
5. Making sure that sessions are terminated appropriately after use.
6. Validating data integrity.
7. Checking for denial of service attacks.
8. Checking to ensure web services are secure.
9. Ajax testing.
These standard testing practices are necessary for applications developed for the cloud. However, they are not sufficient! Depending on the cloud deployment model, additional threat vectors may need to be introduced. For example, in an IaaS service model, owing to multi-tenancy at the infrastructure level, deficiencies in virtualization security such as improper VM zoning and segregation must be tested through inter-VM security and vulnerability testing.
The last phase of penetration testing is Delivery. Here the results of the evaluation are communicated to the tester's contact in the host organization and corrective actions are advised. It is important to maintain records of all previous pen tests and share them with the tester, so that the delta improvements in the company's security posture can be seen.