Cloud Application Pen Testing

Cloud Application Pentesting

With the growth of cloud computing, Penetration testing deployment is becoming bit difficult due to its shared responsibility model. Cloud computing brings concept of shared ownership to penetration testing. We will discuss here about the cloud, as well as provide tricks and tips for pen testing it.

Cloud using shared responsibility

Here are two terms that needs to be familiar with:

  • Provider :
  • The entity that built the cloud deployment, and is offering metered service to one or more tenants.

  • Tenant :
  • The entity that is contracting the metered service from the provider.

One thing needs to be checked when determining scope is whether the organization is a cloud provider or tenant. May be multiple clouds where the organization acts as a provider for one, and a tenant for others. Cloud is emerging technology because it’s provide solution for data storage, infrastructure and services on demand. As number of enterprises migrating to the Cloud are increasing, the chances of breaches threats and vulnerabilities increase day by day. Enterprises face unique challenges in protecting their resources over the various models of the Cloud. Most of the enterprises migrate to the Cloud by using following different models: IaaS, PaaS or SaaS.

Cloud Service Models

The service model defines which resources the provider needs to be taken care as well as which resources the tenant will be responsible for supplying:

Infrastructure as a Service (IaaS): Hardware and Network connectivity has been supplied by the provider. The tenant is responsible for the Virtual machine and everything that runs within it.

Platform as a Service (PaaS) : The provider supplies all the components required to run the application and the tenant supplies the application they wish to deploy.

Software as a Service (SaaS) : The provider supplies the application and all the components required to run it.

Service model directly impact the scope of testing. It is important whether the target system is running within an IaaS , PaaS or SaaS configuration.

Multi-tenancy and SaaS

A tenant is any application which can be either inside or outside the enterprise. They need their own secure and exclusive virtual computing environment. All tenants (interactive applications) have to be multi-user in nature.
Single Tenant Model – Each customer has a separate instance of the software which runs their own logically isolated hardware environment.

Multi-Tenant Model – All the customers share the common software instance and hardware infrastructure.

We can say that the heart of the better economics of the cloud is Multi-tenancy as it allows demand pooling. 
Why multi-tenancy is critical from security point of view. SaaS provides application on demand services such as software, email, and other business applications such as ERP, CRM, and SCM. The adoption of SaaS applications may raise some security concerns.

SaaS provides efficient use of the resources with limited scalability. Data of multiple tenants is likely to be stored in the same database, so the risk of data leakage between them is high. They should have Security policies to ensure that customer’s data are kept separate from other customers.

In SaaS, provider is the one responsible for everything related to data process, store and the security. In case of disaster, data backup is a critical aspect in order to recover in future. Sometimes cloud providers can also subcontract other services such as backup from third-party service providers, which may raise risk.

PaaS and IaaS clouds will permit pen testing. However, SaaS providers are not likely to allow customers to pen test their applications and infrastructure. For example if we are being contracted by a tenant, an IaaS service model would require the most testing but for the tenant used in SaaS based service model would be required little to no testing .In the worst case, there could even be an unintended information leak from another cloud customer.
Services provide to Cloud Application Penetration Testing.

Saas, IaaS and Paas Pentest

  • Internal Pen test & External Pen test
  • Multi tenant Cloud Security Solutions
  • Protection of Data
  • User Access Control Management
  • Cloud Visibility and Discrepancy Detections
  • On-Premise Solutions in Hybrid Cloud security testing
  • Cloud based Solutions in Hybrid Cloud security testing

Here we discussed how to approach cloud-based pen testing.

1: Understand the policies of the cloud provider
Public clouds have different policies related to pen testing. your pen test could take up so many resources that it affects the others on the cloud. Public clouds are multitenant and therefore must manage resources between tenants.

2: Create a pen-testing plan
To pen test cloud application it is necessary to create a pen-testing plan. It should include:

Specific Application: Identify and include user interfaces.

Network access: Check how well the application and data has been protected by the network.

Data access: Check how the data will be pen tested through the application to the database.

Virtualization: Identify how well your workload can be isolated by the virtual machines.

Automation: Identify the automated pen-testing tools

Compliance: Identify the laws and regulations you need to follow within the application or database.  

Approach: Identify the application admins to include or exclude in the pen testing.

3: Select your pen-testing tools
There are many cloud-based pen-testing tools that may be more cost-effective. Some times that can be the case when pen-testing tools can’t meet requirements of Application, so maintain Application will cost way more than if you leverage an existing tool.

4: Observe the Automated response
Automated responses should be documented. So that one can find any deficits in how the system and humans responded to the threat, and thus how well the system is secured.

5: Find and eliminate vulnerabilities
List of vulnerabilities that are discovered by the pen testing. It can be hundred issues or as few as two or three. If there are none, then your pen test may not be as effective as it should be. Some vulnerabilities found while pen testing cloud-based applications look something like this:

  • Virtual Machine not able to isolate the workload properly.
  • Virtual Private Network allows outside access if DNS is disabled.
  • Encryption not complaisant with new regulations

Many Other problems.
Of course, the types of issues varies, depending upon the type of application and type of pen testing you run.
Penetration Testing techniques in the Cloud

When performing cloud pen tests we need to coordinate with the Customer Service Provider(CSP) for scheduling and performing the test, each CSP has different processes and requirements related its scheduling. Many attacks in cloud cause an increase in resource consumption and system memory as cloud resources are usually hosted on multitenant platforms. Multitenant environment, this could negatively impact other customers’ resources, so most CSPs will explicitly cause any DoS attacks, other exploits or scans. CSP has much more control over their own tests.


This figure gives us a nice reference to quickly identify which cloud layers could be considered in scope for our penetration testing. Color shows which layers fall under the responsibility of the User, tenant or the provider.
As given in the above figure, PaaS or SaaS, the OS or VM resources are controlled by another entity, so they would be considered out of scope. The test strategy changes if the testing is to be done for the Cloud Service Provider or the Tenant.

Final pen-testing suggestions

Needs to make sure that there are different layers like Application, Network, Database, Storage system, etc., it should be tested separately, and issues should be reported separately. Also test them together to see how they interoperate and if there are issues there as well.

How to perform multi-tenancy checks in cloud app testing
Multi-tenancy pen test involve testing of security, data integration, performance, and scalability, among others.

  • Security and Privacy Testing : Being in a multi-tenant environment, SaaS applications need to ensure accessibility when multiple user use it simultaneously with different privileges. It also ensure that data of one tenant cannot be shared with another tenant. Sometimes security testing includes testing of cookies and SQL injections.
  • Performance testing
  • : Identify the most used parts of the applications and check their performance.

  • Integration and Migration : challenging task to test for integration of different component and at the same time data validation for maintaining data security and privacy.
  • Licensing : Licensing of SaaS applications varies on usage, functionality and number of concurrent users. Making sure that it should be valid.

We can say that Pen testing is very important for cloud Applications. It’s the only way to prove that your cloud-based applications and data are secure enough to allow the maximum amount of user access with the minimum amount of risk.