web-cloud-app-difference

This article talks about basic differences between web and cloud apps. It further explains what a pentester needs to think about, while performing vulnerability assessment and penetration testing of each of the app types.

The difference is simple really – Web based application (or webapp) is hosted on a set of servers which are not scalable. Whereas a cloud based application (or cloudapp) is hosted on commercial cloud such as Microsoft Azure, Amazon AWS or google cloud. To explain further in a twisted way ….

All cloudapps are webapps, but all webapps are not cloudapps.



Web Apps

Cloud Apps

Are not scalable in terms of CPU, Memory, Network, Storage

Are easily scalable. Scaling can be up or down depending on the usage

Hosted at one location (datacenter)

Can be hosted across multiple datacenters

Are accessed via browsers

Are accessed via browsers or mobile apps or custom applications (exe, jar, bin)

Cannot offer highest possible uptime

Can offer practically 100% uptime

Data cannot be stored redundantly

Data copied can be stored redundantly and very easily

Does not support multi-tenancy (at least very easily)

Multi-tenancy can be achieved very easily

Migration to different location is not possible, at least not without downtime

Migration to different location along with data, can happen transparent, without any downtime

Can be offered to users in an as-is condition, not as a SaaS or PaaS

Can be easily offered as a SaaS or PaaS solution

Very cumbersome to host as REST based API’s

REST API can be implemented easily due to the nature of application hosting

Needs additional systems to ensure security and monitoring

Commercials clouds come with multiple default services such as security and monitoring and more

Webapp and Cloudapp and Pentester

While performing VAPT or Pentest for webapp, a pentester followed OWASP Top-10 guidelines and find the security holes. If you see carefully, there are no clear TOP-10 guidelines for a cloud app. Below items are to be taken into account by a pentester.

  • Don’t treat cloud app as just a webapp. There are some specific vulnerabilities which are to be thought of extra.
  • Multi-tenancy related security checks are to be considered. In case of cloud app, one single url would be accessed by multiple customers of it, each customer being a different organization. Further, each of those organizations would have their own admin or regular user configured on that cloud app. Thus it becomes important for a pentester to see if one organization’s data could be inadvertently leaked to another organization. This is indeed a scary situation from data confidentiality and integrity perspective, and hence needs to be addressed in pentesting the cloudapp.
  • Hosting firewall and server hardening needs to be considered. Usually organizations take for granted, that if they are on cloud then they are secure. In reality its not true. This is because, no server in any hosting facility (cloud or otherwise), be secure by default. The same goes with firewall. Hence it becomes critical that both of these components should be tested for possible vulnerabilities.
  • There are multiple other checks that a pentester needs to take into account while performing pentest for a cloud app. A cloud app may be using built-in facilities of the commercial cloud service providers such as elastic search, cloud blobs, AWS buckets, Azure Vault, security center, security monitoring etc. These services are provided by cloud service providers, who are commercial giant and proficient in their technology. However when the application developers user these facilities via their code, it can open up a vulnerability.

As a summary – a pentester can treat a cloud app like just another web app and follow the OWASP Top-10 standard checklist. However its important to remember that there are other areas to be tested too, to reach the total security.