Process

We follow a systematic and yet agile approach to test website security. This helps our customers gain an extremly accurate and elaborate results along with a knowledge base and years of experience on the subject matter.

Cloud App Security Process

Before Testing Starts

  • Sign NDA

  • Freeze on scope

  • Study Cloud App Architecture

  • Study Cloud User Roles

  • Decide attack vectors and prioritize

  • Allocate single point of contact

After Testing

  • Analyse logs

  • Confirm results

  • Apply Knowledge

  • Apply Experience

  • Repeat Test if required

Testing Outcome

  • Detailed technical report

  • Executive summary

  • High level fixation solutions

  • Certificate of testing completion (optional)


What is cloud penetration testing?

Cloud Penetration Testing is an authorised derived cyber-attack against a system that is hosted on a Cloud provider, e.g. Amazon's AWS or Microsoft's Azure.

The main goal of a cloud penetration check is to seek out the weaknesses and strengths of a system, so its security posture may be accurately assessed.


Can you pentest AWS? How do you do AWS penetration testing?

WHAT PENETRATION TESTING CAN BE PERFORMED IN AWS? AWS permits security testing for User-Operated Services, which includes cloud offerings created and configured by the user. For example an example, a corporation can totally take a look at their AWS EC2 instance excluding techniques associated with disruption of business continuity like launching Denial of Service (DOS) attacks.

Pentests involving vendor Operated Services, that are those cloud offerings that are in hand and managed by a third-party vendors, are restricted to the implementation and configuration of the cloud setting and not the underlying infrastructure. For example, AWS services like Cloudfront and the API gateway configuration is also pentested however the hosting infrastructure is off limits. Elastic Cloud Computing (EC2) is an AWS service that is usually penetration tested. In an AWS EC2 instance, specific areas that enable penetration testing include:

  • Application Programming Interface (API) (e.g. HTTP/HTTPS)
  • Web and mobile applications that hosted by your organization
  • The application server and associated stack (e.g. programming languages such Python, React)
  • Virtual machines and operating systems.
These areas don't seem to be the bounds of what may be penetration tested, however are ordinarily enclosed throughout an AWS pentest.

WHAT CAN?T BE TESTED IN THE AWS CLOUD?
Many of AWS services are supported by the Software-as-a-Service (SaaS) model, which implies that the user doesn't own the environment and can't be pentested in the same means as in a traditional on-premise environment or Infrastructure-as-a-Service (IaaS) model. However, the configuration and identity of those SaaS services can be tested from a black box engagement or even through a security audit. Additional things that cannot be pentested within the AWS cloud due to legal and technological constraints:
  • Services or applications that belong to AWS (IE: SaaS offerings as previously addressed);
  • The physical hardware, underlying infrastructure, or facility that belong to AWS;
  • EC2 environments that belong to other organizations (such as partners or vendors)
  • Security appliances that are managed by other vendors without their permission;
  • Amazon?s small or micro Relational Database Service (RDS).

HOW DO AWS METHODOLOGIES DIFFER FROM TRADITIONAL PENTESTING?
Most of those variations refer back to the possession of the systems. Since Amazon owns the core infrastructure, the methodology invoked utilized in traditional ?ethical hacking? would violate the AWS acceptable use policies and possibility invoke incident response procedures by the AWS security team.

Pentesting AWS should instead target user-owned assets, determine and accesses management user permissions configuration, and use of the AWS API?s that are deeply integrated into the AWS scheme. For example, targeting and compromising AWS IAM Keys, Testing S3 bucket configuration and permission flaws, establishing access through Lambda backdoor functions, and covering tracks by obfuscating Cloudtrail logs. These ways for attack are specific to AWS Cloud and need specific knowledge and approach.

WHAT STEPS SHOULD I TAKE BEFORE THE PENTEST?

Performing a pentest among the cloud needs adequate coming up with and knowledgeable information. General steps and preparation that should be taken before the pentest begins include:
  • Defining the scope, including the AWS environment and target systems
  • Run your own preliminary
  • Determine the kind of pentest you'd like to be conducted (e.g. black box, white box, gray box)
  • Outline expectations for both internal stakeholders and the Pentesting company
  • Establishing a timeline for the technical assessment to occur, receive formal reports, and potential remedy and follow-up testing
  • Developing the protocol associated rules of engagement if the pentest reveals the client might have been broken or is under an in live progress (ongoing)attack
Obtaining written approval to conduct the test by the client (and other third parties that may be involved). You will need to:
  • Fill out penetration test request form
  • Tell AWS the dates that testing will take place
  • Tell AWS the IP Address range the scan or penetration testing will come from
  • Tell AWS the IP Address range being tested (scope)
Not all of those queries are straightforward to answer and may cause further queries. What?s necessary is clearly shaping the scope, objectives, and rules for the AWS Pentesting to require place. This can facilitate avoid expensive, long mistakes in a while and assist you in determinative the proper Pentesting company.

UNDERSTAND YOUR SCOPE AND OBJECTIVES

Organizations should perceive the aim of conducting a pentest within the AWS cloud before the test. The objectives ? ordinarily driven by legal, regulatory, or alternative industrial needs ? can develop and guide each of the pentesters and the organizations together with the frequency and scope.

For example, the Payment Card trade (PCI) needs that merchants perform annual internal and external network pentests with reference to their cardholder information setting (CDE). This includes a pentest against segmentation controls if the businessperson has segmental their CDE. However, service providers that are under PCI must conduct a pentest against the segmentation controls of the CDE every six (6) months as opposed to annually.

Understanding these requirements will help ensure that organizations conduct pentests that meet both their organizational and security obligations.

PENETRATION TEST
Also, Kindly visit the following URL to know more about AWS Penetration testing! https://aws.amazon.com/security/penetration-testing/


How do you assess cloud security?

The cloud security is assessed through testing it against OWASP Top 10 issues.
The OWASP Cloud top ten provides tips on what organizations ought to specialize in once coming up with and establishing cloud environments.

  1. Accountability and Data Ownership
  2. Since cloud service suppliers have partial or full management over information, organizations renounce specific rights to their information and full transparency of how it's been maintained and handled. To minimize risk, organizations have to be smart to know the authentication and encryption protocols their cloud suppliers use and their threat news and observation policies.
  3. User Identity Federation
  4. User authentication and authorization in cloud computing platforms is crucial to enterprise security. Several organizations typically implement SAML (Security Assertion Mark-up Language) for access management in cloud applications. However, cybercriminals will simply gain access to cloud platforms if this resolution isn't enforced properly. Organizations need to implement advanced identity and access management solutions like provisioning software, password management tools, security policy enforcement tools, identity repositories, and reporting and monitoring apps to mitigate risk.
  5. Regulatory Compliance
  6. The physical location of the data center used by cloud providers to store data can lead to regulatory compliance problems. Data storage privacy laws can differ between countries, including legal access by authorities, and tax law variances. Therefore, companies need to find out how compliance applies in that region. To avoid compliance issues, choose a cloud provider willing to share its data centers? locations. Additionally, make sure that your provider understands the laws applied in those regions.
  7. Business Continuity and Resiliency
  8. Cloud service providers are reliable for ensuring continuous operations in case of an incident. To ensure this, organizations must create a robust business continuity and disaster recovery plans. Without plans, lack of availability can result in revenue loss. Organizations need to ensure that their Service Level Agreements (SLAs) cover a volatile business continuity process.
  9. User Privacy and Secondary Usage of Data
  10. Public cloud environments use the public Internet to transfer data, making it possible for anyone to use or purchase it. Additionally, many integrated services use shared settings, and data is frequently collected to serve specific ads, placing the user?s data privacy at stack. Organizations need to ensure to verify the user data usage settings in their cloud configuration and third-party integrations. Organizations and their cloud providers may have differed data privacy regulations. Therefore, SLAs must include provisions for all these regulations.
  11. Service and Data Integration
  12. The interconnected nature of cloud services and different encryption levels can put data at risk during migration to and from the cloud. To mitigate risk and protect information confidentiality, strong data encryption protocols, like SSL/TLS, should be implemented. Regardless of the protocols used, organizations should regularly verify whether the data is being sent securely.
  13. Multi-Tenancy and Physical Security
  14. In cloud computing, multi-tenancy refers to shared hosting, where server resources are separated within different users. As powerful as this solution may be, it can lead to security vulnerabilities if server resources are not logically separated from each other. To reduce the risk, cloud providers should configure the server for logical separation to isolate each user?s resources. Encryption technologies like Virtual Private Cloud (VPC) can be useful in preventing shared infrastructure.
  15. Incidence Analysis and Forensic Support
  16. The incident analysis process includes investigating log files and related data. In cloud environments, incident analysis can be severe because the necessary log files are not centralized and not simply accessible. Also, log data often involves information on other users, and audit access may be restricted due to shared resources. Understand how your cloud provider handles, evaluates, and correlates event logs. Use third-party monitoring solutions and Virtual Machine (VM) images to make sure the immediate accessibility of your log files.
  17. Cloud Infrastructure Security
  18. Cloud infrastructure involves the resources needed to build a cloud environment, i.e., storage, hardware, network, and virtualization. However, one cannot audit proprietary cloud platforms or processes and fully define who has administrative access to your environment. Organizations can impose traditional security measures, such as applying security patches and updates and regular vulnerability assessments. They can also use advanced practices such as isolating infrastructure components with network Access Control Lists (ACLs) and configuring administrative roles and privileges.
  19. Non-Production Environment Exposure
  20. Staging environments are typically less secure than production ones to enable easier testing and development. Developers often use default credentials in staging, even though it can include live data for testing purposes. As a result, attackers can exploit the weak security in non-production setups to steal data related to product development. Avoid using real or sensitive data in non-production environments. Ensure that anyone working in these environments have privileged access measures in place. Additionally, make sure to weight the ?privacy by design? approach by imposing necessary processes and data protection best practices throughout the entire project lifecycle.

Valency's approach

Black box testing

They are professionals who have no knowledge of the internal structure of the system or the network.

Grey box testing



They are professionals with partial knowledge of the internal workings of an application or networks. This test often reveals context specific errors related to the web applications

Cloud Security Testing (VAPT) Consultancy vendor company, Process

Automatic and manual testing

Cloud Security Testing (VAPT) Consultancy vendor company, Cloud App Security Process


For certain vulnerabilities like cross site scripting (XSS) and SQL injection, automated scanning tools are used as they have the ability to find the vulnerabilities quickly and systematically. Whereas manual testing is used to cross check false-positive or false-negative results shown by automated testing tools and to run customized scripts to identify application-specific vulnerabilities.

Testing phases

Reconnaissance




Also known as foot printing. It?s a process of gathering data or preliminary inspection of an area of interest over a short period of time.

Cloud Security Testing (VAPT) Consultancy vendor company, Scanning

Scanning

Cloud Security Testing (VAPT) Consultancy vendor company, Gaining Access


Collect more detailed information based on previous phase. Also known as enumeration

Gaining access




This is the actual attack phase; so, the risk level is considered highest

Cloud Security Testing (VAPT) Consultancy vendor company, Scanning

Maintaining access

Cloud Security Testing (VAPT) Consultancy vendor company, Gaining Access


If the intentions of the hacker will not be satisfied by acquiring access then maintaining that access is also important.

Covering tracks



It is in the best interest of the hacker to erase his fingerprints from the scene. Rootkits to an extent does the job, but a hacker can modify log files to hide all those programs or applications that he has installed, from the view of the computer system.

Cloud Security Testing (VAPT) Consultancy vendor company, Gaining Access

Gathering logs

Cloud Security Testing (VAPT) Consultancy vendor company, Scanning



Keeping a record of the scans or reports gathered from the attack/scan performed.

Testing outcomes:

Cloud Security Testing (VAPT) Consultancy vendor company, Gaining Access

Detailed technical report In the detailed technical report we include the entire process followed while performing VAPT on cloud based web application or any services. It includes the tests performed, vulnerabilities found, risk severity, attachment of the evidences, etc.

Executive summary It contains brief explanation of the entire Process and the finding. To make it more understandable for clients we also use graphical and chart representation of the vulnerabilities found and attacks possible on the same

High level fixation solutionswe not only deliver you our findings on the vulnerabilities and risks, but also share the best possible solutions for the same. Our fixation solutions are also found much accurate and efficient by our customers/clients.


What Our Customers Say?

Valency Networks is a very techie company, focusing on a continuous improvement in service quality. Our customers like us exactly for that and that helps us keep our quality to the best extent.