Penetration Testing Best Practices
Some interesting insights on how to get the most of your pentest: from selecting the right vendor to proper project management.
Cloud security audit
Surprisingly, more and more cloud breaches happen not because of the cloud provider vulnerabilities but because of customer misconfiguration. We will carefully inspect your cloud setup from inside and outside to ensure it is secure and configured according to security best practices.
Get A QUOTE
Cloud security configuration audit
When talking about the misconfiguration problem, several factors are at play. That’s why our team provides complex security checks for your cloud system against the most common security issues and misconfigurations:
- User management, authentication, authorization, access policies
- Component isolation, security groups, VPN settings, Ingress/Egress Routing
- Object storage visibility, such as S3
- Security of serverless functions, such as Lambdas
- Hardening of metadata WebServices (which can be abused by SSRF vulnerabilities)
- Such audit requires an access to the infrastructure with read permission.
- Encryption of data-in-transit & data-at-rest
- Key management & secret management (use of vaults)
- Logging & monitoring
- DFIR-Readiness (digital forensics & incident response)
Such audit requires an access to the infrastructure with read permission.
Cloud pentest
Apart from the cloud security audit from the inside, we also offer a cloud pentest version of this service. Such an approach does not require infrastructure access to the pentesting team and fully simulates the hacker’s activities.
Typical scenarios for such cloud pentest are:
- Identifying cloud vulnerabilities exploitable by external attackers
- Simulating privilege escalation in the cloud, e.g. from a basic developer’s role
Cloud platforms
No matter what platform you use, it’s important to secure your cloud workloads. Our security check expertise covers the platforms like:
AWS
Azure
Google Cloud
Our process:
At the beginning of the project, we will collect all the input and agree on the scope of the audit/pentest.
We keep clients informed in course of the project, providing regular status updates and immediate notifications for critical findings.
1
A kick-off meeting to agree on the scope, inputs and communication
2
Cloud pentest (1-3 weeks, depending on the scope)
3
The final report that highlights the identified cloud security issues
Our methodology
We employ a combination of well-recognised cloud security guidelines, automated tools and manual verifications.
Guidelines:
- CIS Benchmarks
- Cloud security guidelines from AWS, GCP and Azure
- … and others
Tools
- Inspection tools for AWS/GCP/Azure based on CIS benchmarks
- Native tools by AWS/GCP/Azure
- Various open source tooling used where applicable
All outputs of the tools are being triaged with false positives being removed by security experts.
Check how our cloud security audit report looks like
Please contact us and we will send you a sample report of the cloud security audit.
Related materials
What is Shift Left Security? Comprehensive guide
Basics of the trendy shift-left security approach and specifically focusing on one extremely useful practise – threat modeling.
Contacts
Please tell us what are you looking for and we will happily support you in that.
Feel free to use our contact form or contact us directly.