Could Penetration Testing is a method of actively checking and examining the Cloud system by simulating the attack form the malicious code .
Cloud computing is the shared responsibility with Cloud provider and client who earn the service from the provider. Due to impact of the infrastructure , Penetration Testing not allowed in SaaS Environment. Cloud Penetration Testing allowed in PaaS, IaaS with some Required coordination. Regular Security monitoring should be implemented to monitoring the presents of threats, Risks and Vulnerabilities.
SLA contract will decide what kind pentesting should be allowded and How often it can be done.
Important Cloud Computing Penetration Testing Checklist:
- Check the Service level Agreement and make sure that proper policy has been covered between Cloud service provider (CSP) and Client .
- To maintaining the Governance & Compliance ,check the proper responsibility between Cloud service provider and subscriber.
- Check the service level agreement Document and track the record of CSP determine role and responsibility to maintain the cloud resources.
- Check the computer and Internet usage policy and and make sure it has been implemented with proper policy.
- Check the unused ports and protocols and make sure services should be blocked.
- check the data which is stored in cloud servers is Encrypted by Default .
- Check the Two Factor Authentication used and validate the OTP ensure the network security.
- Check the SSL certificates for cloud services in the URL and make sure certificates purchased from repudiated Certificate Authority (COMODO,Entrust,Geoturst ,Symantec,thawte etc.)
- Check the Component of access point, data center, devices, using Appropriate security Control.
- check the policies and procedure for Disclose the data to third parties.
- Check if CSP offers for cloning and virtual machines when Required .
- Chcek the proper input validations for Cloud applications to avoid the web application Attacks such as XSS,CSRF,SQLi etc .
Cloud Computing Attacks:
Session Riding ( Cross-Site Request Forgery)
CSRF is an attack designed to entice a victim into submitting a request, which is
malicious in nature, to perform some task as the user.
Side Channel Attacks
This type of attack is unique to the cloud and potentially very devastating, but it requires
a lot of skill and a measure of luck.
This form of attack attempts to breach the confidentiality of a victim indirectly by exploiting the fact that they are using shared resources in the cloud.
Signature Wrapping Attacks
Another type of attack is not exclusive to a cloud environment but is nonetheless a
dangerous method of compromising the security of a web application.
Basically, the signature wrapping attack relies on the exploitation of a technique used in web services.
Other Attacks in Cloud Environment:
- Service hijacking using network sniffing
- Session hijacking using XSS attacks
- Domain Name System (DNS) attacks
- SQL injection attacks
- Cryptanalysis attacks
- Denial-of-service (DoS) and Distributed DoS attacks
Important Consideration of Cloud Penetration Testing:
- Performing the Vulnerability Scanning in available host in Cloud Environment
- Determine the Type of Cloud whether it is SaaS or IaaS or PaaS.
- Determine what kind of testing permitted by the Cloud Service provider
- Check the Coordination, scheduling and performing the test by CSP.
- Performing Internal and External Pentesing.
- Obtain Written consents for performing the pestesting.
- Performing the web pentesting on the web apps/services without Firewall and Reverse Proxy
Important Recommendation for Cloud Penetration Testing :
- Authenticate users with User name and Password.
- Secure the coding policy by giving attention Towards Services Providers Policy
- Strong Password Policy must be Advised .
- Change Regularly by Organization such as user account name , password assigned by the cloud Provers.
- Protect information which is uncovered during the Penetration Testing.
- Password Encryption Advisable.
- Use centralized Authentication or single sign-on for SaaS Applications.
- Ensure the Security Protocols are up to date and Flexable.
Important Tools For Cloud Penetration Testing:
This suite can enable four types of testing on a single web platform:mobile functional and performance testing and web-based functional and performance testing.
LoadStorm is a load-testing tool for web and mobile applications and is easy
to use and cost effective.
BlazeMeter is used for end-to-end performance and load testing of mobile
apps, websites, and APIs.
Nexpose is a widely used vulnerability scanner that can detect vulnerabilities,
misconfigurations, and missing patches in a range of devices, firewalls, virtualized
systems, cloud infrastructure.
AppThwack is a cloud-based simulator for testing Android, iOS, and web
apps on actual devices. It is compatible with popular automation platforms like
Robotium, Calabash, UI Automation, and several others.