Cloud App Security Testing


Most web applications are moving to the cloud. While this enhances application functionality, it also introduces security issues. Since everything is virtual in a cloud-hosted environment, it is difficult to gain fine-grained control of "data at rest" and "data in transit".

Cloud computing technology offers three basic models of implementation: Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS). Securing cloud environments is a sweeping proposition that touches on virtualization security, access control, data protection and a host of other areas.

How do we Secure Cloud Applications?

Aspire Networks has years of security experience, ranging from corporate networks to recent customers requiring cloud computing security. Unlike most other security consultancy offerings, our approach to cloud security is purely from a design perspective. We dive deep into the cloud architecture and identify attack vectors ranging from the network layer of the cloud design to the cloud-aware applications running on virtual data centers or virtual development centers. Cloud security also covers the web authentication portals that call the cloud service provider's APIs. Customers of Aspire Networks involve us from the design phase through to the implementation phase.

Cloud App Security Features

The cloud application penetration testing service is different from a simple website security assessment. It extends the testing methodology to cloud scenarios such as multi-tenant privilege escalation and user role privilege escalation.

Exploit Categories

  • Cloud VPC Network Security Exploits
  • Cloud Web Layer Exploits
  • Cloud Web Service Exploits
  • Authentication problems
  • Configuration problems
  • Database related problems

Standards Followed

  • OWASP Top 10 - 2014
  • NIST - CWE Standard

Vulnerabilities Detected

  • SQL Injection
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Forms Input Forgery
  • Code Injection
  • Cookie Poisoning
  • 400+ other vulnerabilities

Test Approaches

  • Black Box
  • Gray Box


Process

We follow a systematic yet agile approach to testing website security. This gives our customers extremely accurate and detailed results, backed by a knowledge base and years of experience in the subject matter.

Before Testing Starts

  • Sign NDA
  • Freeze on scope
  • Study Cloud App Architecture
  • Study Cloud User Roles
  • Decide attack vectors and prioritize
  • Allocate single point of contact

During Testing

  • Black box testing
  • Gray box testing
  • Automatic and Manual Testing
  • Testing Phases
      • Reconnaissance
      • Scanning
      • Gaining Access
      • Maintaining Access
      • Covering Tracks
  • Gathering Logs

After Testing

  • Analyse logs
  • Confirm results
  • Apply Knowledge
  • Apply Experience
  • Repeat Test if required

Testing Outcome

  • Detailed technical report
  • Executive summary
  • High-level fix recommendations
  • Certificate of testing completion (optional)


Benefits

Security testing is a continuous improvement process that pays off in increased ROI (Return On Investment). The benefits of a pen-test are short term as well as long term.

Cloud App Security Benefits

  • Secure cloud application from hackers
  • Prevent information stealing
  • Prevent cross-client information leakage
  • Prevent monetary loss
  • Prevent reputational loss
  • Induce confidence in customer
  • Increased ROI for IT investments

Copyright © 2018 Aspire Tech, All rights reserved.