One of the many challenges facing organizations these days is that certain parts of the business are either moving to SaaS or is already in the cloud. This brings a unique problem for everyone responsible for maintaining the web applications’ availability, performance, and functionality. Organizations often struggle to secure and protect business and customer data. In the past, all the layers of the OSI model would be open for testing, but that is no longer possible as the organization will control only a few, if any of those layers. Transitioning critical web applications to the cloud requires special attention to security, especially where organizations must trust cloud vendors with their data.
Shared Data Security
In the cloud everything is data. Servers used to be physical hardware, but now that hardware is virtualized. Cloud vendors have the responsibility to ensure that their data centers are secure and hence the cloud platform will have its own security controls such as firewalls, data encryption software, administrative controls, security audits. However, we are moving into an age of shared responsibility. The customer has to decide what kind of security measures they are willing take. Before any real attack vectors can be tested, the IT team needs to recognize what layers they own or interact with in the cloud service. This will enable them to determine the areas that need to be tested and the nature of the tests that need to be run.
Some of these issues can be addressed with the emergence of automated web application vulnerability scanners. The first thing that needs to be done is find out what are the vendor policies regarding resource scanning. For instance, Amazon requires their customers to submit aform requesting authorization for pen testing and scanning of resources.
Here is a list of commercially availablescanners that will run a variety of tests to check for vulnerability on the host. They look for security vulnerabilities such as cross-site scripting, SQL injection, command execution, directory traversal and insecure server configuration. They also use ‘authenticated scans’ on the hosts to detect vulnerabilities. The automated scanner would log in to the host as an authenticated user and execute a set of commands and report vulnerabilities. It is however hard if not impossible for an automated scanner to test all the aspects of the web application i.e. Access control, Developer’s cookie tampering, session management, data validation testing, File or unauthorized URL are some ways functionality, data or both can be compromised. Business logic vulnerabilities is another area that needs to be looked at when planning for a penetration test.
Choosing a Scanner
Choosing the right tool will help you find holes in your network/application before someone else does. When looking for a cloud penetration testing tool::
- Find a tool which does not take a lot of resources on installation and configuration (for e.g. having it on the cloud).
- The scan results are accurate can be easily readable.
- The tool should work with your software development life cycle (SDLC).
- Make sure they have a good support group to answer your queries and concerns.
These tools will help you increase your test coverage and give your customers confidence in your product.