Penetration testing is an IT security practice designed to identify, and address, any vulnerabilities a hacker could exploit. And just as they would with a traditional data center, many IT shops perform penetration tests on their public cloud environments. Whether you are testing AWS, Google or Microsoft Azure clouds, here are some best practices to formulate a penetration testing plan for public cloud.
First, since penetration testing looks a lot like an attack, it is important to coordinate with cloud providers before performing such tests.
Next, create an inventory of what to test, including servers, endpoints, applications, Web services and persistent data stores. You can conduct penetration tests using a tool like Metasploit or a third-party service such as Tinfoil Security's security scanning tool. But in either case, you need a well-defined list of components to test.
Then, determine which security tests to perform. The Open Web Application Security Project (OWASP) maintains a list of the top 10 security vulnerabilities in Web applications. This is a good starting point, and is considered the minimal set of vulnerabilities for which organizations should test. The list includes injection attacks, broken session management and authentication, cross-site scripting and security misconfiguration.
Be sure to test all points of potential attack. You might expect customers to always use the Web interface you have provided, but attackers can exploit Web services or database servers directly. Test all public-facing access points in your application stack, including API functions and application interfaces.
If you have the time and resources, also test services that should not be accessible from the Internet. For example, you might configure your database server to accept connections only from your application server. Someone might think the database is inaccessible from the Web, and therefore protected, but that is not necessarily true.
Security controls can fail. If the application server has access to the database server and is compromised, attackers can use the application server as a host for an attack on the database server. Without compromising needed functionality, harden the security of your database server as much as possible. Follow defense in depth practices and put multiple controls in place to protect data and system resources. Database server security shouldn't depend on a well-secured application server.
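One way to put the preceding advice into a repeatable check is to audit the network rules that sit in front of the database tier and confirm it is reachable only from the application tier, never by address range and never from the Internet. The following is an added example written for this article, not code from the article or from any cloud provider; the security-group records are constructed sample data shaped like AWS `describe_security_groups` output, and the group IDs (`sg-app-example`, `sg-db-example`) and the exposure policy are hypothetical.

```python
"""Exposure audit for a two-tier stack, as an added check: confirm that the
database tier admits connections only from the application tier.

The security-group records below are constructed sample data shaped like
AWS ``describe_security_groups`` output; the group IDs are hypothetical."""
import ipaddress

SECURITY_GROUPS = [
    {
        "GroupId": "sg-app-example",       # hypothetical ID
        "GroupName": "app-tier",
        "IpPermissions": [
            # HTTPS from anywhere is the intended public entry point.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-db-example",        # hypothetical ID
        "GroupName": "db-tier",
        "IpPermissions": [
            # Intended: PostgreSQL only from the app tier's group.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app-example"}]},
            # Misconfiguration to catch: MySQL reachable from the whole Internet.
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            # Misconfiguration to catch: every port from an entire private /8.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        ],
    },
]

# Policy for the restricted tier: port -> set of source groups allowed to reach it.
EXPOSURE_POLICY = {"sg-db-example": {5432: {"sg-app-example"}}}

INTERNET = ipaddress.ip_network("0.0.0.0/0")


def rule_ports(rule):
    """Return (from, to); protocol -1 means every port and carries no port fields."""
    if rule.get("IpProtocol") == "-1":
        return ("all", "all")
    return (rule["FromPort"], rule["ToPort"])


def audit_exposure(groups, policy):
    """Return (group, port, source, severity, reason) findings for every rule on a
    policy-governed group that admits a source the policy does not allow."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        if gid not in policy:
            continue                     # only the restricted tiers are audited
        allowed = policy[gid]
        for rule in sg["IpPermissions"]:
            lo, hi = rule_ports(rule)
            port = str(lo) if lo == hi else f"{lo}-{hi}"
            # Address-range sources: a restricted tier should be reached by
            # group membership, never by CIDR. Internet-wide is the worst case.
            for r in rule.get("IpRanges", []):
                net = ipaddress.ip_network(r["CidrIp"])
                sev = "high" if net == INTERNET else "medium"
                findings.append((gid, port, r["CidrIp"], sev,
                                 "address-range source on restricted tier"))
            # Group sources: allowed only on the exact port the policy names.
            for pair in rule.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                if lo != hi or src not in allowed.get(lo, set()):
                    findings.append((gid, port, src, "medium",
                                     "source group not permitted on this port"))
    return findings


if __name__ == "__main__":
    for gid, port, src, sev, why in audit_exposure(SECURITY_GROUPS, EXPOSURE_POLICY):
        print(f"[{sev}] {gid} port {port} from {src}: {why}")
```

Run against the sample data, the audit reports the MySQL port open to the Internet as high severity and the all-ports rule from the private /8 as medium, while the intended PostgreSQL rule from the app tier passes. The same function can be fed the real output of a provider API call in place of the constructed list; the point is that the policy (which tier may reach which port) is written down once and checked mechanically rather than assumed.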
Lastly, remember that not all attacks will originate from outside your organization. An insider may have legitimate access to a number of systems that can be exploited for malicious purposes. Review logs to determine if you are capturing sufficient information to respond to an actual attack. Also, test the capabilities of security information and event management (SIEM) software. Make sure alerts are generated as expected, and present security testing data in a way that allows experts to quickly determine the cause of the alerts.
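The following added example (written for this article, not the article's own code or any SIEM product's) shows what "make sure alerts are generated as expected" looks like in practice: two detection rules run over a handful of authentication log lines, each alert carries the evidence lines that triggered it, and a verification step compares the alerts that fired with the ones the test plan expected. One rule covers the external case (a login that succeeds after a burst of failures) and one the insider case from the paragraph above (a privileged account logging in outside business hours, where the access itself is legitimate). The log lines are constructed sample data in syslog-style sshd format with ISO timestamps; the hostnames, accounts, addresses, the `PRIVILEGED` set and the business-hours window are all assumptions.

```python
"""Detection check, as an added example: run two alert rules over sample
authentication log lines and confirm the expected alerts fire, with the
evidence lines attached so an analyst can see why. Log lines are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
2024-05-03T02:14:01Z app01 sshd[812]: Failed password for admin from 203.0.113.9 port 50211 ssh2
2024-05-03T02:14:03Z app01 sshd[812]: Failed password for admin from 203.0.113.9 port 50212 ssh2
2024-05-03T02:14:05Z app01 sshd[812]: Failed password for admin from 203.0.113.9 port 50213 ssh2
2024-05-03T02:14:09Z app01 sshd[812]: Accepted password for admin from 203.0.113.9 port 50214 ssh2
2024-05-03T09:30:11Z db01 sshd[902]: Accepted publickey for dba from 10.0.1.5 port 40001 ssh2
2024-05-03T23:48:40Z db01 sshd[903]: Accepted publickey for dba from 10.0.1.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(\S+) from (\S+) port \d+"
)

PRIVILEGED = {"dba", "root"}        # hypothetical: accounts that warrant extra scrutiny
BUSINESS_HOURS = range(8, 18)       # hypothetical: UTC hours considered normal for them


@dataclass
class Event:
    ts: datetime
    host: str
    outcome: str
    user: str
    src: str
    raw: str


@dataclass
class Alert:
    kind: str
    host: str
    user: str
    src: str
    evidence: list = field(default_factory=list)   # the raw lines behind the alert


def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # unrelated line; a real pipeline would count these
        ts, host, outcome, user, src = m.groups()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            host, outcome, user, src, line))
    return events


def detect(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Rule 1: a success preceded by >= fail_threshold failures for the same
    host/user/source within `window`. Rule 2: a privileged account logging in
    outside business hours (the insider angle: the access itself is legitimate)."""
    alerts = []
    failures = defaultdict(list)      # (host, user, src) -> failures seen so far
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.user, ev.src)
        if ev.outcome == "Failed":
            failures[key].append(ev)
            continue
        recent = [f for f in failures.pop(key, []) if ev.ts - f.ts <= window]
        if len(recent) >= fail_threshold:
            alerts.append(Alert("brute_force_success", ev.host, ev.user, ev.src,
                                [f.raw for f in recent] + [ev.raw]))
        if ev.user in PRIVILEGED and ev.ts.hour not in BUSINESS_HOURS:
            alerts.append(Alert("off_hours_privileged_login", ev.host, ev.user,
                                ev.src, [ev.raw]))
    return alerts


def verify(alerts, expected):
    """Compare fired alerts with the (kind, host, user) tuples the test plan
    expects; two empty sets mean the detection behaves as intended."""
    fired = {(a.kind, a.host, a.user) for a in alerts}
    return expected - fired, fired - expected   # (missing, unexpected)


EXPECTED = {("brute_force_success", "app01", "admin"),
            ("off_hours_privileged_login", "db01", "dba")}

if __name__ == "__main__":
    found = detect(parse(SAMPLE_LOGS))
    for a in found:
        print(f"{a.kind}: {a.user}@{a.host} from {a.src}")
        for line in a.evidence:
            print("    " + line)
    missing, unexpected = verify(found, EXPECTED)
    print("missing:", missing, "unexpected:", unexpected)
```

Two design choices matter here for the "quickly determine the cause" goal: each alert carries the raw lines that produced it rather than just a counter, and the expected-alert set is part of the test plan, so a rule that silently stops firing (because a log format changed, say, and the regex no longer matches) shows up as a missing alert instead of as a quiet green run.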