Cloud Services Penetration Testing
Highly trained and certified penetration testing team
Proven penetration testing methodology
Includes retest option to validate your fix actions
Clear & concise reports with prioritized, actionable items
Hedgehog has extensive experience in working with all major cloud service providers. Shared services have become extremely common, and organisations are leveraging cloud services with increasing frequency. As a consequence, Hedgehog delivers cloud service testing and technical assurance as a core part of its penetration testing offerings.
Why is Cloud Service Penetration Testing necessary?
As we continue to see more services migrating to the cloud, the need for cloud security testing increases. We deliver cloud-based penetration testing for cloud service providers as well as for the clients that use these services.
Whether it is Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS), Hedgehog's team of security experts is versed in all the major cloud-based platforms and environments.
Cloud Service Providers Hedgehog works with
Hedgehog has experience in testing many of the larger cloud-based environments, including Amazon's EC2 environment, Rackspace Managed Cloud and Microsoft's Azure platform. In addition, the methodologies and approaches gained within these environments give us insight into how to test other cloud-based services.
Similarly, for software houses and development companies that are publishing their applications into the cloud, Hedgehog has a range of services that provide system assurance for these offerings.
Types of vulnerabilities frequently identified in cloud environments
Cloud service testing is used to deliver assurance against the build and configuration of the service provider's environment. Cloud services can be made just as secure as on-premise services; however, through inadequate configuration, it is common to see the management features of administrative UIs available online.
The types of issues Hedgehog frequently sees include:
Administrative UIs available (including hypervisor and OS interfaces)
Abandoned Storage Blobs
Poor firewalling logic making other non-core services available online
Hedgehog has an intricate understanding of how many of the shared technologies are implemented to deliver cloud-based services. In addition, Hedgehog has extensive experience in identifying some of the vulnerabilities that can be created by these types of environments. As a consequence, Hedgehog is able to deliver highly effective testing strategies for all types of public and private cloud infrastructures.
Hedgehog has a defined security testing methodology that applies to testing IaaS, PaaS and SaaS environments. This methodology combines many of the steps found in our standard penetration testing methodology with our web application security testing methodology.
Penetration Test Report
The Penetration Test Report includes the URLs and IP addresses tested, reconnaissance (discovery) information, vulnerabilities discovered, steps taken during the assessment, exploitable areas, and prioritized recommendations. For any systems we are able to exploit, an Issue Detail section is used to discuss step-by-step the process we used to gain access, escalate privileges, etc.
Penetration Test Report Findings Review
We schedule either an in-person or online session with you where we walk through the report with your team and answer any questions about the findings, our methods, or the steps required for remediation. Many competitors deliver a confusing, lengthy report at the end of the engagement for you to decipher. Our penetration test report review adds tremendous value because we can clarify findings and remediation steps.
How do you know the steps you took to fix our penetration test report findings actually worked? Validation removes the guesswork. When you're ready, after fixing the issues identified in the penetration test report, we offer a free re-test of those identified vulnerabilities. This is a crucial and often overlooked step in this process. Validating security controls, patches, and other fix actions is extremely important. We have discovered numerous organisations that thought they fixed a finding we identified, only to discover after a retest that the finding was still there.
Certificate of Attestation
The attestation letter serves as a record of us performing the penetration test. It includes a summary of the findings. Its intent is for external use, outside of your organization, to show proof that a security assessment was performed and to highlight test results.
This Team Leader-driven penetration test against your cloud services follows the PTES and OWASP testing guidelines and is conducted by CREST registered testers. It is designed specifically for penetration testing cloud-based services, including Amazon AWS and Microsoft Azure application deployments. We will identify and validate potential vulnerabilities in your cloud infrastructure and applications and provide recommendations for improving your security posture.