Cloud Penetration Testing
Cloud penetration testing, such as AWS pen testing or Azure pen testing, has some key differences when compared to a normal infrastructure penetration test. Cloud providers often have their own API infrastructure for scaling apps and a number of API keys associated with them. This gives an attacker new scope for vulnerabilities that could be exploited to gain access to servers and infrastructure. Our experts can test all cloud infrastructure, including AWS, Azure, Google Cloud and DigitalOcean, as well as any other cloud infrastructure.
Cloud testing methodology
A cloud penetration test can cover a variety of components within a cloud environment. Each type of system requires its own approach, techniques, and methodology. For example, S3 buckets are checked for correct privileges. Servers are checked for known vulnerabilities, and applications hosted on them are tested for issues such as SQL injection, code injection, and a number of other vulnerabilities. The architecture of the cloud infrastructure is tested, looking for connectivity between services and vulnerabilities that can be exploited for greater privileges.
What are the risks?
Cloud infrastructure can be some of the most complex in an organisation, and this kind of complexity allows attackers to take advantage of overlooked vulnerabilities. Much of the cloud infrastructure we test consists of multiple layers and systems, each of which can have its own vulnerabilities. Because these systems are connected, the compromise of one can cascade, allowing an attacker to compromise all the systems in the infrastructure.
Hackers can have an easier time attacking cloud infrastructure because of its complexity and interconnectedness, which allow them to take advantage of an attack surface that would not previously have been available.
How we can help
Our expert testers are experienced in all kinds of cloud infrastructure, in both developing and attacking it. This gives us a unique advantage when it comes to testing cloud infrastructure: we can take advantage of the cloud’s inbuilt features to ensure that it is safe and secure. We ensure our reports are clear and concise, allowing technical staff to get a better understanding of the issues, and our remediation is architecture- and provider-specific, meaning you always get the best possible solutions.
The Sencode Way
Contact a member of our consulting team either by phone, email or pigeon post. We will then discuss whether we can help you and arrange a scoping meeting to discuss your requirements.
Scoping & Proposal
In the scoping meeting, our expert consultants will discuss and finalise which digital assets you need testing. We will then put together a project proposal and quote based on the requirements and agree on a schedule for conducting the security assessment.
The testing starts. A member of our penetration testing team will liaise with a member of your company throughout the entire testing process. If we have any questions or concerns, you will be the first to know.
Report & Remediate
A penetration test is useless without a well-written report. Our reports are written in plain English, concise and thoroughly documented. Each report will detail an executive summary, risk ratings, a business risk summary and all of the issues we found throughout the engagement.
Frequently Asked Questions
Similar to a normal infrastructure penetration test, cloud penetration testing is used to examine a cloud system’s strengths and vulnerabilities in order to enhance its overall security posture. The exception is that the infrastructure is situated in a cloud environment and not on-premises. AWS, Microsoft Azure, and Google Cloud Platform are examples of common cloud infrastructure.
Organisations can use cloud penetration testing to improve the security of their cloud infrastructure, avoid large-scale data breaches, and achieve compliance.
All types of penetration testing differ in methodology and price. There are a number of factors that go into setting a price for a penetration test, including expenses for the tester and the types of asset being tested. A smaller application will take considerably less time than a large, complex commercial application. We aim to make our pricing as flexible as possible. Sencode will provide our best judgement by accurately scoping your digital assets and making a determination based on experience testing similar-scale assets. Once we have accurately scoped your project, we can provide a project proposal and a quote which will be costed properly.
Example 1: A medium-sized finance web application comprising 35 unique pages with user and case management. 5 days of penetration testing. £3000-£4000
Example 2: An external infrastructure penetration test comprising 10 unique IP addresses. 2 days of penetration testing. £1000-£2000
Example 3: An internal penetration test on 80 IP addresses. 7 days of penetration testing. £5500-£6500
These prices vary based on the number of IP addresses, retesting requirements, after-hours testing and the skills required to conduct the engagement.
Get a free, no-obligation quote from one of our expert staff.