Running applications in the cloud gives IT teams access to security controls from the cloud provider, such as data center security and hypervisor patching. But cloud provider security tools only go so far. Enterprises still need to assess server and application configurations. Basic penetration testing and vulnerability scanning give IT pros additional insights into cloud applications.
Penetration testing is a well-established security practice for identifying system vulnerabilities. Full penetration testing can range from physical testing -- tests to determine the physical security of the premises -- to application vulnerability scanning.
For cloud application security testing in Amazon Web Services (AWS), IT pros must create a plan, establish a time frame, select a testing tool and notify AWS. It's vital to contact AWS before performing any type of cloud application security testing or penetration testing. Because of the nature of these tests, AWS could mistake them for an actual attacker. AWS provides a list of guidelines and restrictions for security testing.
Performing an AWS vulnerability test
Let's look at security testing using commonly available tools, such as vulnerability scanning tools, password-cracking tools and fuzz-testing tools for injection attacks. The first step is to set the scope and plan the penetration test.
This is especially important when working with a cloud provider -- it needs to know what you plan to do and when you plan to do it. Identify the IP addresses of the devices you will test, detail how you will document the results of each step and explain how you will proceed once results are in. For example, if you decide to use a password-generation tool and gain access to an account with it, what will the tester do? Should the tester log out and document the access, or should they attempt further actions, ranging from file access to data manipulation?
Determine which Web applications will be scanned. Additionally, decide if testers will receive documentation; this may help speed the process and provide insights into potential application vulnerabilities. Finally, determine what types of tests to run, such as credential hacking and fuzz testing.
Cloud admins must also decide which type of cloud application security test or vulnerability scan to perform. Port scanning is a basic process to identify ports on the network and determine whether any of them are open. Basic port scans typically use the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) and related IP protocols. You can use service protocols such as HTTP or database-specific ones to collect more details about the services running on a server. For example, some services return application name and version information in their response; collecting it is known as banner grabbing.
Vulnerability and application scanners
Vulnerability scanners use database information from certain services to look up known vulnerabilities. Useful databases include the National Vulnerability Database and the Common Vulnerabilities and Exposures database.
Application scanning identifies weaknesses within applications. Starting with an application's URL, application scanners crawl all available links and build a catalog of pages and page properties. If a page accepts input, admins might want to apply fuzz tests to see if any of the code is vulnerable to injection attacks.
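To show what the fuzz step looks like against your own code, here is an added example that is not from the article: a small harness that feeds constructed injection-shaped probes into two lookup functions over an in-memory SQLite table (a hypothetical users table, not any real application) and reports where the string-concatenated version misbehaves while the parameterized version does not.

```python
import sqlite3

# Constructed sample data for the example; not taken from the article.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build a fresh in-memory database so each probe runs in isolation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    # The query is built by string concatenation: user input becomes SQL text.
    return conn.execute("SELECT email FROM users WHERE name = '" + name + "'").fetchall()


def lookup_hardened(conn, name):
    # Parameterized query: the input is bound as data and never parsed as SQL.
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


# Constructed probes. None of them is a real user name, so a correct lookup
# must return zero rows and must not raise a database error.
FUZZ_INPUTS = [
    "nobody' OR '1'='1",                         # tautology
    "nobody' OR name='alice",                    # pivot to another row
    "nobody' UNION SELECT name FROM users --",   # union read of another column
    "o'brien",                                   # benign apostrophe breaks concatenation too
    "x" * 2000,                                  # oversized but harmless input
]


def fuzz(lookup):
    """Run every probe through `lookup`; return a list of (probe, reason) findings."""
    findings = []
    for probe in FUZZ_INPUTS:
        conn = make_db()
        try:
            rows = lookup(conn, probe)
        except sqlite3.Error as exc:
            # A raw database error on caller-controlled input means the input
            # reached the SQL parser, which is itself a finding.
            findings.append((probe, "db error: %s" % exc))
            continue
        finally:
            conn.close()
        if rows:
            findings.append((probe, "returned %d row(s) for a non-existent user" % len(rows)))
    return findings


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(name, fuzz(fn))
```

The same harness shape applies to any input handler you own: keep the probe set small and deterministic, and treat both unexpected rows and raw database errors as findings to document.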
Hosting applications in AWS gives companies access to several tools, including a few for securing applications. However, in-house penetration testing may be more valuable than contracted security consultants. And it's an important step in hardening AWS applications against outside attacks.
About the author
Dan Sullivan holds a Master of Science degree and is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Dan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.