Cloud Security Testing
We offer full penetration testing and build reviews of cloud-based applications and infrastructure hosting.
With many organisations either migrating existing server farms or designing new systems that are hosted within the Cloud, it is essential to ensure that these are securely configured and do not expose any security risks to the Internet.
Cloud testing is the penetration testing or vulnerability assessment of applications, infrastructure or the portal configuration of systems that are hosted within Cloud providers such as:
- Microsoft Azure
- Microsoft Hyper-V
- Amazon AWS
- Skyscape (UK Cloud)
Servers or applications that have been incorrectly configured when installed or after migration to Cloud hosting providers may be exposing services or vulnerabilities to the Internet.
Cloud penetration testing or vulnerability assessments can provide assurance that the systems and security controls tested have been configured in accordance with best security practice and that there are no common or publicly known vulnerabilities in the target system at the time of the test. If vulnerabilities are found, these can be rectified before an attack or security breach occurs.
Testing will enable you to:
- Manage vulnerabilities
- Avoid introducing new issues when migrating to Cloud environments
- Avoid extra cost and reputation damage from a security breach
- Provide evidence of compliance with regulatory and certification standards
- Provide assurance to customers and suppliers that their data is secure
We can offer the following cyber security testing services for any systems or devices that are hosted within Cloud providers:
- Application penetration testing
- Internal (within the Cloud) vulnerability assessments and penetration testing
- Server build reviews
- Network device and firewall rule reviews
- Cloud portal configuration review
- External vulnerability and penetration testing for services exposed to the Internet
Armadillo Sec are a CREST certified testing body and we are accredited to operate as a CHECK service provider. All of our testers are certified by CREST and our senior consultants are certified by CREST to the highest CCT Level. Our testers are also CHECK Team Leaders (CTLs) or CHECK Team Members (CTMs) and are approved to conduct government CHECK testing.
Our team have many years' experience conducting a broad range of government and commercial tests and always aim to go the extra mile for our customers.
Frequently Asked Questions
Yes. Approval must be granted by the Cloud hosting provider before any security testing can be conducted.
We can assist you with the required approvals and testing procedures. We have created a set of guides outlining the required approval process for each vendor.
We have created a set of virtual images that contain all of the required tools to test within Cloud environments. For example, we can quickly and easily create a Virtual Machine for you for Amazon AWS, or provide an OVA/OVF file which can be uploaded with all our tools pre-loaded. As a result, there are no delays in testing.
We then connect into the testing Virtual Machine and assess the systems or applications within your Cloud hosting.
All our testers are certified by CREST and our senior consultants are certified by CREST to the highest CCT level.
| CREST Certifications | Certified Testers |
|---|---|
| Practitioner Security Analysts | Yes |
| Registered Penetration Testers | Yes |
| Certified Web Application Testers | Yes |
| Certified Infrastructure Testers | Yes |
| Certified Simulated Attack Specialist | Yes |
| Certified Simulated Attack Manager | Yes |
Our CREST member status can be viewed, along with the certified tester types we have, on the link below:
Our testers are also CHECK Team Leaders (CTLs) or CHECK Team Members (CTMs) and are approved to conduct government CHECK testing.
| CHECK Status | Certified Testers |
|---|---|
| CHECK Team Member (CTM) | Yes |
| CHECK Team Leader (CTL) - Infrastructure | Yes |
| CHECK Team Leader (CTL) - Applications | Yes |
Our CHECK status can be viewed on the link below:
It is recommended that testing should be conducted annually as cyber threats are constantly evolving.
If major changes are made to the infrastructure or new applications are developed, then it is recommended that additional testing is conducted. This ensures that any recent changes are not introducing new vulnerabilities into the environment.
Some certifications, such as ISO 27001 or PCI DSS, require a certain frequency of testing to remain compliant.
Penetration testing is bespoke, depending on the goal or outcome you wish to achieve, so there is no off-the-shelf price for a penetration test.
For each project we will technically scope your requirements and establish the time needed to complete the work. We will then provide a detailed proposal and breakdown of costs and options.
We supply a full penetration testing or vulnerability assessment report for Cloud testing, which covers the following:
- Executive management summary - Non-technical overview of issues for management board level
- Detailed technical findings - A complete list of all issues identified
- Affected hosts - A list of all hosts affected, including the associated network port
- Risk level - Impact, likelihood and overall risk ratings are listed for each issue
- Examples - Output or screenshots to demonstrate the issue
- Recommendations - Recommendations of how to remediate the issues, including any reference to documents that can assist
A sample report can be supplied upon request.
We have a full methodology for all testing services we provide, which is supplied with each project proposal. This outlines the testing steps and all the requirements in order to deliver the test.
All of our application testing methodology aligns to the OWASP Top 10 standard, which is the industry standard for application security.