Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Download Publication

Cloud Penetration Testing Playbook
Cloud Penetration Testing Playbook

Cloud Penetration Testing Playbook

Release Date: 07/12/2019

Working Groups: Top Threats Data Security

As cloud services continue to enable new technologies and see massive adoption there is a need to extend the scope of penetration testing into public cloud systems and components. The process described here aims to provide the foundation for a public cloud penetration testing methodology and is designed for current and future technologies that are hosted on public cloud environments or services. In particular, this document focuses on penetration testing of applications and services hosted in the cloud. It addresses the methodological and knowledge gaps in security testing of information systems and applications in public cloud environments.

This work focuses on testing systems and services hosted in public cloud environments. This refers to customer-controlled or customer-managed systems and services. For example, a custom virtual machine, managed and controlled by the cloud customer, in an IaaS environment would be in-scope whereas the hypervisor of an IaaS environment that is controlled by the cloud service provider isn’t. As for testing hybrid clouds, this document does not cover the hybrid interface and on-premises environment.
Download this Resource

Prefer to access this resource without an account? Download it now.

Bookmark
Share
View translations
Related resources
The Six Pillars of DevSecOps: Measure, Monitor, Report, and Action
The Six Pillars of DevSecOps: Measure, Monitor,...
Cloud Controls Matrix and CAIQ v4
Cloud Controls Matrix and CAIQ v4
HSM-as-a-Service Use Cases, Considerations, and Best Practices
HSM-as-a-Service Use Cases, Considerations, and...
Exploring Syscall Evasion – Linux Shell Built-ins
Exploring Syscall Evasion – Linux Shell Built-ins
Published: 05/20/2024
Two Effective Strategies to Reduce Critical Vulnerabilities in Applications
Two Effective Strategies to Reduce Critical Vulnerabilities in Appl...
Published: 05/20/2024
Navigating Cloud Security Best Practices: A Strategic Guide
Navigating Cloud Security Best Practices: A Strategic Guide
Published: 05/15/2024
How to Design an IT Service Model for End User Happiness
How to Design an IT Service Model for End User Happiness
Published: 05/15/2024

Acknowledgements

Michael Roza
Michael Roza
Risk, Audit, Control and Compliance Professional

Michael Roza

Risk, Audit, Control and Compliance Professional

Since 2012 Michael has contributed to over 100 CSA projects completed by CSA's Internet of Things, Zero Trust/Software-Defined Perimeter, Top Threats, Cloud Control Matrix, Containers/Microservices, DevSecOps, and other working groups. He has also served as co-chair of CSA's Enterprise Architecture, Top Threats, and Security-as-a-Service working groups while also serving as the Standards Liaison Officer for IoT, ICS, EA, SECaaS, and Cloud K...

Read more

Victor Chin Headshot Missing
Victor Chin

Victor Chin

Jon-Michael Brook
Jon-Michael Brook

Jon-Michael Brook

Jon-Michael C. Brook is a certified, 25-year practitioner of cybersecurity, cloud, and privacy. He is the principal contributor to certification sites for privacy and cloud security, and has published books on privacy. Jon-Michael received numerous awards and recognition during his time with Raytheon, Northrop Grumman, Symantec, and Starbucks. He holds patents and trade secrets in intrusion detection, GUI design, and semantic data redaction...

Read more

Greg Jensen Headshot Missing
Greg Jensen

Greg Jensen

Asaf Hecht Headshot Missing
Asaf Hecht

Asaf Hecht

Shlomi Ohayon Headshot Missing
Shlomi Ohayon

Shlomi Ohayon

Chris Farris Headshot Missing
Chris Farris

Chris Farris

Are you a research volunteer? Request to have your profile displayed on the website here.

Interested in helping develop research with CSA?

Related Certificates & Training