Penetration testing against cloud deployments can be a very contentious issue with some companies, but with many of the verticals that I work it’s a necessary evil - whether you are deploying IaaS components or PaaS, buying a SaaS platform or a mixture, it’s highly likely your project is going to need to look at some form of security assurance.

But the problem will come … what is enough? And what is the standard you will employ?

That question will normally be driven by the organisation you are in - but I often find myself in companies that are cloud immature - even if they have already adopted several SaaS platforms already (usually by accident), or have started on their first major Azure build, they still are likely to be rolling out their cloud frameworks and policies and need guidance.

There are multiple different standards when it comes to applying Pen Testing to an Azure, or basically any cloud, deployment - but the key thing is WHAT you are deploying to assess HOW you need to test it.

When to use CVSS vs CIS vs Microsoft vs piece of string ?

There really is no “one size fits all” and you need to consider what you are applying the test against and what the goal is. But here is my own starter for ten.

SaaS

If you are looking at a SaaS app, and assuming you already have permission to test, you should start with your standard fuzzing style test, OWASP etc. Make sure its externally secure. Score against CVSS. And ensure that you request the vendors full testing - don’t be put off with just the summary document (they usually love to just give you the executive summary, which honestly, gives you basically nothing and can hide so much) you want to get some decent amount of detail. You don’t need the full test, but you do need a list of the findings, how and when they were fixed or mitigated.

Cloud IaaS

IaaS deployments onto the cloud should be, ultimately, secured in the same way that you would deploy servers and infrastructure in any other way - you are basically just deploying servers and infrastructure onto someone else’s tin. That is all. You still need to worry about securing the networks, the server’s and the applications you deploy on them. So this means consider firewalls, transport rules and so on.

Your testing therefore will likely comprise both CVSS and something like CIS benchmark testing. This will cover the physical component (i.e. server build) aspect, but also the cloud specific elements that are covered under something like CIS benchmark which can be missed when just assessing under CVSS style testing.

Cloud PaaS

When deploying a PaaS, you don’t have much to test - you are reducing it to the amount you must consider to essentially just a CIS benchmark, or Microsoft benchmark required. You might consider doing a code review, or security test of any code that is operating - for example - in any Function Apps to ensure they are secure.

Configuration Reviews

Working with the cloud is a little different to working with on-premises platforms; you have automated benchmarking tooling such as the Microsoft Cloud Defender assessments, Microsoft Benchmarks, CIS Benchmarks and so on. These can all be used to ensure (or try and highlight) anything that is materially wrong, or insecure, and protect you as far as possible. You should always be paying attention to these, and not always relying on third party penetrating testing partners to identify vulnerabilities. These reports should be your go-to during development and BAU to ensure that your deployments continue to be secure, and you aggressively remediate findings where they are identified.

You can associate multiple regulatory compliance policies to your subscriptions in Azure, such as CIS, PCI and so on to assist in specific focussed security issues to ensure you comply with regulatory conditions - which will help you for attesting things like SS 2/21 for the PRA, etc.

References

Microsoft Pen Testing Guidelines