What is a Cloud Service/Platform?
Cloud computing is the on-demand availability of computer system resources, especially data storage (cloud storage) and computing power, without direct active management by the user. It contrasts with other hosting and service provision models such as colocation (in which a company places its own servers and network equipment in rented space within a third-party managed data center) and on-premises self-hosting (the classic private infrastructure owned, housed and managed directly by the company itself).
Large clouds often have functions distributed over multiple locations, each location being a data center. Cloud computing relies on sharing of resources to achieve economies of scale, typically using a "pay-as-you-go" model which can help in reducing capital expenditure.
Examples include Amazon AWS (including EC2), Microsoft Azure and Google Cloud Platform (GCP).
What is required from a technical perspective in order for AppCheck to scan a Cloud Service or Platform?
AppCheck is able to scan cloud-hosted web services that are presented on a public IP address over the public internet. To scan the underlying serving infrastructure, or any web services exposed only within a private cloud or VPC, customers will typically need to deploy an AppCheck internal scan hub within their private cloud estate.
For further information on internal hubs see:
- https://appcheck.zendesk.com/hc/en-us/articles/115002560549-What-are-AppCheck-s-internal-scan-hubs-and-how-do-they-work-
- https://appcheck.zendesk.com/hc/en-us/articles/115003281525-Deploying-an-internal-hub-on-Azure
Are there any legal or contractual limitations with scanning cloud-hosted web services?
In addition to the technical requirements for scanning cloud-based platforms such as AWS and Azure, there are also terms and conditions set by the platform providers, which are outlined below.
Please note: Information contained in this article refers (and links) to conditions set by cloud platform providers including Amazon and Microsoft. These are correct at the time of writing but are not controlled by AppCheck, so they could change without notice. As a user it is your responsibility to confirm that you are adhering to the latest rules from your platform providers. This is not only part of your agreement with providers like Microsoft and Amazon, but also part of your agreement as a customer of AppCheck under our acceptable use policy: https://scanner.appcheck-ng.com/assets/acceptable_use_policy.pdf
Additionally, for an article covering broader concerns, please see our knowledgebase article:
What are Amazon's terms of service and conditions for scanning applications in AWS / EC2?
Before scanning your Application on Amazon's AWS / EC2 platform please review their policy as outlined here: https://aws.amazon.com/security/penetration-testing/
You may find the below information helpful when planning a test in AWS:
Scanning IP addresses (Source)
Scanning traffic can come from any of our scanning hubs, which are in the IP ranges specified here: AppCheck's IP Range
Total Bandwidth (Please provide expected Gbps)
Scanning traffic usually comes entirely from one scanning hub at a time, so the maximum expected traffic is 1 Gbps. In practice the throughput is usually much lower, but this depends heavily on the application itself.
Instances excluded from scanning
AWS excludes the t1.micro, m1.small, t3.nano and t2.nano instance types from penetration testing, so make sure the target is provisioned on an instance type large enough not to fall foul of this.
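Two of the planning points above (the scanner source ranges and the excluded instance types) can be checked before a scan is scheduled. The script below is an added example written for this article, not AppCheck's own tooling or an AWS-provided check: it walks data shaped like the output of `aws ec2 describe-instances` and `aws ec2 describe-security-groups`, flags instances on an excluded type, and reports any scanner source range that no ingress rule fully admits on the target port. The scanner CIDRs in it are placeholders, not AppCheck's real hub ranges (substitute the ranges published on the AppCheck IP range page), and the instance and security group data are constructed samples.

```python
"""Pre-scan readiness check for an AWS target (added example, not AppCheck code)."""
import ipaddress

# Instance types AWS excludes from penetration testing (as listed in this article).
EXCLUDED_INSTANCE_TYPES = {"t1.micro", "m1.small", "t3.nano", "t2.nano"}

# ASSUMPTION: placeholder documentation ranges, NOT AppCheck's real scan hub ranges.
# Replace with the ranges from AppCheck's IP range page before using this for real.
SCANNER_SOURCE_CIDRS = ["203.0.113.0/24", "198.51.100.16/28"]


def excluded_instances(reservations):
    """Return (InstanceId, InstanceType) pairs that AWS will not allow to be scanned.

    `reservations` has the shape of the `Reservations` list returned by
    `aws ec2 describe-instances`.
    """
    found = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("InstanceType") in EXCLUDED_INSTANCE_TYPES:
                found.append((inst["InstanceId"], inst["InstanceType"]))
    return found


def _ingress_allows(perm, port):
    """True if one IpPermission entry covers TCP `port` (or is an all-traffic rule)."""
    if perm.get("IpProtocol") == "-1":          # "-1" means all protocols/ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def unreachable_scanner_ranges(security_group, port, scanner_cidrs=SCANNER_SOURCE_CIDRS):
    """Return the scanner CIDRs that no ingress rule in `security_group` admits on `port`.

    A scanner range only counts as admitted when some rule CIDR fully contains it;
    a rule covering half the range would make the scan flaky rather than work.
    `security_group` has the shape of one entry from `aws ec2 describe-security-groups`.
    """
    missing = []
    for cidr in scanner_cidrs:
        scanner_net = ipaddress.ip_network(cidr)
        admitted = False
        for perm in security_group.get("IpPermissions", []):
            if not _ingress_allows(perm, port):
                continue
            for rng in perm.get("IpRanges", []):
                rule_net = ipaddress.ip_network(rng["CidrIp"])
                # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
                if rule_net.version == scanner_net.version and scanner_net.subnet_of(rule_net):
                    admitted = True
                    break
            if admitted:
                break
        if not admitted:
            missing.append(cidr)
    return missing


# Constructed sample data shaped like the AWS CLI output (not from a real account).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "InstanceType": "t2.nano"},
        {"InstanceId": "i-0bbb", "InstanceType": "t3.medium"},
    ]},
    {"Instances": [
        {"InstanceId": "i-0ccc", "InstanceType": "m1.small"},
    ]},
]

SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0123",
    "IpPermissions": [
        # HTTPS open to the first placeholder scanner range only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        # SSH from an office range; irrelevant to the scan
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "192.0.2.0/24"}]},
    ],
}

if __name__ == "__main__":
    for iid, itype in excluded_instances(SAMPLE_RESERVATIONS):
        print(f"{iid}: {itype} is excluded by AWS; resize before scanning")
    for cidr in unreachable_scanner_ranges(SAMPLE_SECURITY_GROUP, 443):
        print(f"scanner range {cidr} is not admitted on 443 by {SAMPLE_SECURITY_GROUP['GroupId']}")
```

Against the constructed sample, the check reports two instances on excluded types and one scanner range that the HTTPS rule does not cover; in a real account you would feed it the JSON from the two CLI commands named above.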
Test types prohibited by Amazon
The following activities are prohibited at this time:
- DNS zone walking via Amazon Route 53 Hosted Zones
- Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
- Port flooding
- Protocol flooding
- Request flooding (login request flooding, API request flooding)
Standard AppCheck scans do not perform any of these activities.
What are Microsoft's terms of service and conditions for scanning applications in Azure?
Microsoft Azure Pre-Authorisation for Testing
Microsoft no longer requires pre-approval for penetration testing against Azure resources (see the statement at https://docs.microsoft.com/en-us/azure/security/fundamentals/pen-testing). However, users must still comply with Microsoft's rules of engagement.
Microsoft Azure Rules of Engagement
Microsoft's Rules of Engagement for Azure are posted at https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement.
The following lists Microsoft's prohibited actions (at time of writing), and describes how this applies to AppCheck scanning: