In recent years, there has been a growing trend in the number of applications that take advantage of the benefits offered by cloud-based infrastructures.
Concepts like IaaS, SaaS or PaaS are part of the standard language of a generation of applications that benefit from the capacity, power and scalability of third-party services such as AWS or Azure.
At Tarlogic, we are aware of this trend and we know our customers need to guarantee the security of the assets that can make use of these environments. Our cloud security audits safeguard the security of these tools.
The benefits that cloud security audits can bring include:
Detection of bad practices related to different misconfigurations and implementations on cloud services.
Detection of problems arising from the use of authentication APIs and tokens from third-party services.
Identification of authorisation vulnerabilities related to an incorrect management of roles, permissions and privileges (IAM).
Vulnerabilities related to insecure APIs.
Security assessment of cloud-based storage buckets.
Detection of vulnerabilities by exploiting lambda functions and stateless processes.
Identification of exposed services and their possible insecure configurations in serverless environments.
The cloud security audits on cloud-based applications require a different approach compared to regular audits. On the one hand, third-party cloud-based infrastructures usually apply measures by default that cover certain aspects of security. However, the large number of possible configurations available in the management consoles of these platforms open the door to vulnerabilities that can unwittingly lead to a major breach of the managed information. Likewise, these applications are not free from problems related to incorrect programming practices of their business logic, inadequate management of authentication tokens and access policies, and injections that can affect the particularities of the elements that make up their particular architecture.
At Tarlogic we evaluate the security of all these elements, by analysing the specific components of the cloud architecture used in each case, and we carry out a methodology with tools and manual tests to detect possible vulnerabilities.