Cloud Security Audits
As more businesses move to the cloud, the threats against them grow with the move. Since the cloud now carries the core infrastructure of your business, it is essential to verify that your data is properly secured, in the same way you would have regular check-ups with your physician.
Approach And Methodology
Our Cloud Security Audits comprise two main security activities: penetration testing and vulnerability assessment.
- Penetration testing involves assuming the role of an attacker with the intent of breaking in and gaining access by exploiting system vulnerabilities and technical oversights in the implementation.
- A vulnerability assessment aims to identify security weaknesses in a system that are commonly known and exploited. During an assessment, methodologies similar to those of a penetration test are employed, with a clear focus on finding known vulnerabilities rather than on chaining them into a break-in.
Deimos performs both automated and manual security testing as part of all its security packages. Running the automated assessment first allows the team to catch the low-hanging fruit before focusing on more complex attack vectors; most often, the real value comes from the manual testing.
For automated security testing, our team uses a combination of OWASP ZAP and Google Web Security Scanner.
Below are various steps performed as part of a Cloud Security Audit:
- Inspect Application
- Run Automated Scans
- Review Scan Results
- Perform Manual Testing
- Review Test Results
- Compile Findings into a Security Audit Report
- Review the Security Audit Report with you, the client
Below are a few of the checks we perform during the assessment:
- We review your application and infrastructure architecture with a focus on its security posture: that Identity and Access Management is configured on a least-privilege basis, that Cloud Audit Logs are enabled, and that you are getting the most from Security Command Center.
- We review your code and application architecture against industry-standard benchmarks such as the CIS Benchmarks and OWASP guidance.
- We check that secrets are managed through Secret Manager rather than embedded in code or configuration, and that security events are captured in a platform such as Chronicle.
- We review your resource hierarchy, network structure (segmentation and controls), key management and logging.
- We assess your software supply chain using frameworks such as SLSA.
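As an added example (not Deimos's tooling and not code from the original page), the Python script below automates two of the checks listed above. It reads an exported GCP project IAM policy, the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns, flags public principals, basic roles, escalation-capable roles and identities outside the organisation's domains, and then inspects the `auditConfigs` block for the CIS-recommended Data Access audit log settings. The role sets, the allowed-domain list, the severities and the sample policy are assumptions chosen for illustration.

```python
"""Added example: audit a GCP project IAM policy for the IAM and Cloud Audit
Log checks described above.  Input is the JSON that
`gcloud projects get-iam-policy PROJECT --format=json` returns.  The role sets,
the allowed domains and the sample policy are this example's own assumptions."""
from typing import Dict, List

# Basic roles are far broader than any workload needs (no least privilege).
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Any binding to these principals makes the resource effectively public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Roles that let a principal act as a service account or rewrite IAM itself:
# well-known privilege-escalation paths that deserve a second look.
SENSITIVE_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.securityAdmin",
    "roles/resourcemanager.projectIamAdmin",
}
# CIS GCP Benchmark: Data Access audit logs on for all services, no exemptions.
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}

Finding = Dict[str, str]


def _finding(severity: str, issue: str, role: str = "", member: str = "") -> Finding:
    return {"severity": severity, "issue": issue, "role": role, "member": member}


def audit_bindings(policy: dict, allowed_domains=("example.com",)) -> List[Finding]:
    """Flag public, over-broad, escalation-capable and external-identity bindings."""
    findings: List[Finding] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            kind, _, identity = member.partition(":")  # e.g. "user", "alice@example.com"
            if member in PUBLIC_MEMBERS:
                findings.append(_finding("high", "role granted to a public principal", role, member))
                continue
            if role in BASIC_ROLES:
                if kind == "serviceAccount" and role != "roles/viewer":
                    findings.append(_finding("high", "owner/editor on a service account; replace with predefined roles", role, member))
                else:
                    findings.append(_finding("medium", "basic role granted; prefer predefined or custom roles", role, member))
            if role in SENSITIVE_ROLES:
                findings.append(_finding("medium", "privilege-escalation-capable role; confirm it is required", role, member))
            if kind in ("user", "group") and not identity.endswith(tuple("@" + d for d in allowed_domains)):
                findings.append(_finding("medium", "identity outside the organisation's domains", role, member))
    return findings


def audit_audit_logs(policy: dict) -> List[Finding]:
    """Check the policy's auditConfigs for the allServices Data Access log settings."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") != "allServices":
            continue
        log_configs = cfg.get("auditLogConfigs", [])
        enabled = {lc.get("logType") for lc in log_configs}
        findings: List[Finding] = []
        missing = REQUIRED_LOG_TYPES - enabled
        if missing:
            findings.append(_finding("medium", "audit log types disabled for allServices: " + ", ".join(sorted(missing))))
        if any(lc.get("exemptedMembers") for lc in log_configs):
            findings.append(_finding("low", "exempted members present in the allServices audit config"))
        return findings
    # Data Access logs are off by default, so a missing entry means they are off.
    return [_finding("medium", "no allServices auditConfig; Data Access audit logs are disabled")]


def audit_iam_policy(policy: dict, allowed_domains=("example.com",)) -> List[Finding]:
    return audit_bindings(policy, allowed_domains) + audit_audit_logs(policy)


# Constructed sample policy (not a real project) exhibiting the issues above.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:deploy@demo-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["allUsers"]},
        {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:bob@gmail.com"]},
        {"role": "roles/storage.objectViewer", "members": ["group:devs@example.com"]},
    ],
}

if __name__ == "__main__":
    for f in audit_iam_policy(SAMPLE_POLICY):
        print(f"[{f['severity'].upper():6}] {f['issue']}  {f['role']} {f['member']}".rstrip())
```

On the constructed sample the script reports six findings: two high (owner on a service account, viewer for allUsers) and four medium, including the absent `auditConfigs` entry. Replacing `SAMPLE_POLICY` with a real export, and `allowed_domains` with your own Workspace domains, turns it into a quick first pass before the manual review.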
Key Deliverables from a Cloud Security Audit
At the end of each assessment, Deimos will share a password-protected report outlining each vulnerability, its severity, evidence that it exists, the risks associated with it and recommendations on how to address it.
Deimos will also schedule a workshop with our Security team to discuss the findings and recommendations in more detail.
Deimos can offer the services of its Software Architects, Security Engineers and Software Engineers to assist with fixing the issues outlined in the report. This will be done on a time-and-materials basis.
For a more in depth look at how we conduct a cloud security audit, please download an example assessment report below!
Our pricing is based on the number of hours of work required, which depends on the size of your system or application. Please get in touch for a quote.
Small Systems/Applications (40 hours)
A small system, consisting of a handful of components only. A small system can be easily maintained by a single team of engineers.
Medium Systems/Applications (80 hours)
Ideal for systems consisting of multiple components. A medium system often requires two to three teams to maintain.
Large Systems/Applications (160 hours)
Ideal for a system spanning multiple domains. Large systems are complex and built up of multiple components, technologies, and frameworks. These systems require many teams to maintain and often require a lot of effort to coordinate.
Below we have outlined the steps and process we take in each audit. This will give you an idea of the way in which we work on your system, and with you.
The Security Audit starts with a project kickoff meeting. This meeting allows us to align on expectations and determine any specific areas you, the client, want us to focus on. This session is also used to gain a good understanding of the business and its use of technology.
The Discovery sessions are used to gain a better understanding of the various systems at play. Discovery sessions are extremely important to any closed-box testing: they give us an opportunity to fast-track our understanding of the systems under test.
This is where the real work happens. During the assessment step, our security and infrastructure engineers review your systems to surface any security issues or concerns.
We compile our findings into a well-written report. We always include recommendations on how to address any issues we raise.
We will review the report together. Our Security Engineers will explain our findings in detail and facilitate any conversations about potential remediations.