This article is a part of the SearchCloudSecurity.com AWS security and Amazon EC2 security tutorial.
Core Security Technologies, a Boston-based provider of security testing software, this week introduced a penetration testing service that companies can use to assess the security of their Amazon Web Services environments.
Called Core CloudInspect, the on-demand pen testing service gives AWS customers an automated way to evaluate their AWS-hosted instances and Web applications for security. Offered via the SaaS model, the service is based on methods Core Security has developed to emulate hacker behavior in its software.
“We built it as a service, knowing people buying cloud services aren’t necessarily security experts,” said Kim Legelis, vice president of marketing at Core Security. “They have concerns around security and want a simple way to validate the security of their instances or Web applications in the cloud.”
To use the service for AWS security, companies log into Core CloudInspect, authenticate their AWS deployment, and choose which instances they want to test. Legelis said the AWS authentication keys that give customers access to their instances are shared with Core on a read-only basis. Back-end integration between Core’s service and AWS allows Core to present the user with a list of his or her AWS instances to choose from for testing.
Thousands of exploits are launched against the instances, producing a set of reports that give customers either a list of issues to remediate or confirmation of security, Legelis said. The cost is $20 per test per instance or Web application. For a limited time, Core Security is offering three free tests per month.
The service automates what is a cumbersome process, Legelis said. Without it, customers need to get special permission from Amazon to conduct pen testing against their instances and hire someone capable of conducting the pen tests, she said. “All that manual activity is eliminated through our integration with AWS,” she added.
Dave Shackleford, a founder and principal consultant with Voodoo Security and a certified SANS instructor, said the need for security services and products that can operate in Amazon’s cloud is growing as more organizations move resources into it.
“Core's CloudInspect is a great way for security teams to perform safe, effective AWS penetration tests with Amazon's blessing since the impact to multitenant platforms is reduced,” he wrote in an email. “The service really streamlines the process for coordinating, scheduling and performing the tests.”
He added that Core has a good reputation in professional pen testing, making the service attractive to AWS customers who need vulnerability assessments in the cloud.