28 August, 2019
Vulnerability Assessment & Pen Testing in AWS for SOC 2
Many organizations have now started considering security as an essential factor while choosing a vendor. This shift has led to a surge in service providers opting for SOC 2 compliance to demonstrate that they have implemented an adequate level of security controls, and an authorized third party has audited these controls.
SOC (System and Organization Controls) prescribes five trust service principles (TSPs): security, availability, confidentiality, privacy, and processing integrity. There are two types of audits: SOC 2 Type I and SOC 2 Type II. A Type I audit tests the controls that are in place at a specific point in time against the criteria set by the TSPs. The auditor looks at how the organization describes its systems and controls, along with the internal documentation provided to support their implementation. A Type II audit tests the operating effectiveness of the security controls over a period of time, at least six consecutive months. In this audit, the auditor checks whether the implemented controls actually function as the organization describes them.
SOC 2 audit reports serve a wide range of audiences that need an independent assessment of a prospective vendor's security maturity. SaaS providers increasingly rely on AWS infrastructure to deliver their services. In a SOC 2 Type II audit specifically, vulnerability assessments and penetration tests are conducted to measure the operational effectiveness of security controls. Our security experts have designed a step-by-step process to partner with SaaS providers to quickly detect, address, and remediate vulnerabilities in their technical infrastructure while ensuring that these exercises do not violate the AWS terms of service.
It must be noted that before beginning any security-related activity in an organization's AWS-hosted cloud environment, the procedure set out in the AWS terms of service (submitting a request form, obtaining approval, etc.) must be followed.
Step 1: Architecture Review
BreachLock partners with organizations to ensure that they comply with the requirements of HIPAA, NIST, PCI DSS, GDPR, SOC 2, etc. In the first step, our experts review an organization’s technical infrastructure to understand its current risk posture. They ensure that TSPs are appropriately implemented so that the cloud environment is robust and secure enough to meet the business, security, and legal requirements for a SaaS organization. They also check for security issues commonly found in AWS-based applications. Various components of an architecture review are as follows –
- Access Control and Management (checking privilege level, VPN connections, SSH connections, RDP, etc.)
- Segmentation of the cloud environment using ELBs (Elastic Load Balancers) for public-facing sites, separate subnets for database-related services, and private subnets for web servers.
- Encryption during transmission as well as at rest (reviewing TLS termination endpoints and encryption of database fields)
- Continuous monitoring configuration
- Supporting architecture for redundancy
- Fault Tolerance
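One way to automate two of the review items above (exposed admin ports under access control, and encryption at rest plus subnet placement for databases), as an added example that is not part of the original post or the BreachLock platform: it audits security-group and RDS descriptions, constructed inline in the shape of the AWS describe_security_groups and describe_db_instances responses, and flags SSH/RDP rules open to any source and databases that are unencrypted or publicly reachable.

```python
# Added example (not BreachLock's tooling): audit data shaped like the AWS
# describe_security_groups / describe_db_instances responses for two review items
# above: SSH/RDP open to the whole internet, and unencrypted or public databases.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_CIDR = {"0.0.0.0/0", "::/0"}          # "from anywhere" sources

def rule_covers(perm, port):
    """True if a security-group rule admits TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":        # AWS encodes "all traffic" as -1
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def open_admin_ports(security_groups):
    """Return sorted (GroupId, service) pairs for admin ports open to any source."""
    findings = set()
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            sources |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if sources & ANY_CIDR:
                for port, name in ADMIN_PORTS.items():
                    if rule_covers(perm, port):
                        findings.add((sg["GroupId"], name))
    return sorted(findings)

def db_review_findings(db_instances):
    """Flag RDS instances that are unencrypted at rest or publicly accessible."""
    findings = []
    for db in db_instances:
        ident = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append((ident, "storage not encrypted at rest"))
        if db.get("PubliclyAccessible", False):
            findings.append((ident, "publicly accessible, should be in a private subnet"))
    return findings

# Constructed sample input; group ids and instance names are placeholders.
SAMPLE_SGS = [
    {"GroupId": "sg-bastion", "IpPermissions": [           # SSH from one office range only
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-web", "IpPermissions": [               # HTTPS is fine, RDP to the world is not
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_DBS = [
    {"DBInstanceIdentifier": "app-db", "StorageEncrypted": True, "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False, "PubliclyAccessible": True},
]
```

On real accounts the same functions can be fed the `SecurityGroups` and `DBInstances` lists returned by the AWS CLI or SDK; both findings lists feed directly into the remediation report of Step 4.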
This step is followed by an overall internal vulnerability scan and an external penetration test of the hosting environment.
Step 2: Vulnerability Scan
The internal vulnerability scan is performed using the BreachLock cloud platform along with other prominent tools to ensure that all the bases are covered. On the BreachLock platform, findings are shown with their CVE numbers and mapped against the relevant standards. They are classified by risk level: Critical, High, Medium, Low, and Info. As a best practice, we recommend that clients immediately address the Critical, High, and Medium findings while preparing a plan to address the Low-risk findings within a defined period.
Step 3: Penetration Test
An external penetration test is conducted by our security team to identify vulnerabilities in a SaaS organization's publicly exposed web application. This test can be authenticated as well as unauthenticated. The focus remains on finding issues that could disrupt operations, such as SQLi, XSS, clickjacking, session hijacking, etc. Our security experts use a wide range of tools alongside the BreachLock cloud platform to perform a penetration test. Moreover, the progress of a penetration test can be tracked on the BreachLock platform itself.
Step 4: Remediation & Certification
After the initial architecture review, followed by the vulnerability scanning and penetration testing exercises, we provide a detailed report covering the results and their descriptions. These exercises are repeated after the organization has addressed the findings in the report. Once it is verified that the findings have been remediated, we generate a security certificate.