FAQ

General

How is Core CloudInspect Different?

Testing Capabilities

Conducting Cloud Security Tests

Giving Core CloudInspect Access to Your Cloud Deployment

Reporting and Results

Security and Privacy

Pricing

Support and Feedback

General

Q: What is Core CloudInspect?

Core CloudInspect is the first and only automated cloud security testing solution to deliver on-demand, real-world intelligence on the security readiness of your AWS deployments, including your machine instances and hosted web applications.

Based on the same network and web application assessment capabilities as Core Security’s proven CORE IMPACT Pro penetration testing solution, CloudInspect makes it easy to frequently assess your AWS deployment against current cyber security threats.

Q: What can I do with CloudInspect?

CloudInspect enables you to proactively and safely test the security of your AWS machine instances and web applications against real-world attacks – both to verify your cloud deployment security standing and to identify critical exposures requiring remediation.

With CloudInspect, you can:

  • proactively verify the security of your AWS deployments against real, current attack techniques

  • safely pinpoint and validate critical OS and services vulnerabilities on your machine instances – with no false positives

  • measure the susceptibility of your AWS-hosted web applications to SQL injection, cross-site scripting, and other web application attacks

  • determine whether security controls required by industry and government regulations are in-place and effective

  • get the actionable remediation information needed to apply the necessary patches and code fixes

  • certify systems before they go live and frequently test to reconfirm security posture over time

  • evaluate your cloud security standing year-round

Q: Why should I test the security of my cloud deployments?

Today, it’s essential to proactively identify exposures in your systems and applications before attackers can compromise them to steal sensitive data and disrupt operational processes. What’s more, your cloud deployment’s changing risk posture necessitates repeated testing as you deploy and update instances and applications, as new vulnerabilities are discovered, and as attackers hone their techniques. 

Your company’s reputation, customer trust, intellectual property, sensitive data, and compliance status can depend on your cloud-based infrastructure as much as they do on your in-house IT environment – so security was likely a key consideration when you selected Amazon AWS as your cloud provider.

While Amazon has a robust process for implementing and maintaining host system and virtualization layer security, it’s your responsibility to continuously maintain and test the security of your guest operating systems and applications running on AWS. Ensuring ongoing security in the cloud requires that you not only equip your AWS instances with defensive security controls, but also regularly assess their ability to withstand the latest data breach threats.

Core CloudInspect provides a fast, easy and affordable way to regularly and proactively assess your AWS cloud deployments against attack techniques used in the wild. By using CloudInspect, you not only gain actionable information about critical exposures, but also verify that your security controls are in place and working as expected.

Q: Isn’t Amazon responsible for the security of my cloud deployments?

You and Amazon share responsibility for the security of your cloud deployment – and Amazon is not responsible for the secure development of your applications. Below is a description of Amazon’s Shared Responsibility security model, excerpted from the Amazon white paper, Amazon Web Services: Overview of Security Processes:

“AWS services operate under a model of shared responsibility between the customer and AWS. AWS relieves customer burden by managing physical infrastructure and those components that enable virtualization. An example of this shared responsibility would be that a customer utilizing Amazon EC2 should expect AWS to operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. In this case the customer should assume responsibility and management of, but not limited to, the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services and their integration. It is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of items such as host based firewalls, host based intrusion detection/prevention, encryption and key management.”

Q: Where can I find more information about AWS security?

You can learn more about AWS security policies and procedures in the Amazon AWS Security Center.

Q: How does CloudInspect help with compliance?

Core CloudInspect both contributes to compliance initiatives that call for proactive security testing, such as the PCI Data Security Standard and the FISMA NIST guidelines, and helps to identify whether mandated defensive security controls are in place and working as expected.

Q: How do I get started with CloudInspect?

If you are an Amazon AWS customer with active machine instances or web applications running in your cloud deployment, you can begin using CloudInspect immediately.

To test your AWS cloud deployment, click the green “Test Your Cloud” button on any page on this site.

Q: Do I need any special skills to use CloudInspect?

Some IT knowledge is required for the initial CloudInspect account setup process, which includes generating the “describe instance” credentials required for the solution to test your instances and applications.

After the initial setup, no special skills are required to assess your cloud deployment. Initiating a security test with CloudInspect is a straightforward, wizard-driven process in which you select target instances, test types and report types in a few easy steps. The security test itself is completely automated.

CloudInspect reports contain information targeted to multiple audiences, offering executive summaries as well as in-depth technical details on any exploitable vulnerabilities identified.

Q: What is a penetration test?

A penetration test is a proactive and authorized attempt to evaluate the security of an IT infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application weaknesses. Such assessments are useful in validating the efficacy of defensive mechanisms, identifying unpatched exposures, and revealing coding flaws. Penetration testing ultimately helps to verify the ability of your infrastructure to withstand real-world attacks.

Tests are typically performed using manual or automated technologies to systematically compromise servers, web applications and other potential points of exposure. Once vulnerabilities have been successfully exploited on a particular system, testers may attempt to use the compromised system to launch subsequent exploits at other internal resources, specifically by trying to incrementally achieve higher levels of security clearance and deeper access to electronic assets and information via privilege escalation.

Information about any security vulnerabilities successfully exploited through penetration testing is typically aggregated and presented to IT and network systems managers to help those professionals make strategic conclusions and prioritize related remediation efforts. The fundamental purpose of penetration testing is to measure the feasibility of systems compromise and evaluate any related consequences such incidents may have on the involved resources or operations.

Penetration testing is a well-recognized security assessment methodology, and proactive security testing is mandated by the PCI Data Security Standard, FISMA NIST, and other legislative and industry regulations concerned with data security.

How is Core CloudInspect Different?

Q: How is this different from a vulnerability scan?

Vulnerability scanners seek to help organizations garner information regarding potential weaknesses by unearthing every type of weakness they can find, but typically produce such large volumes of data that users of the systems are left with a heavy workload in terms of discerning which vulnerabilities pose tangible risks to their information assets.

By comparison, penetration testing – such as that performed by CloudInspect – offers the most effective way to rapidly identify serious points of security exposure by assessing systems and applications against real-world attack techniques. By both identifying exposures and proving their exploitability, CloudInspect helps to prioritize remediation efforts and ensure that patching and code-fixing efforts are focused on the most critical areas of need.

Q: How is CloudInspect different from CORE IMPACT and CORE INSIGHT?

Core Security’s CORE IMPACT Pro and CORE INSIGHT Enterprise security test and measurement solutions are designed for use primarily in assessing the security of internal IT environments and web applications that are hosted in-house.

Both IMPACT and INSIGHT offer extensive security test and measurement capabilities that can trace paths of exploitable vulnerabilities attackers could leverage to pivot throughout your organization’s infrastructure – across both internal and externally facing systems. Both also offer a range of post-exploitation capabilities that help to reveal what data would be exposed if a system or application were to be compromised.

CloudInspect is designed specifically to test cloud-based machine instances and web applications. CloudInspect uses largely the same exploit library and dynamic web application attack techniques as IMPACT Pro (one exception is CloudInspect does not run denial of service exploits).

CloudInspect is primarily focused on identifying critical, externally exploitable points of exposure to your virtual systems and cloud-based applications. The solution does not currently offer privilege escalation or pivoting capabilities to replicate the actions of an attacker after the initial compromise.

CloudInspect is a completely automated solution that requires almost no setup. It also ensures that security assessments fulfill Amazon’s penetration testing policies and follow Amazon’s authorization procedure.

Q: Can I use CORE IMPACT or CORE INSIGHT to test my cloud security?

Yes and no. You can schedule CORE IMPACT penetration testing to occur during a specific time period via Amazon’s Penetration Testing Permission Request procedure. However, CORE INSIGHT is not designed for use with Amazon AWS cloud deployments.

Core CloudInspect is pre-authorized by Amazon, enabling you to conduct testing at your convenience and as frequently as you need. It also includes technology specifically designed to test AWS cloud deployments.

Q: How does CloudInspect compare to other penetration testing solutions?

CloudInspect is the only commercial-grade penetration testing solution that is integrated with Amazon AWS and pre-approved by Amazon to test your instances and web applications at your convenience. Testing can be initiated by security professionals and AWS administrators alike, since the solution is automated to handle all information gathering, exploit selection and execution, and reporting activities. CloudInspect also offers the largest library of professionally developed remote exploits available, combined with unprecedented capabilities for dynamically creating exploits to target and test custom web applications against today’s most malicious cyber threats.

Testing Capabilities

Q: What can I test with Core CloudInspect?

CloudInspect can test your AWS-hosted machine instances* and web applications against real-world attacks to verify when your defenses are working and to identify critical exposures in need of remediation.

*You can test all AWS machine instances except m1.small or t1.micro instance types. This is Amazon’s policy for all penetration testing, and it is to prevent potential adverse performance impacts on the resources you may be sharing with other customers.

Q: How do you test my machine instances?

CloudInspect assesses machine instance security by safely replicating an attacker’s attempts to profile your systems and compromise them using remote exploits. In each test, it:

  • collects data about the targeted instances through network discovery, port scanning, and OS and service identification

  • automatically selects and launches remote attacks leveraging a large, constantly updated library of safe, commercial-grade exploits

  • generates reports providing details about targeted instances, audits of all exploits attempted, and details about proven vulnerabilities

In addition to identifying critical weaknesses and providing data to help with patching and remediation, CloudInspect enables you to verify when your system defenses are working as expected against a wide range of real-world attacks.

Q: How do you test my web applications?

CloudInspect proactively assesses the security of your AWS-hosted web applications via a range of commercial-grade testing capabilities, including tests for:

  • Cross-Site Scripting (XSS) – reflective and persistent

  • XSS vulnerabilities in dynamic Adobe Flash objects

  • SQL Injection – Traditional and Blind

  • Remote File Inclusion for PHP

Most web applications are custom-built, or highly specialized, and are often not developed with security in mind. Because of the level of customization, testing applications for security vulnerabilities requires the creation of unique exploits. CloudInspect goes beyond web application vulnerability scanning by dynamically creating customized exploits on-the-fly and using them to safely replicate data breach attempts against both proprietary and out-of-the-box web apps.
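The "SQL Injection – Traditional" item in the list above covers one specific coding flaw: untrusted input spliced into the text of a query. The following is an added example, not CloudInspect's own code, built on a small in-memory SQLite table constructed here. It puts the vulnerable lookup beside the parameterized form that a code fix should replace it with, so that a developer reading a finding of this type can see exactly what changes.

```python
"""Vulnerable lookup beside its hardened form, for the 'traditional' SQL
injection case listed above. Added example with a constructed in-memory SQLite
table; it is not CloudInspect code and shows the fix a remediation report
would point to."""
import sqlite3


def make_db():
    """Constructed sample data: three accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """String formatting makes the caller's text part of the SQL grammar, so a
    quote character in the input rewrites the WHERE clause instead of being
    compared as data."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The ? placeholder binds the value at execution time; the statement text
    is fixed, so the same input is only ever compared as a literal string."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The textbook tautology probe that a traditional (result-visible) injection
# test sends: against the vulnerable form it turns a one-row lookup into
# "match every row"; against the parameterized form it matches nothing.
TAUTOLOGY_PROBE = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:   ", lookup_vulnerable(db, "bob"))
    print("vulnerable, probe:          ", lookup_vulnerable(db, TAUTOLOGY_PROBE))
    print("parameterized, normal input:", lookup_parameterized(db, "bob"))
    print("parameterized, probe:       ", lookup_parameterized(db, TAUTOLOGY_PROBE))
```

The "Blind" variant in the same list differs only in how the tester observes the result (through timing or changed page behaviour rather than returned rows); the underlying flaw and the fix are the same, so parameterizing every query closes both.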

Through its reporting capabilities, CloudInspect provides security professionals, web developers and AWS administrators with critical information for identifying security weaknesses, determining possible fixes, and prioritizing remediation efforts. It also generates audit trails of all web application penetration tests performed, servers and databases accessed, and all actions taken during testing.

Please note: To assess the security of a web application that is hosted by a machine instance, you must also include that machine instance in the test.

Q: Can CloudInspect crawl my web applications?

Yes, CloudInspect can crawl and test multiple pages within the same domain. It will not crawl or test web pages outside of your hosted domain(s).

Q: Can I test all of my instances and applications with CloudInspect?

You can test all instances and applications, except m1.small or t1.micro instance types. This is Amazon’s policy for all penetration testing activities, and it is to prevent potential adverse performance impacts on the resources you may be sharing with other customers.

Q: Can CloudInspect test machine instances or web applications that are not hosted in AWS?

No. CloudInspect can only test AWS-hosted machine instances and web applications.

Q: Can I use CloudInspect to test virtual images before they go into production?

Yes. It is good security policy to test your systems and applications prior to pushing them into production, as well as on a regular basis after they go live.

Q: Will CloudInspect know when I add new instances to my cloud deployments?

Yes. New instances automatically appear during the “Select Your Instances” step when you configure a CloudInspect test. The wizard will display all instances and applications that can be tested.

Some instances may be grayed out. These represent either systems that are stopped or m1.small / t1.micro instance types. If an instance is turned off, you may turn it on and include it in the test. You can learn the specific reason by mousing over each instance.

Amazon’s policy does not permit testing m1.small or t1.micro instance types. This is to prevent potential adverse performance impacts on the resources you may be sharing with other customers.

Q: How often are CloudInspect testing capabilities updated?

To help you stay ahead of the latest threats, the Core Security Exploit Writing Team constantly produces new, commercial-grade exploits designed to safely assess your environment for current vulnerabilities. The solution therefore receives approximately 20-30 exploits and other security updates per month. This ongoing development effort is backed by research from our CoreLabs vulnerability research team and by field expertise from the Core Security Consulting Services team. The result is the most comprehensive, professionally developed library of commercial-grade exploits available, complemented by world-class automation, reporting and other security assessment capabilities.

Conducting Cloud Security Tests

Q: How do I set up a CloudInspect account?

Before initiating tests with CloudInspect, you must set up an account. This is a one-time process for new customers:

  1. Click the green “Test Your Cloud” button on any page on this site.

  2. Click “Account Registration”

  3. Submit profile information

  4. Generate AWS access keys

  5. Enter the access keys into the CloudInspect interface

Q: How do I generate AWS access keys?

Q: What steps do I take to initiate a test?

Initiating a cloud security test with Core CloudInspect is a simple and straightforward process:

  • Click the green “Test Your Cloud” button on any page on this site.

  • Select the machine instances you would like to test

  • Enter the web application URLs you would like to test

  • Select report types

  • Confirm and pay (payments are handled through Amazon)

  • Launch the test

CloudInspect then delivers a variety of reports verifying your security posture and providing actionable intelligence to help you quickly prioritize and remediate any exposures.

Please note: To assess the security of a web application that is hosted by a machine instance, you must also include that machine instance in the test.

Q: How long will it take for me to initiate a test?

After setting up your CloudInspect account, you can initiate a test against one or multiple instances and applications in less than 10 minutes.

Q: Can I run tests against multiple instances at once?

Yes. CloudInspect enables you to select multiple instances to test at once.

Test results for multiple instances are aggregated into the following reports:

  • Host Report: provides details specific to machine instances tested and exploited

  • Vulnerabilities Report: provides details on exploitable OS and services vulnerabilities, plus links to patches and other remediation resources

  • Web Application Vulnerability Report: explains how your applications can be exploited via SQL Injection, Cross-Site Scripting, Remote File Inclusion and other attack types – and provides valuable information for code fixes

  • Web Application Executive Report: presents summarized information about vulnerable web pages and how they can be exploited by real-world attackers

Q: Why are some of my instances grayed out in the instance selection window?

The grayed out instances represent either systems that are stopped or m1.small / t1.micro instance types. You can see the specific reason by mousing over each instance.

Amazon’s policy does not permit testing m1.small or t1.micro instance types. This is to prevent potential adverse performance impacts on the resources you may be sharing with other customers.

Q: How long does it take for the test to run?

The duration of each test depends on the number and size of the instances and applications you are testing, from a few minutes per instance to a few hours. You can monitor the progress of each test through the CloudInspect web interface. You will also receive an email notification when each test is complete, with a link to download test reports.

Q: How often should I use CloudInspect?

Your threat environment is constantly changing as instances and applications are updated, as new vulnerabilities are discovered, and as attackers hone their techniques. We therefore recommend that you conduct frequent, regular security tests of your cloud deployments. At a minimum, you should conduct assessments quarterly and whenever your machine instances or applications are updated. We also recommend re-testing any instances and applications that have recently received security updates or code fixes to ensure that no new vulnerabilities have been introduced.

Q: Can I set up other users to conduct tests against my instances?

Each CloudInspect account is associated with one username and password, which can be shared among multiple users. Also, multiple CloudInspect accounts can be set up to test the same group of instances and applications.

Giving Core CloudInspect Access to Your Cloud Deployment

Q: What privileges does CloudInspect need to test my deployment?

When you first register to use CloudInspect, you will be asked to generate AWS Identity and Access Management (IAM) credentials with low-privilege “Describe Instance” capabilities and enter them in the CloudInspect interface. These credentials allow CloudInspect only to confirm that you are the owner of the associated instances, and then retrieve the instance IDs and determine their operating systems and sizes. The credentials cannot be used to log into your instances or alter their configuration in any way.

You can learn more about IAM here: http://aws.amazon.com/iam/faqs  
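The answer above rests on one property: the IAM credentials you hand over carry only “Describe Instance” capability. The following is an added example, not CloudInspect's or Amazon's code, of the check a practitioner can run on the policy document before attaching it to the IAM user whose keys are entered into any third-party tester. Both policy documents are constructed for the example, and the one-action allowlist (`ec2:DescribeInstances`, the standard EC2 read-only action) is an assumption about what “describe instance” means, not a list taken from this page.

```python
"""Least-privilege check for the credentials a third-party tester is given.

Added example for this FAQ; it is not CloudInspect code. The policy documents
below are constructed, and the one-action allowlist is an assumption about
what a "describe instance" credential should contain.
"""
import json

# Assumed allowlist (stored lower-case because IAM action names are matched
# case-insensitively). ec2:DescribeInstances does not support resource-level
# restrictions, so "Resource": "*" is expected there and is not flagged.
DESCRIBE_ONLY = {"ec2:describeinstances"}

# Constructed: the minimal policy to attach to the IAM user whose access key
# and secret key are entered into the tester's interface.
MINIMAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}
    ],
})

# Constructed: an over-broad policy of the kind that should never be handed out.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:StopInstances"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM lets Statement and Action be either a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json, allowed=DESCRIBE_ONLY):
    """Return a sorted list of findings; an empty list means every Allow
    statement stays inside the allowlist."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        if "NotAction" in stmt:
            findings.append(
                f"statement {idx}: NotAction grants every action except those listed"
            )
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif action.lower() not in allowed:
                findings.append(
                    f"statement {idx}: {action!r} is outside the describe-only allowlist"
                )
    return sorted(findings)


if __name__ == "__main__":
    for name, doc in (("minimal", MINIMAL_POLICY), ("broad", BROAD_POLICY)):
        result = audit_policy(doc)
        print(name, "OK" if not result else result)
```

Run it against the policy you are about to attach; any finding means the key pair would let the holder do more than enumerate instances, which is more than the text above says the service needs.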

Q: Why do I have to enter my Access and Secret Access Keys?

CloudInspect uses your credentials to verify that you own the instances associated to these credentials and to comply with Amazon’s penetration testing policy. Employees of Core Security Technologies are not able to see your Access or Secret Access Keys.

The keys also do not give CloudInspect any advantage with penetration testing, since they only serve to confirm that you are the owner and provide information about your instance IDs, sizes and operating systems.

Q: What is the security impact of sharing Access and Secret Access Keys with CloudInspect?

The required keys only have “Describe Instance” privileges and cannot be used to log into your instances or alter their configuration. All aspects of using CloudInspect are designed to ensure the security of your cloud deployment, and employees of Core Security Technologies are not able to see your Access or Secret Access Keys.

Reporting and Results

Q: What reports does CloudInspect provide?

  • Host Report: provides details specific to machine instances tested and exploited

  • Vulnerabilities Report: provides details on exploitable OS and services vulnerabilities, plus links to patches and other remediation resources

  • Web Application Vulnerability Report: explains how your applications can be exploited via SQL Injection, Cross-Site Scripting, Remote File Inclusion and other attack types – and provides valuable information for code fixes

  • Web Application Executive Report: presents summarized information about vulnerable web pages and how they can be exploited by real-world attackers

Q: Who can use CloudInspect reports?

CloudInspect reports can be used to communicate risk and remediation information throughout the organization, including:

  • AWS administrators – to identify machine instances in need of patching or other updates, and to share findings with security staff, web developers, management and other colleagues

  • Web developers – to certify application security, pinpoint unsecure code, and gain information to assist with code fixes

  • Security professionals – to measure and track security posture over time and work with internal and external stakeholders to report and remediate security issues

  • Compliance officers – to gain proof of proactive security controls assessments

Q: How do I access my reports?

CloudInspect users can log in at any time to access, download and share PDF reports for completed penetration tests. Reports are stored in Amazon’s Simple Storage Service (S3) and are available via direct links over an encrypted HTTPS connection. Links are set to expire after two weeks. New links to existing reports can be generated at any time and are also valid for two weeks.

Q: Can I download reports from my previous CloudInspect tests?

Yes. You can access your reports for two years after the conclusion of each test.

Q: Where are my report results stored?

Your reports are stored by the Amazon Simple Storage Service (S3).

Q: None of my machine instances or applications were exploited. Is CloudInspect broken?

No. This means that your systems and/or applications were verified as secure against the attacks that CloudInspect conducted during the test.

Q: Can I get CloudInspect reports in other formats besides PDF?

CloudInspect reports are currently available only in PDF format.

Security and Privacy

Q: Will Core CloudInspect allow Core Security to see my data?

No. No one outside of your organization will have access to the data managed by your instances or web applications.


Q: Where do CloudInspect exploits come from?

All CloudInspect exploits are written by Core Security’s in-house, professional exploit writing team. All exploits are QAed nightly to ensure that they are current, stable and secure to run in your environment.

Q: Does CloudInspect run denial of service (DoS) attacks?

No, CloudInspect does not run DoS attacks.

Q: What does CloudInspect do to ensure the stability of my instances?

All CloudInspect exploits are developed in-house and quality tested to ensure as much stability as possible. Core Security exploit writers go to great lengths to ensure that our exploits won’t unexpectedly affect processes or interrupt services, using the same “slow and low” techniques employed by many of today’s attacks. Because our exploits are built to run as quietly as possible, system administrators and end users are typically unaware of testing activities in their environments.

Q: Does CloudInspect leave any code behind on my instances?

Exploit code is never permanently installed on a tested system. Instead, Core Security’s patented proxy agent – itself a very small piece of software code – is deployed into the system’s memory space. With CloudInspect, the agent’s sole purpose is to confirm that a vulnerability can be exploited and could give an attacker access to the machine instance. Agents are automatically uninstalled upon campaign completion. Agents are harmless to tested systems and do not pose any threats or introduce new vulnerabilities.

Q: Does CloudInspect leave any “backdoors” in my instances?

A common concern of security testers is ensuring that any exploits that they run will not establish a path by which attackers could someday find their own way into an organization’s systems. CloudInspect’s design eliminates this scenario by deleting all traces of testing, including any that could be used in a nefarious manner.

Q: Can CloudInspect introduce any new vulnerabilities into my instances?

Our products never create any new security vulnerabilities during testing; rather, they merely find the weak points that already exist in tested systems and exploit those issues to help customers better protect themselves.

Q: How do you prevent other people from using CloudInspect against my instances?

CloudInspect ensures that AWS cloud deployments can only be tested by the deployment owner. CloudInspect requires low-privilege access credentials to conduct the test; however, these low-privilege credentials can only be generated by someone with high-privilege credentials (i.e., the deployment owner).

Pricing

Q: How much do Core CloudInspect security tests cost?

CloudInspect security tests are priced per target:

  • $20 per machine instance* (introductory price)

  • $20 per web application** (introductory price)

For a limited time, you can test three machine instances and/or web applications per month for free – no purchase required. Free tests are automatically applied to your account at checkout.

* You can test all instances except m1.small or t1.micro instance types. This is Amazon’s policy for all penetration testing, and it is to prevent potential adverse performance impacts on the resources you may be sharing with other customers.

** To assess the security of a web application that is hosted by a machine instance, you must also include that machine instance in the test.

Q: How will I be charged and billed for my use of CloudInspect?

CloudInspect is billed on a per target / per test basis. You pay for testing through the Amazon Flexible Payments (AFP) service – the same payments system used to pay for your other AWS services.

Support and Feedback

Q: How do I get technical support?

Q: Where can I send feedback on CloudInspect?

We welcome your input and feature requests. Please email your comments to cloudinspect.info@coresecurity.com

Ready to test the security of your AWS cloud deployment?

  • It's Fast: begin testing in minutes

  • It's Easy: no security experience required

  • It's Affordable: $20 per machine instance or web application tested (introductory price)
