SEC Consult helps you reveal attack vectors in your Cloud and container infrastructure. Using our sophisticated exploits and experience, we uncover vulnerabilities, misconfigurations, privilege escalation paths, lateral movement between environments and even footholds into on-site infrastructure.
SEC Consult can provide the experts you need.
The security consultants of SEC Consult are trained and certified by the best experts in the industry and directly by the Cloud providers. We combine offensive and defensive certifications so that our employees can both detect vulnerabilities and improve your IT architecture based on state-of-the-art solutions.
Among others, our team holds the following certifications:
- AWS Certified Security – Specialty
- Microsoft Certified: Azure Security Engineer Associate (AZ-500)
- GIAC Cloud Penetration Tester (GCPN)
- Certified Kubernetes Security Specialist (CKS)
Full Stack Knowledge
Our security consultants are familiar with all leading technologies and can support your entire stack: from Cloud and containers through your internal network to your web and mobile applications. Our consultants provide independent advice to ensure you always get the best solution.
Matching Experience and Full Process Service
To offer you a full 360° service, our specialists guide you every step of the way. SEC Consult assigns the right expert to your project, whether you use AWS, Azure or GCP. In addition, every project is monitored by experienced project managers.
- Experienced and certified experts for AWS, Azure and GCP
- Full stack knowledge
- State of the art solutions
- 360° service
- Independent from software manufacturers: We will always find the best solution for you
Our experts check the public Cloud platform thoroughly. In our Cloud pentest we focus especially on these points:
- least-privilege principle for all users
- separation of different environments: e.g., production & development environment or project A & project B
- adhering to the recommendations of the Cloud provider
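As an added illustration of the first focus point, the following Python script reviews AWS IAM policy documents for statements that violate least privilege. It is example code written for this page, not SEC Consult's tooling and not from the original text; the three policy documents in it are constructed samples, and the account ID and bucket names are placeholders. It flags Allow statements with wildcard actions or resources, the rarely justified NotAction form, and iam:PassRole on every role, which is a well-known privilege escalation path.

```python
"""Least-privilege review of AWS IAM policy documents (added example).

Not SEC Consult's tooling. Parses the documented IAM policy JSON format and
flags Allow statements that grant broad rights. The policies in
SAMPLE_POLICIES are constructed samples with placeholder identifiers.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    policy_name: str
    statement_index: int
    severity: str  # "high" or "medium"
    reason: str


def _as_list(value):
    """IAM allows a single string/object or a list for Statement, Action, Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def check_policy(name: str, policy: dict) -> list[Finding]:
    """Return one Finding per over-broad grant in an IAM policy document."""
    findings: list[Finding] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen permissions
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        all_resources = "*" in resources
        wild_actions = [a for a in actions if "*" in a]
        full_admin = any(a == "*" for a in actions) and all_resources

        if "NotAction" in stmt:
            findings.append(Finding(name, idx, "high",
                "NotAction allows every action except those listed"))
        if full_admin:
            findings.append(Finding(name, idx, "high",
                "Action '*' on Resource '*' is equivalent to full administrator"))
        elif wild_actions:
            findings.append(Finding(name, idx, "medium",
                f"wildcard actions {wild_actions} on resources {resources}"))
        elif all_resources:
            findings.append(Finding(name, idx, "medium",
                f"actions {actions} are allowed on every resource"))
        # iam:PassRole on '*' lets a principal hand any role, including an
        # admin role, to a service it can launch: a classic escalation path.
        if "iam:PassRole" in actions and all_resources:
            findings.append(Finding(name, idx, "high",
                "iam:PassRole on Resource '*' allows passing any role"))
    return findings


# Constructed sample policies; account ID and bucket names are placeholders.
SAMPLE_POLICIES = {
    "AdminAllTheThings": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "ReadReportsBucket": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports",
                         "arn:aws:s3:::example-reports/*"],
        }],
    },
    "DeployPipeline": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:RunInstances",
             "Resource": "arn:aws:ec2:eu-central-1:111122223333:instance/*"},
            {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
            {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
        ],
    },
}


def load_policy(text: str) -> dict:
    """Parse a policy document as it is stored in the account (JSON text)."""
    return json.loads(text)


def review(policies: dict = SAMPLE_POLICIES) -> dict[str, list[Finding]]:
    """Run the check over a name -> policy-document mapping."""
    return {name: check_policy(name, doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for policy_name, results in review().items():
        print(f"{policy_name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.severity}] statement {f.statement_index}: {f.reason}")
```

The check deliberately ignores Condition blocks: a condition can narrow a wildcard grant, but a reviewer still wants to see every wildcard and judge the condition by hand rather than have the tool silently accept it.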
Our Cloud security assessments cover both the control layer and the data layer:
- The control layer defines permissions and access to resources, how resources and programs are executed, and how they relate to each other. Many of the Cloud provider's own security functions live here as well.
- The data layer is where the application code runs, where end-customer data is stored and processed, and where communication between the different resources takes place according to the rules defined on the control layer.
Our Cloud pentest is an important and efficient method to improve your security level in the Cloud. Nevertheless, it is only a snapshot of the security status of your systems: changes to settings, new uploads and the like can change the picture at any time. You should therefore remain vigilant and not assume that from now on security in the Cloud is the provider's sole responsibility.
Security in the Cloud is not solely the provider's responsibility: all Cloud providers follow some form of the “shared responsibility model”. Depending on the category of the service, the Cloud provider takes care of part of the security. In general, however, “if you can touch it, you own it”: if you can change the settings of a resource or decide what runs on it, its security is your responsibility. Remember that even with a fully managed service, the customer remains responsible for the uploaded data and the access permissions.
AWS, Azure and GCP no longer require you to inform them before pentesting resources in their infrastructure. Each provider has defined rules about which services and which actions are allowed without notification. In short, the rules mirror the “shared responsibility model”: pentests against resources you manage yourself are allowed. No provider, however, permits Distributed Denial of Service (DDoS) testing or attacks on other customers. SEC Consult can help you understand the specific terms and conditions and whether it is necessary to inform the Cloud provider in your particular case.