In this episode of the Scale To Zero Podcast, our guest speaker Scott Weston walks us through the broader landscape of cloud pentesting, including "GCPwn", a tool developed by Scott himself.
Whether you're a seasoned security professional or just starting your journey, this podcast offers valuable insights and practical advice.
You can read the complete transcript of the episode here.
Learnings from the podcast
- gcpwn (modeled after Pacu) is a great tool for pentesting, covering enumeration and lateral movement. Many more capabilities are coming soon, with support for more services and APIs.
- Annual pentesting is a good start, but pentesting should be as close to continuous as possible. It helps organizations stay up to date with their attack surface.
- When starting to pentest, start with IAM: it connects all other services together and is the most impactful. For environments, create a segregated cloud environment for pentesting and tear it down once it is no longer used.
Learning resources recommended by Scott Weston
- gcpwn: a tool Scott built himself while learning Google Cloud Platform; it leverages the newer gRPC client libraries. The gcpwn tool is available on GitHub.
- Scout Suite: an open source multi-cloud security-auditing tool that enables security posture assessment of cloud environments.
- CloudFoxable: a gamified cloud hacking sandbox from the cloud penetration testing team at Bishop Fox.
- PwnedLabs: real-world, bite-sized cloud security labs for training cyber warriors. From beginners to pros, their engaging platform allows security practitioners to strengthen defenses, ignite their careers and stay ahead of threats.
- Hack The Box: HTB is the leading cybersecurity performance center, serving everyone from advanced frontline teams to aspiring security professionals and students. Start driving peak cyber performance.