Book Review: Pentesting Azure Applications

Uday Mittal December 27, 2021 Leave a Comment

In continuation of my research in cloud security, I picked up another book on Azure security: Pentesting Azure Applications – The Definitive Guide to Testing and Securing Deployments by Matt Burrough. I got it as part of the Humble Book Bundle. It was published in July 2018 and for some time was the only book available that focused on Azure security.

Content Overview

This book is divided into eight chapters covering various services. It starts by establishing the importance of scoping cloud penetration testing assessments. It then provides an overview of the various ways penetration testers can access an Azure environment (along with some best practices). This is followed by techniques for performing reconnaissance using the Azure PowerShell module and the Azure CLI. From this point onward, it provides a deep dive into various Azure services using the following structure:

  • Service deep-dive
  • Security best practices
  • Common misconfigurations / vulnerability points
  • Pentester’s view of the service

Azure services covered in this book are: Storage services (blob, files, tables and queues), VMs, App Services, Web Apps, Automation services, Network services (firewall, WAF and VPN), Authentication mechanisms (credentials, access tokens, certificates), SQL servers etc. The last chapter is focused on defending an Azure environment and provides an overview of Azure Security Center, Operations Management Suite, the Secure DevOps Kit and custom log handling.

In terms of tools, the book covers the usage of the Azure PowerShell module, Azure CLI, Storage Explorer etc. Each chapter provides commands and scripts to enumerate Azure services. The author has also provided references to free and useful Microsoft resources for developing a better understanding of Azure.

Salient Features

Here are a few things I liked about this book:

  • It does not assume familiarity with Azure on the reader’s end. The author has covered each service in sufficient detail to establish the context as to why it is important from a penetration tester’s perspective.
  • All enumeration is performed using custom-developed scripts which are well explained in the book.
  • The companion GitHub repository provides access to the enumeration scripts used within the book.
  • It provides security best practices and Defender’s Tips throughout the chapters.
  • It is good for cloud engineers and architects, security consultants, security architects, security managers and developers.

Not so salient Features

  • Surprisingly, the book misses out on some of the core areas of a pentester’s interest, such as Azure Active Directory, Azure RBAC and the various access management roles.
  • In my opinion, the book is wrongly titled. It should have been titled ‘Practical Azure Security’ or something similar.
  • It needs revision and a new edition. There have been a lot of changes in Azure since its publication.

My rating 3.9 / 5.0

Join our book club on Discord and share your views on this book (or any other security book of your choice).

Other book reviews

  • Penetration Testing Azure for Ethical Hackers by David Okeyode, Karl Fosaaen
  • Red Team Development and Operations by Joe Vest and James Tubberville
  • Container Security by Liz Rice
  • Web Application Security by Andrew Hoffman

Uday Mittal

Uday Mittal is a cybersecurity professional with rich experience working with various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM and CRISC, among others. He speaks on cybersecurity awareness, offensive security research etc. and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.

Filed Under: Book Reviews Tagged With: azure, Cloud security, Penetration Testing
