In continuance of my research in cloud security, I picked up another book on Azure security. The book was Pentesting Azure Applications – The Definitive Guide to Testing and Securing Deployments by Matt Burrough. I got it as part of the Humble Book Bundle. It was published in July 2018 and was the only book available focusing on Azure security for some time.
This book is divided into eight chapters covering various services. It starts by establishing the importance of scoping cloud penetration testing assessments. It then provides an overview of the various ways penetration testers can access an Azure environment (along with some best practices). This is followed by techniques to perform reconnaissance using the Azure PowerShell module and the Azure CLI. From this point onward, it provides a deep dive into various Azure services using the following structure:
- Service deep-dive
- Security best practices
- Common misconfigurations / vulnerability points
- Pentester’s view of the service
Azure services covered in this book are: Storage services (blob, files, tables and queues), VMs, App Services, Web Apps, Automation services, Network services (firewall, WAF and VPN), Authentication mechanisms (credentials, access tokens, certificates), SQL servers etc. The last chapter is focused on defending an Azure environment and provides an overview of Azure Security Center, Operations Management Suite, Secure DevOps Kit and custom log handling.
In terms of tools, the book covers the usage of the Azure PowerShell module, Azure CLI, Storage Explorer etc. Each chapter provides commands and scripts to enumerate Azure services. The author has also provided references to free and useful Microsoft resources for developing a better understanding of Azure.
Here are a few things I liked about this book:
- It does not assume familiarity with Azure on the reader’s end. The author has covered each service in sufficient detail to establish the context as to why it is important from a penetration tester’s perspective.
- All enumeration is performed using custom-developed scripts which are well explained in the book.
- The companion GitHub repository provides access to enumeration scripts used within the book.
- It provides security best practices and Defender’s tips throughout the chapters.
- It is good for cloud engineers and architects, security consultants, security architects, security managers and developers.
Not-so-salient features
- Surprisingly, the book misses out on some of the core areas of a pentester’s interest, such as Azure Active Directory, Azure RBAC and the various access management roles.
- In my opinion, the book is wrongly titled. It should have been titled ‘Practical Azure Security’ or something similar.
- It needs revision and a new edition. There have been a lot of changes in Azure since its publication.
My rating: 3.9 / 5.0
Other book reviews
- Penetration Testing Azure for Ethical Hackers by David Okeyode, Karl Fosaaen
- Red Team Development and Operations by Joe Vest and James Tubberville
- Container Security by Liz Rice
- Web Application Security by Andrew Hoffman
Uday Mittal is a cybersecurity professional with rich working experience across various industries, including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM and CRISC, among others. He speaks on cybersecurity awareness, offensive security research etc., and has authored various articles on topics related to cybersecurity and software development for a leading magazine on open source software.