Cyber security pros at INE, the global leader in IT training, are receiving industry-wide praise for unveiling a pair of unique cloud penetration tools designed to provide a realistic training ground for AWS and Azure exploitation techniques. INE has recently been invited to showcase AWSGoat and AzureGoat at Black Hat USA 2022, Def Con 30, and OWASP Singapore, earning traction in the industry as a “pentester’s playground.”
With AWS and Azure evolving constantly, companies are often unable to keep up with new vulnerabilities. Featuring the latest exploits, AWSGoat and AzureGoat provides a realistic training ground for security professionals, according to Jeswin Mathai, INE’s Chief Architect for Lab Platforms. “AWSGoat bridges the gap between training and the real world by mimicking real-world infrastructure,” said Mathai. “In our previous AWS Security bootcamps, we taught individual exploit techniques. But there wasn’t an actual training ground where students could put it all together. With this tool, we’ve filled that void.”
Latest ITechnology News: InfluxData Brings Native Data Collection to InfluxDB
AWSGoat’s first module features a serverless blog application utilizing AWS Lambda, S3, API Gateway and DynamoDB. This application consists of the latest OWASP (2021) vulnerabilities and contains other misconfigurations based on AWS Services. Currently, there is no other project in existence that focuses on both the OWASP Top 10 (2021) and AWS, making the tool an industry gamechanger.
AzureGoat — the Azure counterpart of AWSGoat — also features the latest released OWASP Top 10 (2021) vulnerabilities and misconfigurations on services like Azure App Functions, CosmosDB, Storage Accounts, Automation and Identities. Similar to its sister project, AzureGoat mimics real-world infrastructure and features multiple escalation paths and a black-box approach.
While there are numerous vulnerable applications for AWS, there are fewer options for Azure. “AzureGoat is our attempt to shorten the gap,” creators of AzureGoat recently told cybersecurity trade The Daily Swig.
Latest ITechnology News: Corelight Selects Normalyze As Its Primary Cloud and Data Security Platform
The team also made special efforts to ensure the realism of both deliberately vulnerable infrastructures. “We looked at the most common attacks that occur in cloud deployments, and the context in which they occurred,” said Mathai. “To make AWSGoat and AzureGoat as realistic as possible, our team weaved these common exploits into everyday WebApps — you’ll notice that the first module simulates our company blog.”
Although in their infancy, the team has ambitious plans for AWSGoat and AzureGoat. The next module is already under development and will feature an internal HR Payroll application, utilizing AWS ECS infrastructure. Future editions include defense/mitigation aspects including Security Engineering, Secure Coding, and Monitoring and Detecting Attacks. Similar modules are in the roadmap for AzureGoat as well. “People will learn to exploit vulnerabilities, patch misconfigurations and coding flaws, and use monitoring services to detect attacks — all in one environment,” said Mathai. “This will be a massive project in years to come.”
Latest ITechnology News: Sprinklr Receives ISO 27001 Certification for Security Management
[To share your insights with us, please write to sghosh@martechseries.com]
