
API SECURITY BEST PRACTICES 2022

Cloud Security Podcast

CHAPTER

What Are the Common Pentesting Things?

There's not too many differences on that end. What you do see is maybe that the front gate, you know, is more secure than maybe a home-grown solution. So those cloud providers do provide that good first layer of defence. The next part of it is, if I know I'm testing in those environments, then maybe I need to be, I call it, having a burner account. And so I'll set up a couple of different accounts and use different IP addresses. Because as soon as one is blocked and the IP address is blocked, then I know, OK, that security control is functioning and in place. Is there a way I can bypass that, or not set it off

00:00
Speaker 2
Thanks for that. That's a pretty wholesome resource as well. And I mean, going back to, I guess that would be helpful for people who are pentesting, or perhaps who want to go to a resource as well where Daphne can answer the question. And maybe people have internal pentesting teams, and they can share this resource with them, though. This sort of, Daphne, is helpful. So thanks for sharing that. Now, we spoke about some of the common pentesting things as well that people can naturally approach with a cloud, because this is a cloud security podcast as well. Have you ever had to, like we were talking about this earlier, Amazon, Azure, they all are, where they use API calls in the background for back-end conversation? Have you ever had a chance to test any of the cloud services, and do they behave any different to, say, any web app that you would have had, which is on an API, which is not on cloud? Does that make sense?
Speaker 1
Yes. From my perspective, in testing web APIs, there's not too many differences on that end. So whether you're using one cloud provider or another, if you're attacking REST APIs, or if the API is set up in a RESTful way, then that's using HTTP methods and, specifically, requesting different paths for different resources and functionality. So that part isn't different with the different cloud providers. What you do see is maybe that the front gate, you know, is more secure than maybe a home-grown solution. And so we do see that quite a bit. So those cloud providers do provide that good first layer of defence. Maybe there's a WAF in place, maybe they're handling authentication and token creation, and stuff like that. So those do have some, like, tried and true security measures that are in place. But once you get past that, so if I am able to find an API key, or if I'm able to use a service as an authenticated user, then we're getting past that first layer. And the next part of it is, if I know I'm testing in those environments, then maybe I need to be, I call it, having a burner account. And so I'll set up a couple of different accounts and use different IP addresses. Because as soon as one is blocked and the IP address is blocked, then I know, OK, that security control is functioning and in place. Is there a way I can bypass that, or not set it off in the first place? And then using the next account down the road, and at the other IP address, to be a bit more careful and check things that typically require well-formed requests, like authorization. So can I use the API as an end user normally would? And then transition to finding other users' resources, and then can I access those,
Speaker 2
right?
