For the final book purchase of 2018, members of VERT decided to read "Pentesting Azure Applications: The Definitive Guide to Testing and Securing Deployments," written by Matt Burrough and published by No Starch Press. Matt has spent nearly four years with Microsoft’s Digital Security & Risk Engineering (DSRE) Red Team as a Senior Penetration Tester, making him a logical author for a book on this subject. Here’s what members of VERT had to say about this book, which covers topics such as weaknesses in VM settings, Azure services and firewall rule enumeration.
Matt Burrough’s Pentesting Azure Applications is a great crash course on how someone would start pen testing an Azure environment. The author gives an excellent rundown on the use of Mimikatz and how to obtain certain information from memory. Matt Burrough also provides a thorough description of how monitoring, logs and alerts could help determine if anything is out of the ordinary. Pentesting Azure Applications allows the reader to understand the information by demonstrating code and explaining how the provided code segment functions. This allows the reader to follow along with the concepts that the book introduces and provides an example for the reader. The reader will hopefully be able to use the introduced concepts for future pen testing. Matt's writing helps allow a reader to see common issues that users of Azure may introduce. It was quite interesting to see where users stored passwords and how easy they were to obtain. However, it was quite interesting to see how the two Azure service models managed credentials. This demonstrated how the Azure Service Management model was better suited to maintaining credentials than the older Azure Resource Manager model. Pentesting Azure Applications provides a great guide for someone to start pen testing an Azure environment. This book can also demonstrate to an Azure administrator the potential weak points for their environment.
Rating 5/5
– Andrew Swoboda, Senior Security Researcher, Tripwire
I found that Pentesting Azure Applications is a great guide on the titular topic. The author lays out his basic assumptions from the beginning – such as that the reader is already knowledgeable about pentesting to some degree. I particularly enjoyed the “Defender’s Tip” boxes scattered throughout the book. These tips provide some great advice for the other side of a pentester’s job – fixing the holes. The ones I found especially useful are those that can be applied more broadly as opposed to those that only relate to Azure. Another useful aside consisted of the notes, which were helpfully placed directly beneath their relevant paragraphs. These notes provide links and brief blurbs about external resources. In some cases, they offer useful sidebar commentary about Azure or the pentesting methods being discussed. Overall, while Pentesting Azure Applications seemed slow-paced at times, it was laid out in a logical fashion that walks the reader through the author’s methodology while providing the information and tools needed by the reader to succeed on their own.
Rating 4.8/5
– Ary Widdes, Security Researcher, Tripwire
Pentesting Azure Applications is less of a guide toward pentesting and more of an unofficial Azure manual. Much of the book focuses simply on describing Azure and how to interact with it. A large portion of this book is effectively just saying that an attacker can do lots of bad things if they compromise Azure credentials. Much of the rest of the book is focused on standard post-exploitative tools and methods for finding credentials from compromised systems and then reviewing how to log in and use the credentials. Although this book could certainly be helpful for anyone looking to get acquainted with Azure security policies, any experienced penetration tester should already know most of what’s in the book and can learn the rest by simply reading Microsoft’s documentation. While it is clear that the author has some valuable expertise to draw upon, I believe this book could be considerably condensed to about half its size without losing much value.
Rating 3/5
– Craig Young, Principal Security Researcher, Tripwire
Overall Rating: 4.25/5
There were definitely differing opinions on this book, which is one of the best parts of reading and discussing these types of guides. The next book we’re reading for #TripwireBookClub is https://nostarch.com/binaryanalysis. As a special giveaway, we are offering two lucky full-time students who read our next book the opportunity to earn a Black Hat Asia student scholarship (hotel/flight not included; first come, first served). To find out more, comment below! If you are not a student but are still interested in taking part, please tweet us at @tripwireinc or @tripwirevert for more details. You can follow updates from #TripwireBookClub here.