Google Cloud Security Pentesting Methodology

Penetration Test of a Web Application hosted on Google Cloud in 2023 is quite different to just a simple/traditional web app pentesting.Cloud Penetration testing is misunderstood to be just config review in Google Cloud. In this video, we have Kat Traxler who is a cloud security researcher, SANS Course author and has worked in the Google Cloud space to even build open source tools that can be used to perform cloud security testing. Episode YouTube: ⁠ ⁠⁠⁠Video Link⁠⁠⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Kat Traxler (⁠⁠ Kat Traxler's Linkedin ⁠⁠) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (04:17) A bit about Kat Traxler (05:56) Pentesting in GCP vs AWS (08:07) Config review vs cloud pentesting (09:24) Cloud pentest vs Traditional Pentest (10:28) Starting to do GCP pentesting (12:35) Common services used in GCP (14:10) Low hanging fruits in GCP (15:25) What are default service accounts? (17:52) You may already have google cloud (20:00) How to persist access in Google Cloud? (21:56) Shared responsibility in GCP (24:01) Common TTPs in GCP (28:05) Is there SSRF in GCP? (30:19) Open source tools for cloud pentest (33:59) Fun questions Resources that Kat shared during the episode The Google Cloud Adoption Framework Google Cloud Org Policy Bot GCAT Threat Horizons Report Pacu Microburst DeRF Stratus See you at the next episode!