For the final book purchase of 2018, members of VERT decided to read “Pentesting Azure Applications: The Definitive Guide to Testing and Securing Deployments,” written by Matt Burrough and published by No Starch Press. Matt has spent nearly four years with Microsoft’s Digital Security & Risk Engineering (DSRE) Red Team as a Senior Penetration Tester, making him a logical author for a book on this subject.
Here’s what members of VERT had to say about the book, which covers topics such as weaknesses in VM settings, Azure services and firewall rule enumeration.
Matt Burrough’s Pentesting Azure Applications is a great crash course on how someone would start pen testing an Azure environment. The author gives an excellent rundown on the use of Mimikatz and how to obtain certain information from memory. Matt Burrough also provides a thorough description of how monitoring, logs and alerts could help determine if anything is out of the ordinary.
Pentesting Azure Applications allows the reader to understand the information by demonstrating code and explaining how the provided code segment functions. This allows the reader to follow along with the concepts that the book introduces and provides an example for the reader. The reader will hopefully be able to use the introduced concepts for future pen testing.
Matt’s writing helps allow a reader to see common issues that users of Azure may introduce. It was quite interesting to see where users stored passwords and how easy they were to obtain. However, it was quite interesting to see how the two Azure service models managed credentials. This demonstrated how the Azure Service Management model was better suited to maintaining credentials than the older Azure Resource Manager model.
Pentesting Azure Applications provides a great guide for someone to start pen testing an Azure environment. This book can (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tyler Reguly. Read the original post at: https://www.tripwire.com/state-of-security/vert/tripwirebookclub-pentesting-azure-applications/