Book Review: Pentesting Azure Applications
Review of the book Pentesting Azure Applications by Matt Burrough. Book published in July 2021.
In continuance of my research in cloud security, I picked up another book on Azure security. The book was Pentesting Azure Applications - The Definitive Guide to Testing and Securing Deployments by Matt Burrough. I got it as part of the Humble Book Bundle. It was published in July 2018 and was the only book available focusing on Azure security for some time.
Content Overview
This book is divided into eight chapters covering various services. It starts by establishing the importance of scoping cloud penetration testing assessments. It then provides an overview of the various ways penetration testers can access an Azure environment (along with some best practices). This is followed by techniques for performing reconnaissance using the Azure PowerShell module and the Azure CLI. From this point onward, it provides a deep dive into various Azure services using the following structure:
Service deep-dive
Security best practices
Common misconfigurations / vulnerability points
Pentester's view of the service
Azure services covered in this book are: Storage services (blob, files, tables and queues), VMs, App Services, Web Apps, Automation services, Network services (firewall, WAF and VPN), Authentication mechanisms (credentials, access tokens, certificates), SQL servers, etc. The last chapter is focused on defending an Azure environment and provides an overview of Azure Security Center, Operations Management Suite, the Secure DevOps Kit and custom log handling.
In terms of tools, the book covers the use of the Azure PowerShell module, Azure CLI, Storage Explorer, etc. Each chapter provides commands and scripts to enumerate Azure services. The author has also provided references to free and useful Microsoft resources for developing a better understanding of Azure.
Salient Features
Here are a few things I liked about this book:
It does not assume familiarity with Azure on the reader's end. The author has covered each service in sufficient detail to establish the context as to why it is important from a penetration tester's perspective.
All enumeration is performed using custom developed scripts which are well-explained in the book.
The companion GitHub repository provides access to enumeration scripts used within the book.
It provides security best practices and Defender's tips throughout chapters.
It is good for cloud engineers and architects, security consultants, security architects, security managers and developers.
Not-So-Salient Features
Surprisingly, the book misses out on some of the core areas of a pentester's interest, such as Azure Active Directory, Azure RBAC and the various access management roles.
In my opinion, the book is wrongly titled. It should have been titled 'Practical Azure Security' or something similar.
It needs revision and a new edition. There have been a lot of changes in Azure since its publication.
My rating: 3.9 / 5.0
Join our book club on Discord and share your views on this book (or any other security book of your choice).