Security Experts at INE Unveil Damn Vulnerable AWS and Azure Tools

Cary, North Carolina, UNITED STATES


Cary, NC, Aug. 24, 2022 (GLOBE NEWSWIRE) -- Cyber security pros at INE, the global leader in IT training, are receiving industry-wide praise for unveiling a pair of unique cloud penetration tools designed to provide a realistic training ground for AWS and Azure exploitation techniques. INE has recently been invited to showcase AWSGoat and AzureGoat at Black Hat USA 2022, Def Con 30, and OWASP Singapore, earning traction in the industry as a “pentester’s playground.” 

With AWS and Azure evolving constantly, companies are often unable to keep up with new vulnerabilities. Featuring the latest exploits, AWSGoat and AzureGoat provides a realistic training ground for security professionals, according to Jeswin Mathai, INE’s Chief Architect for Lab Platforms. “AWSGoat bridges the gap between training and the real world by mimicking real-world infrastructure,” said Mathai. “In our previous AWS Security bootcamps, we taught individual exploit techniques. But there wasn’t an actual training ground where students could put it all together. With this tool, we’ve filled that void.”

AWSGoat’s first module features a serverless blog application utilizing AWS Lambda, S3, API Gateway and DynamoDB. This application consists of the latest OWASP (2021) vulnerabilities and contains other misconfigurations based on AWS Services. Currently, there is no other project in existence that focuses on both the OWASP Top 10 (2021) and AWS, making the tool an industry gamechanger. 

AzureGoat — the Azure counterpart of AWSGoat — also features the latest released OWASP Top 10 (2021) vulnerabilities and misconfigurations on services like Azure App Functions, CosmosDB, Storage Accounts, Automation and Identities. Similar to its sister project, AzureGoat mimics real-world infrastructure and features multiple escalation paths and a black-box approach.

While there are numerous vulnerable applications for AWS, there are fewer options for Azure. “AzureGoat is our attempt to shorten the gap,” creators of AzureGoat recently told cybersecurity trade The Daily Swig

The team also made special efforts to ensure the realism of both deliberately vulnerable infrastructures. “We looked at the most common attacks that occur in cloud deployments, and the context in which they occurred,” said Mathai. “To make AWSGoat and AzureGoat as realistic as possible, our team weaved these common exploits into everyday WebApps — you’ll notice that the first module simulates our company blog.” 

Although in their infancy, the team has ambitious plans for AWSGoat and AzureGoat. The next module is already under development and will feature an internal HR Payroll application, utilizing AWS ECS infrastructure. Future editions include defense/mitigation aspects including Security Engineering, Secure Coding, and Monitoring and Detecting Attacks. Similar modules are in the roadmap for AzureGoat as well. “People will learn to exploit vulnerabilities, patch misconfigurations and coding flaws, and use monitoring services to detect attacks — all in one environment,” said Mathai. “This will be a massive project in years to come.”

About INE: 

INE is the world's leading provider of hands-on technical training for the IT industry.  INE is revolutionizing the digital learning industry through the implementation of adaptive technologies and a proven method of hands-on training experiences. INE’s portfolio of training is built for levels of technical learning specializing in advanced networking technologies, next-generation security, and infrastructure programming and development.

Attachments

 
AWSGoat AWSGoat

Contact Data