Ask HN: Pointless Pentesting S3?
One of our clients has a policy of Pentesting everything they put their name on.
We've just done a project for them involving a static site (HTML + Images) hosted on S3.
Despite our assurances, they want to pentest Amazon S3.
Is this as insane as I think?
3 comments
[ 3.5 ms ] story [ 22.5 ms ] threadYup. But that's something they'll need to ask Amazon for permission to do before they can legally proceed. Else, CFAA/relevant local draconian law can smack them down pretty hard.
I do a lot of application security. A friend of mine does front-end design (no Javascript). I don't check her work for security holes because it's pointless; she can't touch the backend code.
As the GNY crew might say, "Context, people. Context."
http://www.textfiles.com/webfiles/ezines/GONULLYOURSELF/gonu...
In the case of a an Amazon S3 bucket, I would think the following items should be enumerated in a pentest:
This is more of an audit than a pentest. But sometimes a company will only have peace of mind if they base their measurements off of an established internal process. Even if the tests don't seem to make sense for the technology or implementation they will make sense when it comes to identifying risk metrics across all of their web facing products.