Infrastructure Security

The infrastructure an application deploys to is as crucial as the application itself. Differences between environments may change how an application behaves. This can result in a once-mitigated issue resurfacing, or turn a theoretical vulnerability into a proof-of-concept. Cloud or on-prem, Docker or VM; regardless of the technology stack, we believe hardening the infrastructure should be a top priority.

We Assess

Infrastructure Deployments

Cloud

Cloud infrastructure providers such as AWS, GCP, and Azure.

Infrastructure as Code

Commonly used cloud native tools such as Kubernetes, Terraform, and CloudFormation.

Cloud

While most cloud infrastructure providers offer extensive security features, enabling and implementing these features in the context of a specific application isn’t always straightforward. Our consultants are familiar with major cloud infrastructure providers (AWS, GCP, Azure, etc.) and their security features.

We concentrate on areas such as:

  • Roles & ACLs
  • Data Encryption
  • Object Storage Policy
  • Database & Compute Configuration

Infrastructure as Code

Many organizations use Kubernetes, Terraform, or CloudFormation to configure and deploy infrastructure. While these cloud native utilities provide excellent composability, they are not free of shortcomings. Forces Unseen works collaboratively with engineering teams to validate security controls implemented within an environment.

We review:

  • Service & Pod Connectivity
  • Data & Persistent Storage Encryption
  • Deployment Pipeline Implementation

our process

Methodology

Our application and infrastructure assessment methodologies are provided below. These documents describe our entire assessment process end-to-end. We're transparent; we make our process simple and clear to those who have never undergone a security assessment. For those familiar with security assessments, these documents give insight to nuances in our approach.

1

Pre-engagement

Establish the goals and scope of the project.

2

Access

Validate test environment, access, and configuration.

3

Testing

Perform tool-assisted manual security assessment of the targets in scope.

4

Post-engagement

Deliver and present the assessment results and remediation recommendations.