OWASP Cloud Security Mentor

 {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

Overview
With the rise of cloud computing, a lot of companies have moved their workload to the cloud. Cloud allows organizations of all sizes to manage their application lifecycle more effectively and efficiently. Because of its design, Cloud has its own set of unique security challenges. There is already an abundance of documentation and open source projects to raise awareness about cloud-specific security issues. Sometimes, consuming this information may feel like drinking from a firehose. This project aims to teach the cloud security fundamentals in a consolidated and actionable manner. The primary goal of the project is to empower cloud defenders with practical cloud security knowledge. This project provides hands-on cloud security tutorials that the audience can conveniently consume in their public cloud accounts to learn at their own pace. The target audience for this project are system administrators, software developers, and solutions architects.

Description
The project would deliver a code repository which would describe various cloud hardening principles. The repository would also contain an application utility to demonstrate common cloud vulnerabilities and with the recommended fixes. At a high-level, the project would be divided into multiple Cloud resources such as Storage, Compute, etc. Inside these folders, there will be subfolders describing various vulnerabilities applicable to the cloud resource. Inside these subfolders, we will have one folder for each public cloud provider to demonstrate the vulnerability as well as the recommended security fix.

The audience would follow these steps to learn about a cloud vulnerability:
 * 1) Go to the directory for the vulnerability
 * 2) Go through the content to learn about the vulnerability and hardening recommendations.
 * 3) Choose a public cloud service provider from the directory.
 * 4) Run the vulnerable cloud deployment template to deploy a vulnerable cloud resource
 * 5) Use the utility to exploit the vulnerability.
 * 6) Deploy the hardened cloud deployment template to fix the vulnerability.
 * 7) Rerun the exploit code, this time it would fail.

Licensing
Apache License 2.0

Roadmap
2019 Q1 & Q2:
 * Seek input on the project proposal from other members of the community
 * Come up with the design and architecture for the technological framework that would be used for authoring cloud security tutorials

2019 Q3:
 * Choose a cloud service, a set of applicable vulnerabilities, and a public cloud service provider for the initial implementation.
 * Complete a PoC for the generic technological framework using a cloud vulnerability identified step #1.

2019 Q4:
 * Improve the framework engineering fundamentals (reliability, performance, logging, etc.) if required
 * Leverage the framework for authoring tutorials for all chosen vulnerabilities from step #1 of the 2019 Q2 plan

2020 Q1:
 * Continue with the 2019 Q4 #2 objective
 * Extend the project to cover other cloud resources under the chosen public cloud provider

Getting Involved
If you would like to contribute, then please get in touch with the project leader.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

Project Resources
Installation Package

Source Code

What's New (Revision History)

Documentation

Wiki Home Page

Issue Tracker

Slide Presentation

Video

Project Leader
Ashish Kurmi

Related Projects

 * OWASP_Tool_Project_Template
 * OWASP_Documentation_Project_Template

Classifications

 * }