How to inform google on upcoming penetration test - google-cloud-platform

We are running our Software Application partially on google cloud platform and will be running a security review, which includes a penetration test soon.
We are tasked with informing our Hosting providers on this.
How should I do this for Google?
Regards

In general, you are not obliged to inform Google about your pen tests:
If you plan to evaluate the security of your Cloud Platform
infrastructure with penetration testing, you are not required to
contact us. You will have to abide by the Cloud Platform Acceptable
Use Policy and Terms of Service, and ensure that your tests only
affect your projects (and not other customers’ applications). If a
vulnerability is found, please report it via the Vulnerability Reward
Program.
... therefore there's no actual formal way of doing this. Probably a good idea would be to contact Google Cloud Platform Support and re-check that, also to have a record of this action, as you say you were tasked to inform the cloud provider.

Related

Google Cloud Platform: Mining cryptocurrencies

I received an email indicating that my Google Cloud Project has been suspended because I was supposedly mining cryptocurrencies.
My project is a tool like a Calculator and that issue surely isn't possible.
What could have happened?
In order to create a function I hired a programmer on UpWork and gave him access to the GCP.
Well, it seems this developer has abused our trust and did something wrong.
What can I do?
Now the project is suspended and in any section I try to go into, the "Appeal" form appears.
I appealed but I have to wait for Google to reply.
How can I check if my project has been used for these bad usages?
I want to cut off the services the developer could have used or so.
Unfortunately, you must wait for Google’s reply.
As a recommendation, you could review this information to determine if it is intended: cryptocurrency mining is often an indication of the use of fraudulent accounts and payment instruments, and requires verification in order to mine cryptocurrency, in the Cloud Security Help Center.
If you believe your project has been compromised, I recommend that you secure all your instances, which may require uninstalling and then reinstalling your project; you could follow the steps.
To better protect your organization from misconfiguration and access the best of Google's threat detection, you may consider enabling Security Command Center (SCC) for your organization. To learn more about SCC visit.

AWS WAF Log Utilisation + Penetration Testing with Web Applications

How can AWS Web Application Firewall help me in identifying which penetration testing I should use against my web application? Once I have access to the WAF logs, how can I best utilise them to identify penetration testing?
I would say that the AWS WAF (or any WAF) is not a good indicator of what type of pentesting you should be doing. Determining the scope and type of pentesting is one of the most important first steps a qualified pentester or consultancy should be doing.
On the topic of WAFs, I would also say that they are not a good indicator of true manual pentesting. While the AWS WAF is great at catching SQL Injection and XSS test cases, it is not capable of detecting parameter tampering attacks.
So while it can create alerts that are likely to detect scans, it may fall short of detecting subtle human-driven test cases (which are often more dangerous).
To detect true pentest test-cases, it is always most valuable to add instrumentation at the application layer. This way you can create alerts for when a user tries to access pages or objects that belong to other users.
Also consider that if you create these alerts at the application layer, you can include more valuable data points such as the user and IP address. This will provide a valuable distinction between alerts that are created by random scanners on the internet, and ones created by authenticated users.
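The application-layer instrumentation the answer recommends, as an added example that is not part of the original post: an ownership check that records every denied object access together with the requesting user and source IP, plus a triage helper that separates authenticated cross-user attempts from anonymous probes. The object store, user names and IPs are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: object id -> owning user id.
OWNERS = {"inv-1001": "alice", "inv-1002": "alice", "inv-2001": "bob"}


@dataclass(frozen=True)
class Alert:
    user: Optional[str]   # None when the request was unauthenticated
    ip: str
    object_id: str
    reason: str           # "foreign_object" or "unknown_object"


def fetch_object(object_id: str, user: Optional[str], ip: str, alerts: list) -> Optional[str]:
    """Application-layer ownership check. Returns the record when the caller
    owns it, otherwise None; every denial is recorded with user and IP so the
    alert carries context a WAF log would not have."""
    owner = OWNERS.get(object_id)
    if owner is None:
        # Requests for ids that do not exist are typical of enumeration.
        alerts.append(Alert(user, ip, object_id, "unknown_object"))
        return None
    if user != owner:
        # Authenticated user reaching for someone else's object.
        alerts.append(Alert(user, ip, object_id, "foreign_object"))
        return None
    return f"{object_id} (owner {owner})"


def triage(alerts: list, threshold: int = 2) -> dict:
    """Split denials into authenticated cross-user attempts and anonymous
    probes, and name authenticated users at or above the threshold."""
    by_user = defaultdict(int)
    anonymous_ips = defaultdict(int)
    for a in alerts:
        if a.user is None:
            anonymous_ips[a.ip] += 1
        else:
            by_user[a.user] += 1
    suspects = sorted(u for u, n in by_user.items() if n >= threshold)
    return {"authenticated": sum(by_user.values()),
            "anonymous": sum(anonymous_ips.values()),
            "suspect_users": suspects,
            "probing_ips": sorted(anonymous_ips)}
```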

Devops project management board in Google Cloud platform

Does the Google Cloud Platform have a project management board like Azure DevOps? If so, can someone please provide the details?
Right now there is no such thing in GCP. There are other tools but nothing related to Project Management. I think because, in general terms, this would not add much to what GCP offers:
Platform as a service (PaaS).
Functions as a service (FaaS).
Containers as a service (CaaS).
Infrastructure as a service (IaaS).
Storage Services, Databases.
BigData services, Machine Learning Services.
Anyway, if you have a general idea of how you would like to work and which products you think it could interact with, you can file a Feature Request on the Public Issue Tracker with as many details as possible.
I found this post named Google Project Management Doesn’t Exist… Now What? which you might find interesting.
I also found this about G Suite tips for project management. The most relevant could be:
Create dynamic project plans and Gantt charts in Sheets to manage your projects, assignments, and deadlines. Team members across the globe can update their progress directly in the spreadsheet so it's always up to date.

Google Cloud Speech API on production

As we know, Google Cloud Speech API is in Beta now.
Will it be safe to use it in an application on a production server?
I was also searching for the applications which are using Google Cloud Speech API; so far I have found the following:
VoiceBase, Hyperconnect, InterActiveTel
Does anyone know of any other applications that could give us more confidence in using it on production server?
The official definition of GCP launch stages, such as Beta, can be found in our documentation here.
Beta is the point at which we are ready to open a release for any customer to use. There are no SLA or technical support obligations in a Beta release, and charges may be waived in some cases. Products will be complete from a feature perspective, but may have some open outstanding issues. Beta releases are suitable for limited production use cases.
Emphasis is mine: Limited production. Ultimately, it is going to come down to your risk appetite.
As of Tuesday, April 18, the Cloud Speech API has reached General Availability, meaning all features are open to developers and are to be considered stable.
Voicebase provides more than just speech recognition and it is currently used in production by large customers. Take a look at some of the features:
http://voicebase.readthedocs.io/en/v2-beta/index.html

What are the pros and cons of developing a web app using Parse vs. AWS?

From what I know, Parse offers convenient communication stacks for various platforms such as iOS, so it is easy to build clients that use your web app.
But Parse also seems to be tightly integrated with Facebook. If you were to build a web app that does not need Facebook, but that may integrate with Facebook in the long term, is Parse the clear winner over deploying directly to AWS, or are there important disadvantages to consider?
As far as I understand their page, Parse is a PaaS (platform as a service) provider like Heroku and others, while AWS is an IaaS (infrastructure as a service) provider.
Pros for PaaS:
They care about the infrastructure
You build your app on an existing platform
For the start you don't need "ops-guys" as you don't do ops
You can take their knowledge and prebuilt tools to your advantage
Pros for IaaS:
You have full control over the underlying infrastructure
You can start with a greenfield and build whatever you want
You can use tools like Puppet / Chef / ... to control your servers
You don't have to pay for the additional stuff you get when using PaaS
(but have to pay your people for it)
So there is no winner of this "battle", but you have to decide whether you want to use prebuilt tooling and give up some independence for this, or whether you want to have absolute control over everything (nearly, as you can't touch the hardware) and invest time and manpower into building your own tooling.
"Better, Faster, Cheaper.."
If you are pursuing mobile first strategy, Parse is a great tool for bootstrapping a mature, full web-presence from nothing more than an original beta app.
I don't have direct experience with AWS.
I have used Heroku/Parse integrating (very quickly) a stand alone mobile app with the back-end where the back end needs to cover following:
DB/persistence/noSql
Workflow - async tasks
REST API interface HTTP
Once the mobile app existed with only stubbed local data, Parse allowed a single engineer to build out ALL infrastructure mentioned above very quickly, taking the app from single user to multi-user with full DB and workflow that backs client side events with considerable server-side and cloud side business logic and process. Scaling related startup stuff that used to take weeks took only days.
The compression (time & money) when scaling up an app stack is really something. The Parse API did almost everything that I needed with one small exception (remuxing UGC media).
Personally, I abandoned the Parse/Android SDK in favor of a more robust REST API (threading on client-side and heavy HTTP activity).
Developers used to Curl/REST dev stacks will take to Parse.