The penetration testing method currently practiced in the information systems domain is insufficient to protect information systems. Penetration testing is done as part of the final acceptance criteria before a system is released into a production environment. Once the system is in production, its environment and configuration are bound to change for various reasons, especially in cloud environments. Such changes have the potential to create vulnerabilities, and hackers take advantage of them. In cloud service models like PaaS, security is a shared responsibility of tenant and provider, and penetration testing is challenging to perform. This paper introduces a new method called Compliance Based Penetration Testing (CBPT). The CBPT method is targeted specifically at PaaS environments and is meant to identify critical issues in cloud-based environments. As the cloud is the way forward, this approach will be beneficial and will save effort and cost for all cloud consumers.
