8 May
min read

Platform as a Service Testing

PaaS is a cloud computing model where a third-party provider delivers a platform for developing, running, and managing applications. Testing PaaS-hosted applications is unique due to the shared responsibility model between the hosting provider and the client, where the provider manages the underlying infrastructure and the client manages the application deployed on the infrastructure.

The specific approach and methodology applied to testing may vary depending on the scope of the engagement. However, typically we would consider the following:

Information Gathering

Information gathering is a critical part of the security testing methodology for PaaS-hosted applications. It involves collecting information about the application, its architecture, and its environment to identify potential vulnerabilities and attack vectors. When testing PaaS-hosted applications, the following steps should be taken during the information gathering phase:

  • Identify the application's purpose and functionality
  • Understand the application's architecture
  • Identify the application's environment
  • Identify potential vulnerabilities

By gathering this information, penetration testers can better understand the application's security posture and develop an effective testing strategy that focuses on the areas of highest risk.

Static Code Analysis

Static code analysis is an important part of the security testing methodology for PaaS-hosted applications. It involves analysing the application's source code to identify potential vulnerabilities and coding errors that could lead to security weaknesses. When performing static code analysis on PaaS-hosted applications, the following steps should be taken:

  • Obtain the application's source code
  • Analyse the code for security vulnerabilities
  • Review the results and prioritize findings
  • Follow up with developers

It is important to note that static code analysis should be used in conjunction with other testing methodologies, such as dynamic testing and manual code review, to provide a comprehensive picture of the application's security posture. Additionally, the limitations of static code analysis should be acknowledged, as it cannot detect all types of vulnerabilities and may produce false positives or negatives.

Penetration Testing

Penetration testing is a critical part of the security testing methodology for PaaS-hosted applications. Testers will use a combination of automated and manual techniques to test for vulnerabilities, including OWASP-10 vulnerabilities.

There are also unique considerations that must be taken into account when testing PaaS-hosted applications. These considerations include:

SDKs and Third-Party APIs

PaaS solutions typically offer SDKs and third-party APIs to enable developers to build and deploy applications quickly. These SDKs and APIs may provide additional functionality, but they may also introduce vulnerabilities that can be exploited by attackers. For instance, an SDK may provided extended functionality that had not been developed or considered for the purposes of the application being tested.

Programming Languages

PaaS solutions often support multiple programming languages, such as Apex for Salesforce. Each programming language has its own unique security considerations, such as potential vulnerabilities related to code injection, authentication, and data access. It is beneficial to review the application's code and ensure that it follows secure coding practices.

Data Stores

PaaS solutions may use data stores outside of the scope of the application, such as cloud storage solutions. It is essential to identify and understand the interaction with these data stores and to consider how they may affect the application.


For third-party solutions such as Salesforce, restrictions imposed by the hosting provider must be taken into account. By following this methodology, penetration testing consultants can ensure that PaaS-hosted applications are tested thoroughly and effectively.

All testing performed must not

  1. Breach restrictions imposed by the hosting provider.
  2. Target users or systems not directly related to the client.
  3. Verify that the application follows the guidelines provided by the hosting provider.

bug report

Get a Free Trial  From Cytix

Haven’t tried Cytix yet? Try our free trial to see how it works.

Get a Free Trial

Rules of Engagement

Amazon Web Services




Start Detecting Vulnerabilities Others Miss Today

  • Detect Vulnerabilities Faster
  • Patch Vulnerabilities Faster
  • Be more compliant
Learn More

Detect, Resolve &
Patch Faster With Cytix

Get a free test today and see how it works.
CTA Image
cta rectangle image
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.