SoftwareIDM periodically runs penetration tests against the Identity Panel SaaS services using OpenVAS and Kali Linux to probe for potential vulnerabilities as they become known.
OpenVAS is an open-source fork of an earlier open-source release of the Nessus vulnerability scanner, http://www.openvas.org/.
Kali Linux is a penetration-testing distribution that runs from a dedicated Linux image, see https://www.kali.org.
Before running a penetration test against an Azure-hosted service, the tester should coordinate with their SoftwareIDM contacts and notify the Microsoft Azure security team using the process below:
When you’re ready to pen test your Azure-hosted applications, you need to let us know. Once we know that you’re going to be performing specific tests, we won’t inadvertently shut you down (such as blocking the IP address that you’re testing from), as long as your tests conform to the Azure pen testing terms and conditions.
Standard tests you can perform include:
- Tests on your endpoints to uncover the Open Web Application Security Project (OWASP) top 10 vulnerabilities
- Fuzz testing of your endpoints
- Port scanning of your endpoints
One type of test that you can’t perform is any kind of Denial of Service (DoS) attack. This includes initiating a DoS attack itself, or performing related tests that might determine, demonstrate or simulate any type of DoS attack.
Are you ready to get started with pen testing your applications hosted in Microsoft Azure? If so, then head on over to the Penetration Test Overview page and click the Create a Testing Request button at the bottom of the page. You’ll also find more information on the pen testing terms and conditions and helpful links on how you can report security flaws related to Azure or any other Microsoft service.
Submit Azure Service Penetration Testing Notification
Penetration Test Notification Process:
- Complete the Penetration Testing Form.
- Acknowledgment from the Azure Team: once the form is submitted, the Azure Team will respond to the notification. If any further information is required, the Azure Team will contact you by email using the information provided in the ‘Azure Service Penetration Testing Notification’ form.
- Test Completion: you may only conduct those tests acknowledged by the Azure Team, subject to any conditions specified in the acknowledgment email. If you require additional time (or a different time) to carry out the testing, you do not need to resubmit your test notification unless the testing plan has changed.