SoftwareIDM monthly runs vulnerability scanning against the Identity Panel SaaS services using Qualys web application scanning, and annual adversarial pen-testing using third-party security vendor. SoftwareIDM has standard controls in-place for categorizing and prioritizing vulnerabilities discovered through scanning and pen-testing.

Prior to running a PenTest against an Azure-hosted service the tester should co-ordinate with their SoftwareIDM contacts and notify the Microsoft Azure security team using the process below:

Pen Testing

https://docs.microsoft.com/en-us/azure/security/azure-security-pen-testing

When you’re ready to pen test your Azure-hosted applications, you need to let us know. Once we know that you’re going to be performing specific tests, we won’t inadvertently shut you down (such as blocking the IP address that you’re testing from), as long as your tests conform to the Azure pen testing terms and conditions.

Standard tests you can perform include:

• Tests on your endpoints to uncover the Open Web Application Security Project (OWASP) top 10 vulnerabilities
• Fuzz testing of your endpoints
• Port scanning of your endpoints

One type of test that you can’t perform is any kind of Denial of Service (DoS) attack. This includes initiating a DoS attack itself, or performing related tests that might determine, demonstrate or simulate any type of DoS attack.

Are you ready to get started with pen testing your applications hosted in Microsoft Azure? If so, then head on over to the Penetration Test Overview page (and click the Create a Testing Request button at the bottom of the page. You’ll also find more information on the pen testing terms and conditions and helpful links on how you can report security flaws related to Azure or any other Microsoft service.

Submit Azure Service Penetration Testing Notification

https://portal.msrc.microsoft.com/en-us/engage/pentest

Penetration Test Notification Process:

1. Complete this Penetration Testing Form
2. Acknowledgment from Azure Team 
   Once the form is submitted, the Azure Team will respond to the notification. In case any further information is required, the Azure Team will contact you by email using the information provided in the ‘Azure Service Penetration Testing Notification’ form.
3. Test Completion 
   You may only conduct those tests acknowledged by the Azure Team and subject to any conditions specified in the acknowledgment email. In case you require additional time (or a different time) to carry out the testing, you do not need to resubmit your test notification unless the testing plan has changed.