One of the benefits of using Azure for application testing and deployment is that you can quickly get environments created. You don't have to worry about requisitioning, acquiring, and "racking and stacking" your own on-premises hardware.
Quickly creating environments is great but you still need to make sure you perform your normal security due diligence. One of the things you likely want to do is penetration test the applications you deploy in Azure. We don't perform penetration testing of your application for you, but we do understand that you want and need to perform testing on your own applications. That's a good thing, because when you enhance the security of your applications you help make the entire Azure ecosystem more secure.
Because such testing can be indistinguishable from a real attack, Microsoft sets rules for how it is carried out. As of June 15, 2017, Microsoft no longer requires pre-approval to conduct a penetration test against Azure resources. You remain responsible for testing only resources that you own or are explicitly authorized to test, and for staying within the limits described under Permitted testing and Prohibited testing below.
Important
Customers must comply with the Microsoft Cloud Unified Penetration Testing Rules of Engagement. Those rules, rather than an approval process, define what you may and may not do against Azure services.
Permitted testing
You can perform penetration testing on your own Azure-hosted applications and services without prior approval. This includes testing:
- Your endpoints hosted on Azure Virtual Machines
- Azure App Service applications (Web Apps, API Apps, Mobile Apps)
- Azure Functions and API endpoints
- Azure Websites
- Any other Azure services where you own or have explicit authorization to test the deployed resources
Standard tests you can perform include:
- Tests on your endpoints to uncover the Open Web Application Security Project (OWASP) top 10 vulnerabilities
- Dynamic Application Security Testing (DAST) of your web applications and APIs
- Fuzz testing of your endpoints
- Port scanning of your endpoints
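The list above permits port scanning of your own endpoints but, as the next section explains, not anything that looks like a Denial of Service. The two practical controls that keep a scan on the right side of that line are a hard scope check (only addresses you own) and pacing (enumerate, don't flood). The following script is an added example written for this article, not Microsoft's code: it performs a paced TCP connect scan and refuses any target whose resolved addresses fall outside an allow-list. The scope (203.0.113.0/24 is a documentation range, and 127.0.0.1 is included only so the script runs offline) and the port list are constructed for illustration; replace them with the public IPs of your own Azure VMs or App Service endpoints.

```python
"""Scope-enforced, paced TCP connect scan.

Added example for the permitted-testing section; not Microsoft's code.
The SCOPE below is constructed: 203.0.113.0/24 is a documentation
range, and 127.0.0.1 is only there so the script can run offline.
"""
import ipaddress
import socket
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed allow-list. Replace with networks/IPs you own or are
# explicitly authorized to test, for example your own Azure VM public IPs.
SCOPE = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def in_scope(host, scope=SCOPE):
    """Return True only if every address the host resolves to is in scope.

    A hostname with even one out-of-scope address is rejected, so a DNS
    answer you did not expect cannot quietly widen the test.
    """
    try:
        addrs = {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return False
    if not addrs:
        return False
    return all(
        any(ipaddress.ip_address(a) in net for net in scope) for a in addrs
    )


def scan_ports(host, ports, scope=SCOPE, workers=4, delay=0.05, timeout=1.0):
    """TCP connect scan of host, restricted to scope.

    Returns {port: "open" | "closed" | "filtered"}.
    Raises PermissionError before sending a single packet if host is
    outside scope. `workers` and `delay` cap the probe rate so the scan
    stays an enumeration exercise rather than a load test.
    """
    if not in_scope(host, scope):
        raise PermissionError(f"{host} is outside the authorized scope; refusing to scan")
    ports = sorted({int(p) for p in ports})
    if any(p < 1 or p > 65535 for p in ports):
        raise ValueError("ports must be in 1..65535")

    def probe(port):
        time.sleep(delay)  # pace each probe; connection-refused answers are fast
        try:
            socket.create_connection((host, port), timeout=timeout).close()
            return port, "open"
        except ConnectionRefusedError:
            return port, "closed"          # RST received: host is up, port closed
        except (socket.timeout, OSError):
            return port, "filtered"        # no answer or unreachable: likely an NSG/firewall drop

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(probe, ports))


if __name__ == "__main__":
    # Loopback demo; against 203.0.113.x nothing answers, so results are "filtered".
    for port, state in scan_ports("127.0.0.1", [22, 80, 443, 8080]).items():
        print(f"127.0.0.1:{port} {state}")
```

The scope check runs before any socket is opened, so a typo in a hostname fails closed instead of probing someone else's address. On Azure, "filtered" usually means a Network Security Group or the platform firewall is dropping the SYN; "closed" means the VM answered, which is itself useful inventory information.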
Prohibited testing
One type of pen test that you can't perform is any kind of Denial of Service (DoS) attack. This prohibition covers initiating a DoS attack itself, and any related test that might determine, demonstrate, or simulate any type of DoS attack, even against endpoints you own.
DDoS simulation testing
If you need to test your DDoS resilience, you can use Microsoft-approved simulation partners. These partners provide controlled DDoS simulation services that don't violate the penetration testing rules:
- BreakingPoint Cloud: A self-service traffic generator that you can use to generate traffic against your own DDoS Protection-enabled public endpoints for simulations.
- Red Button: Work with a dedicated team of experts to simulate real-world DDoS attack scenarios in a controlled environment.
- RedWolf: A self-service or guided DDoS testing provider with real-time control.
To learn more about these simulation partners, see testing with simulation partners.
Next steps
- Learn more about the Penetration Testing Rules of Engagement.