Pen Testing FROM Azure Virtual Machines

Did you know that we support and hope that you’ll pen test your own applications and services you run in Azure?

Yes! We do – but you need to follow the rules.

All you need to do is read the rules of the road and let us know that you’re going to conduct pen testing exercises. Head on over to the Penetration testing overview page to learn what you need to do and then fill out the form.

But what about a related scenario where you want to use Azure Virtual Machines to launch your pen testing efforts? In this situation your pen testing tools and processes will source from Azure Virtual Machines and you’ll be pen testing resources on YOUR corporate network (or some other network that you own and for which you are responsible).

I got that question last week and wasn’t entirely sure of the answer. I had an assumption, but needed to test the assumption. Guess what? My assumption was wrong.

My assumption was that you needed to complete the pen testing form to pen test FROM an Azure Virtual Machine. The fact is that if you’re going to pen test resources that are NOT on Azure (and you have permission and authority to pen test those resources), you DO NOT need to fill out the form.

HOWEVER:

  • You cannot do DDoS testing or any other kind of DoS testing that would impact the Azure infrastructure (e.g., network floods).
  • If you’ve enabled Azure Security Center (and I hope you have), you’ll get a lot of alerts regarding suspicious or dangerous activity emanating from your resources in Azure.

That’s it – let us know if you have any questions on this issue by asking questions in the comments section below.

Thanks!

Tom

Tom Shinder
Program Manager, Azure Security
@tshinder | Facebook | LinkedIn | Email | Web | Bing me! | GOOG me!