September 5th, 2024

Microsoft 365 Certification control spotlight: Vulnerability scanning

Vulnerability scanning is a critical security control that defends against potential cyber threats. It is a systematic process that inspects an organization’s computer systems, networks, and web applications to identify and evaluate potential vulnerabilities that could be exploited by threat actors. Regular vulnerability assessments are mandated by industry standards and government regulations, such as the Payment Card Industry Data Security Standard (PCI DSS).

The longer a vulnerability remains unaddressed, the greater the risk of compromise. Attackers typically take about 166 days to exploit a system after a vulnerability is identified, and once a system is compromised they retain access to sensitive data for an average of 127 days.

Vulnerability scanning is a proactive measure that helps organizations detect weaknesses early, allowing them to remediate issues before they can be exploited, thus maintaining a robust security posture.

Microsoft 365 Certification validates vulnerability scanning

Microsoft 365 Certification reviews independent software vendors’ implementation of vulnerability scanning. It requires evidence that quarterly vulnerability scans are performed against both the public footprint (public IPs and URLs) and internal IP ranges, so that no part of the organization’s technology stack is left unchecked.

Certification also mandates rescans to validate that any identified vulnerabilities have been remediated in accordance with the organization’s patch management policy. This demonstrates an organization’s commitment to not just identifying vulnerabilities but also taking prompt action to address them.

Auditors will confirm that vulnerability scanning covers the full scope of the environment, so that every system component is assessed. This includes infrastructure and web applications as well as serverless and Platform as a Service (PaaS) components; for the latter, where there is no host or network surface to scan, the evidence is confirmation that current, patched versions of libraries and dependencies are in use.
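The three requirements above (scans at least quarterly, both external and internal scope, and rescans that confirm remediation within the patch-management policy) are the kind of thing an auditor checks from scan records, and the kind of thing a vendor should check before submitting evidence. The script below is an added example, not part of the original post and not ACAT or any Microsoft tool: it evaluates a constructed set of scan results against those requirements. The 92-day reading of "quarterly", the severity-to-days patch SLA, and the VULN-000x identifiers are all assumptions made for the illustration.

```python
"""Added example: check vulnerability-scan evidence against the requirements
above (quarterly cadence, external and internal scope, rescans that confirm
remediation within the patch-management SLA). All data is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

QUARTER_MAX_GAP_DAYS = 92                  # assumption: "quarterly" = scans at most ~92 days apart
REQUIRED_SCOPES = {"external", "internal"}  # public IPs/URLs and internal IP ranges
# Hypothetical patch-management policy: days allowed to remediate, by severity.
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    vuln_id: str      # hypothetical identifier, not a real CVE
    severity: str


@dataclass
class Scan:
    scan_date: date
    scope: str                                   # "external" or "internal"
    findings: frozenset = field(default_factory=frozenset)


def cadence_gaps(scans, scope, max_gap=QUARTER_MAX_GAP_DAYS):
    """Pairs of consecutive scan dates for this scope that are more than max_gap days apart."""
    dates = sorted(s.scan_date for s in scans if s.scope == scope)
    return [(a, b) for a, b in zip(dates, dates[1:]) if (b - a).days > max_gap]


def remediation_status(scans, scope):
    """Map each finding seen in this scope to (first_seen, closed_on).

    closed_on is the date of the first later rescan of the same scope that no
    longer lists the finding; it stays None while no rescan has confirmed the fix.
    A finding is never treated as remediated just because a ticket was closed.
    """
    ordered = sorted((s for s in scans if s.scope == scope), key=lambda s: s.scan_date)
    status = {}
    for i, scan in enumerate(ordered):
        for finding in scan.findings:
            if finding in status:
                continue
            closed_on = next((later.scan_date for later in ordered[i + 1:]
                              if finding not in later.findings), None)
            status[finding] = (scan.scan_date, closed_on)
    return status


def sla_breaches(scans, scope, today):
    """Findings confirmed fixed later than policy allows, or still open past their deadline."""
    breaches = []
    for finding, (first_seen, closed_on) in remediation_status(scans, scope).items():
        deadline = first_seen + timedelta(days=PATCH_SLA_DAYS[finding.severity])
        if (closed_on or today) > deadline:
            breaches.append((finding.vuln_id, first_seen, deadline, closed_on))
    return sorted(breaches, key=lambda b: b[0])


def evaluate(scans, today):
    """Summarise the evidence; 'compliant' is True only if every check passes."""
    present = {s.scope for s in scans}
    report = {"missing_scopes": sorted(REQUIRED_SCOPES - present),
              "cadence_gaps": {}, "stale": [], "sla_breaches": {}}
    for scope in sorted(present):
        report["cadence_gaps"][scope] = cadence_gaps(scans, scope)
        latest = max(s.scan_date for s in scans if s.scope == scope)
        if (today - latest).days > QUARTER_MAX_GAP_DAYS:
            report["stale"].append(scope)              # last scan is older than a quarter
        report["sla_breaches"][scope] = sla_breaches(scans, scope, today)
    report["compliant"] = not (report["missing_scopes"] or report["stale"]
                               or any(report["cadence_gaps"].values())
                               or any(report["sla_breaches"].values()))
    return report


# Constructed sample evidence (hypothetical ids and dates).
VULN_A = Finding("VULN-0001", "critical")
VULN_B = Finding("VULN-0002", "high")
VULN_C = Finding("VULN-0003", "medium")
VULN_D = Finding("VULN-0004", "low")
SAMPLE_SCANS = [
    Scan(date(2024, 1, 10), "external", frozenset({VULN_A, VULN_B})),
    Scan(date(2024, 1, 22), "external", frozenset({VULN_B})),   # rescan confirms VULN-0001 fixed in 12 days
    Scan(date(2024, 4, 8), "external", frozenset()),            # VULN-0002 confirmed fixed, but 89 days > 30-day SLA
    Scan(date(2024, 7, 5), "external", frozenset({VULN_D})),    # new low finding, still within its window
    Scan(date(2024, 1, 12), "internal", frozenset({VULN_C})),
    Scan(date(2024, 5, 20), "internal", frozenset({VULN_C})),   # 129-day gap, and VULN-0003 still open
]
TODAY = date(2024, 9, 5)

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_SCANS, TODAY).items():
        print(f"{key}: {value}")
```

Two design points matter for the rescan requirement: a finding only counts as remediated when a later scan of the same scope no longer reports it, so closing a ticket without rescanning leaves it open in the report; and the SLA clock runs from the scan that first reported the finding, so a fix that lands in time but is only confirmed by a rescan after the deadline still shows as a breach, which is why rescans should be scheduled against the policy window rather than the next quarterly cycle.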

This control set is entirely automated using ACAT, the App Compliance Automation Tool. ACAT is a service within the Azure portal designed to ease the path to compliance for applications that use Microsoft 365 customer data and are published through Partner Center. ACAT also supports continuous compliance monitoring with customized daily reports.

Next steps

To learn more about certification and how it validates vulnerability scanning for your application, review the Microsoft 365 Certification vulnerability scanning control evidence requirements. To start certification, go to the Microsoft Partner Center dashboard, select an app from Marketplace offers overview, and select App Compliance.
