Penetration testing, also known as pen testing, is the testing of an app, add-on, computer system, network, or web application to find security vulnerabilities that an attacker could exploit. It is a critical component of an application’s security and compliance posture, as a comprehensive pen testing program can help prioritize the remediation steps necessary to prevent potential threats.
By simulating cyber-attacks, developers/ISVs can better understand the effectiveness of their current security measures and make informed decisions to enhance their security posture. As a proactive measure, regular pen tests combined with other security frameworks can provide an in-depth, defensive approach to app security, providing assurance that applications are secure and customer data is protected.
What is pen testing?
Pen testing evaluates the security of an application by simulating real-world cyber-attacks. It identifies and exploits vulnerabilities in the application’s code, configuration, and design, while providing recommendations for remediation. Pen testing is a manual process supported by automated tools. It can cover various aspects of the application and the app’s hosting environment, such as web interfaces, APIs, databases, network services, or mobile platforms.
Pen tests are different from vulnerability scans, which are a more automated and less comprehensive process of finding security flaws. Auditors mimic the behaviors and techniques of actual attackers to discover complex or hidden vulnerabilities that scanners cannot detect, helping ISVs and developers understand the impact and probability of each vulnerability so they can prioritize risk based on their individual frameworks and ecosystems, and providing detailed reports and evidence of the findings.
Auditors will typically review the following during a penetration test:
- The live production environment that supports deployment of the app.
- Any connecting environments the app may call from/to.
- The full internal and external footprint of the app (IP addresses, URLs, API endpoints, etc.).
Microsoft 365 Certification offers free penetration testing
Microsoft 365 Certification requires pen testing as a foundational part of the certification process. Auditors use the results to set the evidence requirements needed for completion, and certified apps and add-ins undergo annual pen tests to keep their certification current.
For Infrastructure as a Service (IaaS) or ISV hosted environments, both internal and external infrastructure and web application penetration tests are required. For Platform as a Service (PaaS/Serverless), the penetration test should be performed on the web application and the underlying supporting infrastructure.
By providing free, annual pen testing as part of Microsoft 365 Certification, Microsoft gives ISVs the opportunity to validate the security of their application against Microsoft’s rigorous standards without incurring additional costs, proving their apps have the frameworks necessary to protect customer data.
Next steps
Learn more about the Microsoft 365 Certification and how pen testing can help verify your app’s underlying security. To start certification, go to the Microsoft Partner Center dashboard, select an app from Marketplace offers overview, and select App Compliance.