Participating in the Microsoft 365 Certification App Compliance Program for Microsoft Teams applications, Sharepoint Apps/Add-ins, Office Add-ins and WebApps requires performing a penetration test. In the Initial Document Submission a company needs to submit supporting documentation and evidence. Besides other topics, a Penetration Testing Report is required. A penetration testing report completed within the last 12 months. This report must include the pentest of the live environment that supports the deployment of the app along with any additional environment that supports the operation of the app. If segmentation controls are in place, these must also be validated.
The pentest requirements by Microsoft are:
- Every 12 months application and infrastructure pentesting must take place annually.
- These Tests are conducted by a reputable independent company.
- Remediation of identified critical and high-risk vulnerabilities must be completed within one month after the pentest report.
- The full external attack surface (IP Addresses, URLs, API Endpoints, etc.) must be included within the scope of penetration testing and must be documented within the penetration testing report.
- Web application penetration testing must include all typical vulnerability classes; for example, the most current OWASP Top 10 or SANS Top 25 CWE.
- Retesting of identified vulnerabilities by the penetration testing company is not required — remediation and self-review is sufficient however, adequate evidence to demonstrate sufficient remediation must be provided during the assessment. Retesting of identified vulnerabilities are nevertheless best practice in information security.
- Penetration testing reports will be reviewed to ensure there are no vulnerabilities that meet the following automatic failure criteria:
- Unsupported operating system
- Default, enumerable, or guessable administrative accounts.
- SQL injection risks
- Directory traversal (file path) vulnerabilities.
- Typical HTTP vulnerabilities, e.g., Header response splitting, Request smuggling, and Desync attacks
- Source code disclosure (including LFI)
- Any critical or high score as defined by the CVSS patch management guidelines.
- Any significant technical vulnerability which can be readily exploited to compromise a large amount of EUII or OUI