Penetration Testing

In a penetration test, skilled security professionals simulate the behavior of a hacker to discover potentially exploitable vulnerabilities. Penetration testing is known to find a broad variety of vulnerabilities, including those resulting from coding errors, configuration flaws, or other deployment weaknesses.

To detect recently discovered or any previously known vulnerabilities or weaknesses in the Zensai platform, Zensai uses different types of penetration testing techniques. In this article, we will describe the penetration testing techniques employed by Zensai.

 


Dynamic Application Security Testing (DAST)

Veracode Dynamic Analysis (DAST) is used for automated penetration testing of Zensai applications and underlying web applications during the Quality Assurance (QA) process.

This test helps find exploitable vulnerabilities at an early stage and enables us to address potential issues before updates are pushed into staging and later into production.

 

Third party penetration testing

Penetration testing for Zensai is conducted at least annually by a Microsoft-appointed company.

The Zensai penetration test is limited to the Learn365, Perform365, and Engage365 applications and should be read in conjunction with the penetration testing carried out by Microsoft on the Azure platform. Read more in "What is Microsoft 365 Certification?"

The third party penetration testing helps improve the Zensai platform and guides actions in terms of improving security controls, introducing new security controls, and improving our security processes.

 

Executive Summary of the latest third party penetration test

Synopsis

It is our assessment that the Learn365, Perform365, and Engage365 applications are implemented with a high degree of security and that they do not contain any known vulnerabilities that can be leveraged to gain access to customer data or backend systems.

As the Learn365, Perform365, and Engage365 applications are highly integrated with the Microsoft Office 365 and Azure platforms, several key security features, including the authentication and authorization scheme, are inherited from this platform. The focus of the test was thus limited to the non-Office 365 functionality available to the users of Learn365, Perform365, and Engage365 to ensure maximum coverage of the applications and less on the standard Microsoft platform itself.

It should be noted that Zensai was very responsive and observant during the test, which led to a better understanding of the setup and design choices. This also enabled a dialogue around some of the initial observations made during the test and whether these were in scope (Learn365, Perform365, and Engage365) or out of scope (standard Microsoft functionality).

 

Key Findings

No high severity vulnerabilities were observed during the test.

 
