PCI DSS vulnerability scans

  • Question

  • Our Azure hosted application needs to go through a PCI DSS vulnerability scan and I am not finding much information on whether there are any complications in an Azure environment. We are looking to attain level 3 compliance, possibly level 2.

    Since the vulnerability scan may look like an attack on our application and Azure in general, I am wondering if the Windows Azure infrastructure poses any problem or complications. Can anyone speak to this issue in general and whether there is anything I need to do beforehand? I'm not concerned about my application specifically; I am talking about the fact that it is hosted in Azure. For example, if my app were hosted on-premises I might normally inform my internal IT group about this scan before it happens so they are not surprised if alarms in their monitoring systems get triggered. Is there any similar warning I need to give Azure beforehand?

    Obviously I am a newbie in this PCI DSS space so forgive me if I am not asking the right questions. I am open to any other general feedback you might have on this topic.

    Thursday, January 6, 2011 9:44 PM

Answers

  • Hi,

    There are no requirements to notify Microsoft if you are doing vulnerability testing within Windows Azure and you shouldn't encounter any issues with the Azure platform.  The only things to be aware of are if the vulnerability testing stresses your site to the point that your number of role instances is insufficient to keep up with the traffic, or if you are accessing another resource such as Blob storage or SQL Azure that may be throttled due to too much traffic.  But as long as your code is set up to retry after throttles then there should be no problem.

    Please note however that the Azure platform itself is not a PCI Validated Service Provider.  This may or may not affect your application's compliance, but is something you should be aware of.


    bill boyce
    Friday, January 7, 2011 8:52 PM
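    The answer above rests on the application retrying after a throttle instead of failing the request. The following Python snippet is an added illustration, not code from this thread or from Microsoft: it sketches a retry loop with capped exponential backoff and jitter that distinguishes throttling errors (which are worth retrying) from other failures (which are not), and honours a server-supplied retry-after hint when one is present. `ThrottledError`, `FlakyBackend` and `demo` are constructed for the example; the sleep and random functions are injectable so the behaviour can be checked without actually waiting.

```python
import random
import time
from typing import Callable, List, Optional, Tuple


class ThrottledError(Exception):
    """Constructed stand-in for a throttling response from a backend,
    e.g. SQL Azure error 40501 ("service is currently busy") or an HTTP 503
    ServerBusy from Blob storage. retry_after is the server's hint in
    seconds, or None when it gives none."""

    def __init__(self, message: str = "throttled", retry_after: Optional[float] = None):
        super().__init__(message)
        self.retry_after = retry_after


def backoff_delay(attempt: int, base: float = 0.5, cap: float = 8.0,
                  rng: Callable[[], float] = random.random) -> float:
    """Exponential backoff with full jitter: a random delay in
    [0, min(cap, base * 2**attempt)] so retrying clients do not stampede."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_retry(op: Callable[[], object], max_attempts: int = 5,
                    sleep: Callable[[float], None] = time.sleep,
                    rng: Callable[[], float] = random.random) -> Tuple[object, int]:
    """Call op(); on ThrottledError wait and retry, up to max_attempts.
    Any other exception propagates immediately (retrying a bug or an auth
    failure only adds load). Returns (result, attempts_used)."""
    for attempt in range(max_attempts):
        try:
            return op(), attempt + 1
        except ThrottledError as exc:
            if attempt == max_attempts - 1:
                raise  # budget exhausted: surface the throttle to the caller
            # Prefer the server's own hint; otherwise back off exponentially.
            delay = exc.retry_after if exc.retry_after is not None else backoff_delay(attempt, rng=rng)
            sleep(delay)
    raise AssertionError("unreachable")  # loop always returns or raises


class FlakyBackend:
    """Constructed backend that throttles its first `throttle_count` calls
    and then answers normally; stands in for SQL Azure or Blob storage."""

    def __init__(self, throttle_count: int, retry_after: Optional[float] = None):
        self.remaining = throttle_count
        self.retry_after = retry_after
        self.calls = 0

    def query(self) -> str:
        self.calls += 1
        if self.remaining > 0:
            self.remaining -= 1
            raise ThrottledError(retry_after=self.retry_after)
        return "42 rows"


def demo() -> Tuple[object, int, List[float]]:
    """Two throttles, then success; rng fixed at 1.0 makes delays deterministic."""
    sleeps: List[float] = []
    backend = FlakyBackend(throttle_count=2)
    result, attempts = call_with_retry(backend.query, sleep=sleeps.append, rng=lambda: 1.0)
    return result, attempts, sleeps


if __name__ == "__main__":
    print(demo())  # ('42 rows', 3, [0.5, 1.0])
```

    Current Azure SDKs ship their own retry policies for storage and SQL clients, so in practice the point is to make sure those policies are enabled and tuned rather than to hand-roll this loop; the snippet shows the behaviour a scan-generated traffic burst should trigger, including giving up cleanly once the retry budget is spent.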

All replies

  • Hi Curious George,

    I understand that your question is whether a PCI DSS vulnerability scan is compatible with the Azure environment.

    I am currently looking into this issue and will give you an update as soon as possible.
     
    Thank you for your understanding and support.


    Mog Liang
    Friday, January 7, 2011 9:02 AM
  • Thanks Bill. That is exactly the kind of response I was looking for and about what I was expecting. We are using SQL Azure so it will be interesting to see if we get throttled and how our app responds.

    Thank you for the well thought out response.

    Saturday, January 8, 2011 3:03 AM
  • Please note that you need to notify Windows Azure customer support if you intend to run vulnerability scanning or penetration testing on your application deployed to Windows Azure.  The process is simple and it is described on the Windows Azure Trust Center.

    Wednesday, November 21, 2012 1:11 AM
  • Please note that you need to notify Windows Azure customer support if you intend to run vulnerability scanning or penetration testing on your application deployed to Windows Azure.  The process is simple and it is described on the Windows Azure Trust Center.

    Are you sure of this?  We have automatic scans every 2 days on our Azure web site for PCI compliance and have had no issues.

    Looking at the Trust Center's pen test form, it looks like they're worried about DoS attacks and human pen testing.  The test that our PCI scan performs is done by Nessus and is just like a normal web client connecting to our web app.

    • Edited by jank__ Wednesday, November 21, 2012 3:26 AM more detail
    Wednesday, November 21, 2012 3:05 AM
  • jank__,

    If you don't mind sharing, what scanning software do you use?

    Thanks.

    Thursday, January 10, 2013 6:28 PM
  • No problem - we use Comodo's HackerGuardian PCI scanning product, which seems to use Nessus internally for its scans.
    Thursday, January 10, 2013 10:45 PM
  • DDoS attacks are not permitted.  For penetration testing conducted using Nessus or any other tool of your choice, you need to notify Windows Azure customer support and get their approval.
    Saturday, March 23, 2013 2:48 AM