In a penetration test, skilled security professionals simulate the behavior of a hacker to discover potentially exploitable vulnerabilities. Penetration testing is known to find a broad variety of vulnerabilities, including those resulting from coding errors, configuration flaws, or other deployment weaknesses.
To detect recently discovered or previously known vulnerabilities or weaknesses in the LMS365 platform, ELEARNINGFORCE uses different types of penetration testing techniques. In this article, we describe the penetration testing techniques employed by LMS365.
Dynamic Application Security Testing (DAST)
Veracode Dynamic Analysis (DAST) is used for automated penetration testing of the LMS365 application and underlying web applications during the Quality Assurance (QA) process.
This test helps find exploitable vulnerabilities at an early stage and enables us to address potential issues before updates are pushed into staging and later into production.
Third party penetration testing
Penetration testing for LMS365 is conducted at least annually by IFCR, an independent company based in Denmark.
The LMS365 penetration test is limited to the LMS365 application and should be read in conjunction with the penetration testing carried out by Microsoft on the Azure platform. Read more in "What is Microsoft 365 Certification?"
The third party penetration testing helps improve the LMS365 platform and guides actions in terms of improving security controls, introducing new security controls, and improving our security processes.
Executive Summary of the latest third party penetration test
Synopsis
It is our assessment that the LMS365 application is implemented with a high degree of security and that it does not contain any known vulnerabilities, which can be leveraged to gain access to customer data or backend systems.
As the LMS365 application is highly integrated with the Microsoft Office 365 and Azure platforms, several key security features, including the authentication and authorization scheme, are inherited from this platform. The focus of the test was thus limited to the non-Office 365 functionality available to the users of LMS365 to ensure maximum coverage of the LMS365 application and less on the standard Microsoft platform itself.
It should be noted that ELEARNINGFORCE was very responsive and observant during the test, which led to a better understanding of the setup and design choices. This also enabled a dialogue around some of the initial observations made during the test and whether these were in scope (LMS365) or out of scope (standard Microsoft functionality).
Key Findings
No high severity vulnerabilities were observed during the test.