Penetration Testing & Threat Modelling
Security Assessment for Integration Systems
Introduction
Security assessment through penetration testing and threat modelling is essential for identifying vulnerabilities in your integration architecture before attackers do. Azure integration systems expose APIs, process messages, and connect to multiple external systems—each point of integration is a potential attack vector. This guide covers how to systematically assess and improve the security posture of your integration workloads.
This comprehensive guide covers:
- Threat modelling — Identifying system risks
- Penetration testing — Simulating real attacks
- Azure integration testing — Service-specific testing
- Remediation — Fixing identified vulnerabilities
- Continuous security — Ongoing assessment
Threat Modelling
STRIDE Methodology
┌─────────────────────────────────────────────────────────────────────┐
│ STRIDE THREAT CATEGORIES │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ S - Spoofing │
│ ───────────── │
│ Pretending to be someone else │
│ Example: Stolen API keys, token reuse │
│ Mitigation: Strong authentication, MFA │
│ │
│ T - Tampering │
│ ───────────── │
│ Modifying data or code │
│ Example: Message injection, config modification │
│ Mitigation: Integrity checks, signed messages │
│ │
│ R - Repudiation │
│ ───────────── │
│ Denying actions occurred │
│ Example: No logs of sensitive operation │
│ Mitigation: Comprehensive logging, digital signatures │
│ │
│ I - Information Disclosure │
│ ────────────────────────── │
│ Exposing information to unauthorized parties │
│ Example: Verbose errors, data in transit │
│ Mitigation: Encryption, access control │
│ │
│ D - Denial of Service │
│ ────────────────────── │
│ Making system unavailable │
│ Example: Queue flooding, resource exhaustion │
│ Mitigation: Rate limiting, quotas, resilient architecture │
│ │
│ E - Elevation of Privilege │
│ ─────────────────────────── │
│ Gaining capabilities beyond authorized limits │
│ Example: Role escalation, admin access │
│ Mitigation: RBAC, least privilege │
│ │
└─────────────────────────────────────────────────────────────────────┘
Integration System Threat Model
{
"threatModel": {
"system": "Order Processing Integration",
"components": [
{
"name": "API Gateway",
"type": "Entry Point",
"threats": [
{"category": "Spoofing", "description": "API key theft"},
{"category": "DoS", "description": "Request flooding"},
{"category": "InfoDisclosure", "description": "Sensitive headers exposed"}
]
},
{
"name": "Azure Functions",
"type": "Processing",
"threats": [
{"category": "Tampering", "description": "Code injection"},
{"category": "Elevation", "description": "Privilege escalation via function"},
{"category": "Repudiation", "description": "No logging of operations"}
]
},
{
"name": "Service Bus",
"type": "Message Broker",
"threats": [
{"category": "Tampering", "description": "Message interception"},
{"category": "Spoofing", "description": "Unauthorized producer"},
{"category": "DoS", "description": "Queue exhaustion"}
]
}
]
}
}
Penetration Testing
Testing Scope
{
"penTestScope": {
"inScope": [
"api.company.com (API Management)",
"*.azurewebsites.net (Function Apps)",
"*.servicebus.windows.net (Service Bus)",
"Integration APIs and endpoints",
"Authentication mechanisms"
],
"outOfScope": [
"Physical security",
"Social engineering",
"DDoS from external sources",
"Third-party services (without authorization)"
],
"rules": [
"No destructive testing",
"No data exfiltration",
"Report immediately if customer data found",
"Stop if system becomes unstable"
]
}
}
Integration Attack Vectors
┌─────────────────────────────────────────────────────────────────────┐
│ ATTACK VECTORS FOR INTEGRATION │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ API MANAGEMENT │
│ ├── Bypass authentication │
│ ├── SQL injection in API parameters │
│ ├── Excessive data exposure │
│ ├── Rate limiting bypass │
│ ├── OAuth flow exploitation │
│ └── API key harvesting │
│ │
│ MESSAGE SYSTEMS (Service Bus, Event Hub) │
│ ├── Message injection │
│ ├── Queue/topic enumeration │
│ ├── Dead letter queue access │
│ ├── Subscription hijacking │
│ └── Consumer impersonation │
│ │
│ FUNCTIONS & LOGIC APPS │
│ ├── Code injection │
│ ├── Dependency exploitation │
│ ├── Managed identity abuse │
│ ├── Trigger manipulation │
│ └── Output binding exfiltration │
│ │
│ DATA STORES │
│ ├── Blob storage unauthenticated access │
│ ├── Cosmos DB query injection │
│ └── SQL injection via integration APIs │
│ │
└─────────────────────────────────────────────────────────────────────┘
Azure-Specific Testing
Service Bus Testing
# Enumerate queues (requires some access)
az servicebus queue list \
--namespace-name mynamespace
# Test message injection
# Using Service Bus Explorer or code:
python3 -c "
from azure.servicebus import ServiceBusClient
client = ServiceBusClient.from_connection_string('conn_string')
sender = client.get_queue_sender('test-queue')
msg = ServiceBusMessage('test<script>alert(1)</script>')
sender.send(msg)
"
# Check for sensitive data in messages
# Look for PII, credentials in queue messages
API Management Testing
# Test for authentication bypass
curl -X GET https://api.company.com/api/v1/orders -H "Authorization: Bearer invalid"
# Test for excessive data exposure
curl -X GET "https://api.company.com/api/v1/orders?$top=10000"
# Test for SQL injection
curl -X GET "https://api.company.com/api/v1/orders?id=' OR 1=1--"
# Test rate limiting
for i in {1..1000}; do curl -I https://api.company.com/api/v1/orders; done
# Test for verbose errors
curl -X POST https://api.company.com/api/v1/orders \
-H "Content-Type: application/json" \
-d '{"invalid": "data"}'
Function App Testing
# Test for command injection in query params
curl "https://function.azurewebsites.net/api/test?cmd=$(whoami)"
# Test managed identity token endpoint
curl -H "Metadata: true" \
"http://169.254.169.254/metadata/identity/oauth2/token?resource=https://vault.azure.net"
# Test for sensitive data exposure
curl "https://function.azurewebsites.net/api/config"
# Test for broken authentication
curl -X POST "https://function.azurewebsites.net/api/admin" \
--header "x-functions-key: invalid_key"
Remediation
Common Findings and Fixes
{
"findings": [
{
"severity": "Critical",
"title": "API Key Exposed in Source",
"description": "API key found in public repository",
"remediation": [
"Rotate exposed keys immediately",
"Use Azure Key Vault for secrets",
"Enable GitHub secret scanning",
"Implement pre-commit hooks"
]
},
{
"severity": "High",
"title": "No Rate Limiting on API",
"description": "API vulnerable to abuse",
"remediation": [
"Configure rate limiting in APIM",
"Implement quota policies",
"Add throttling rules"
]
},
{
"severity": "Medium",
"title": "Verbose Error Messages",
"description": "Detailed stack traces exposed",
"remediation": [
"Configure custom error pages",
"Enable application insights",
"Strip stack traces from responses"
]
}
]
}
Continuous Security
Security Testing Pipeline
name: Security Testing Pipeline
on:
push:
branches: [main, develop]
schedule:
- cron: '0 0 * * 0' # Weekly
jobs:
dependency-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run dependency check
run: |
npm audit --json > audit.json || true
- name: Upload results
uses: actions/upload-artifact@v3
with:
name: dependency-scan
path: audit.json
secret-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan for secrets
run: |
git-secrets --scan || true
dynamic-scan:
needs: dependency-scan
runs-on: ubuntu-latest
steps:
- name: OWASP ZAP Scan
uses: zaproxy/action-scan@master
with:
target: 'https://api.company.com'
report:
needs: [secret-scan, dynamic-scan]
runs-on: ubuntu-latest
steps:
- name: Generate security report
run: |
echo "# Security Scan Report" >> $GITHUB_STEP_SUMMARY
Best Practices
Testing Checklist
| Practice | Description |
|---|---|
| Regular testing | Quarterly minimum for production |
| Document scope | Clear boundaries and rules |
| Use multiple approaches | Combine automated and manual |
| Test external integrations | Partner APIs, webhooks |
| Simulate real attackers | Think like adversary |
| Remediate findings | Track and fix vulnerabilities |
Post-Assessment
┌─────────────────────────────────────────────────────────────────────┐
│ POST-ASSESSMENT ACTIONS │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ 1. Triage findings by severity │
│ 2. Create tickets for each finding │
│ 3. Implement fixes (prioritize critical) │
│ 4. Verify fixes with retesting │
│ 5. Update threat model │
│ 6. Share lessons learned with team │
│ 7. Schedule next assessment │
│ │
└─────────────────────────────────────────────────────────────────────┘
Related Topics
- Zero Trust Networking — Security architecture
- Defender for Cloud — Threat protection
- Compliance as Code — Policy enforcement
Azure Integration Hub - Architect Level Security Architecture & Zero Trust