We perform daily infrastructure vulnerability scans, covering, among others, local operating systems, networks, servers (e.g. web, app, database), and services (e.g. messaging, authentication).
We periodically (at least annually) have a renowned external third party perform security testing according to OWASP standards on our environments. Whenever we have a major change, we have them perform interim testing. Certain customers and partners require their own security testing, and we facilitate this. If you require your own security testing, we have a process in place and a specific "Security testing agreement"; you can ask your account manager to start this process.
We work according to Microsoft's Secure Development Lifecycle principles. Security testing is part of our Scrum Definition of Done (DoD), and our developers are periodically trained on the secure development lifecycle by the DevOps Institute. We use tooling such as PRTG, Application Insights, SonarCloud, CredScan and Roslyn analyzers to limit vulnerabilities as much as possible. Both the third-party testing and the tooling we use to analyze our code cover and work according to the OWASP Top Ten.