+

Run Vulnerability Assessment and Penetration Tests

If your company security policies require that you perform vulnerability and penetration testing against Anypoint Platform, request a Security Assessment before proceeding.

Request a Security Assessment

To request a Security Assessment:

  1. Navigate to https://security.secure.force.com/securityassessments.

  2. If you do not already have a Salesforce account, click Sign-in with SecureAssess.

  3. Select New User.

  4. Complete the request form with the details you want to register. For further information about completing the request form, see Complete the Security Assessment.

  5. Accept the agreement and wait for automated approval.

  6. If you do not receive the approval notice, check your Spam folder before contacting Salesforce.

    After you are approved, you can log in to the portal and submit your pen test request.

If you prefer, you can request approval manually by submitting your completed Security Assessment Request to securityassessment@salesforce.com.

Run Penetration and Vulnerability Tests

Because penetration testing could interfere with other tenants, MuleSoft allows penetration testing on your workers but not on other Anypoint Platform services.

Salesforce does not address any vulnerabilities found with custom development. You must validate and fix any findings with your custom development.

Prerequisites

Before initiating penetration testing:

  • Enable static IPs for the app.

    By default, CloudHub workers do not use static IP addresses, so you can’t test them because their IP addresses might change. For information about how to enable static IPs, see Static IPs Tab Settings.

  • Assign a security resource at your company to review and validate findings from the tests.

Steps

After your Security Assessment request is approved, follow these steps:

  1. Run the penetration tests.

    The Security Assessment Agreement includes restrictions and requirements for testing.

  2. Have your security resource use the following documents to identify common false positives or security issues related to settings:

    You must complete this step before following up with Salesforce.
  3. Send any outstanding security vulnerability findings to security@salesforce.com.

    Include the following information in your email:

    • Confirmation number for your Security Assessment approved by Salesforce

    • Summary of all findings and associated severity level of each finding

    • Detailed assessment report noting each finding

    • Steps to reproduce the vulnerability

    • All applicable HTTP requests and responses

    • Explanation of why the example is considered a finding

Reporting Security Vulnerabilities

To report security vulnerability findings, follow the Security Vulnerability Finding Submittal Guide. Security vulnerability reports that do not follow the required steps will be rejected.

Salesforce does not address any security vulnerabilities in the following categories:

  • Scan output from automated vulnerability scanning tools without any valid proof of concept

  • Security bugs without valid proof of concept

  • Vulnerabilities identified in old or deprecated versions of Mule runtime engine

  • Vulnerabilities introduced via code customization made by your company

  • Known security issues that do not pose any risk

Was this article helpful? Thanks for your feedback!
View on GitHub