
Penetration Testing Policies


If you deploy applications to Runtime Manager or APIs on API Manager and your company’s security policies require that you run penetration testing on them, you can do so under the conditions described here. Because such tests can interfere with other tenants, penetration testing is allowed only on your own workers. It is not allowed for any other services in the Anypoint Platform.

External vulnerability scans, via an Approved Scanning Vendor (ASV), as described in section 11.2.2 of the PCI standard, may be performed at will and do not require prior approval. Penetration testing, as described by section 11.3.1 of the PCI standard, does require prior approval from MuleSoft.

CloudHub Workers, by default, do not use static IPs and cannot be properly tested as their IPs may change. Please enable static IPs, as described in Static IPs.

To perform such testing, you must provide a written request 5 business days in advance to along with:

  • Start and end time of testing.

  • Hosts to include in the test.

  • Source IP address or range.

  • Contact information, including a phone number and email, for the individual or team conducting the test.

  • You agree to only audit CloudHub workers, and not audit any other platform services which are common to all tenants.

  • You agree not to audit shared workers.

  • Send an email to upon start and completion of tests.

  • Notify of any vulnerabilities found immediately.

  • You may only audit once a quarter.

After you submit your request, you receive a written authorization from the MuleSoft team, at which point you can proceed with testing according to your proposed plan.
