Nav

Penetration Testing Policies

logo cloud active logo hybrid disabled logo server disabled logo pcf disabled

If you are deploying applications to Runtime Manager or APIs on API Manager and your company’s security policies require that you run penetration testing on them, there is a way for you to run these. Given that such tests can interfere with other tenants, penetration testing is only allowed on your own workers. It is not allowed for any other services in the Anypoint Platform.

External vulnerability scans, via an Approved Scanning Vendor (ASV), as described in section 11.2.2 of the PCI standard may be performed at will and do not require prior approval. Penetration testing as described by section 11.3.1 of the PCI standard does require prior approval from MuleSoft.

CloudHub Workers, by default, do not use static IPs and cannot be properly tested as their IPs may change. Please enable static IPs, as described in Deploying to CloudHub.

To perform such testing, you must provide a written request 5 business days in advance to security@mulesoft.com along with:

  • Start and end time of testing.

  • Hosts to include in the test.

  • Source IP address or range.

  • Contact information, including a phone number and email, for the individual or team conducting the test.

  • You agree to only audit CloudHub workers, and not audit any other platform services which are common to all tenants.

  • You agree not to audit shared workers.

  • Send an email to security@mulesoft.com upon start and completion of tests.

  • Notify security@mulesoft.com of any vulnerabilities found immediately.

  • You may only audit once a quarter.

After you submit your request, you receive a written authorization from of the MuleSoft team, at which point you may proceed with testing according to your proposed plan.

In this topic: