Penetration Test Policy

We have some standard rules that we ask all customers to adhere to when running pen tests.

Please be aware that the environment is a production one shared with other customers. We therefore ask that your testing activities do not include:

  • anything destructive in intent:
    • no form of denial of service
    • no tests designed to destroy data or the site
  • stress testing, such as DDoS simulations
  • social engineering or similar attacks
  • sharing system login credentials
  • accessing unnecessary, excessive or significant amounts of data
  • high-intensity, invasive or destructive scanning tools to find vulnerabilities
  • modifying data in the organisation's systems or services
  • publicly disclosing the results of the test

Customers are also required to provide VerseOne with the following information before testing starts:

  • a VerseOne support request, raised with a minimum of 1 week's notice before activities begin
  • start AND end date/time (specify whether testing runs during normal working hours OR 24x7)
  • the website and intranet URLs in scope for testing
  • the source IP address(es) of the penetration testing platform
    • We reserve the right to block these IPs if the environment becomes unstable
  • a contact person and method for any emergency communication, if different from the ticket requestor

VerseOne will keep the support ticket raised by the customer open until the vulnerability scan or penetration test has completed, so that either side can request action or intervention during execution, and will close it afterwards.

Should you need to share penetration test report findings with VerseOne, please use the Submit Penetration Test Report Form to upload the results.

Once the report has been uploaded, you will be assigned a reference number and a new support ticket is generated, which we will follow up for any related mitigation activities.

As far as VerseOne is concerned, your Comms Teams can continue to update their content via the VerseOne DXP application during the penetration test.

Kindly note that:

  • data in transit is encrypted with SSL/TLS (cipher suites using SHA-256);
  • data at rest is encrypted using Microsoft Azure's AES-256 cipher, managed by a FIPS 140-2 validated cryptographic module;
  • data is not emailed at any point;
  • data is only accessible by authorised VerseOne technicians;
  • as a general rule, there is no IP whitelist in place for our customers' public websites (IPs or network ranges identified as active denial-of-service attackers are blacklisted);
  • we ask for the IP addresses of penetration testing organisations so that we can be aware of, and monitor, any unusual activity on our network, e.g. destructive tests or traffic that trips our rate-limiting systems;
  • VerseOne maintains a shared Managed Cloud Services environment with a number of defences at the boundary (load balancer and paired Web Application Firewalls (WAF)), so we will not remove or loosen our WAF defences to accommodate penetration tests. Expect WAF blocks and rate limiting to appear in your results, and distinguish them from application findings when reporting.

Other notes

VerseOne has a penetration test of the VerseOne DXP Admin Panel carried out each year (around May / June by default) by an external, independent CREST-accredited third party. Any vulnerabilities flagged are patched as part of the normal release cycle.

As such, we recommend that customers include only the VerseOne DXP Admin Panel login page within the scope of their penetration tests, and focus their main resources on comprehensive testing of their front-end sites (websites, intranets, etc.).

SQL injection attacks are welcome, but must not include statements that are deliberately destructive. This stacked query only reads data, so it is allowed:

http://someurl/?id=123;select * from users;

… whereas this one deletes data, so it is not:

http://someurl/?id=123;delete from users;

The same applies to any other statement that modifies data or schema (UPDATE, INSERT, DROP, TRUNCATE and so on), in line with the rule above against modifying data in the organisation's systems.
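The rule is easy to state but easy to break by accident when a tester fires a large payload wordlist at the site. The pre-flight filter below is an added example, not code from this page or from VerseOne: it classifies each payload value as read-only, mutating, or needing manual review before it is sent, so a wordlist can be pruned to probes that only read data. The keyword list, the comment handling (including MySQL's executable `/*! ... */` comments), the `classify`/`classify_url`/`filter_wordlist` helpers and the sample payloads are all assumptions made for this illustration; it is a conservative screen, not a SQL parser.

```python
"""Pre-flight filter for SQL injection payloads under a non-destructive test policy.

Added example (not code from the VerseOne page or product): classifies each
candidate payload as read-only, mutating, or needing manual review before it
is sent, so a wordlist can be pruned to probes that only read data.  The
keyword list, the comment handling and the sample payloads are assumptions
made for this illustration, not a complete SQL parser.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Leading keywords of statements that change data, schema, privileges or the server.
MUTATING = {
    "delete", "update", "insert", "replace", "merge", "drop", "truncate",
    "alter", "create", "rename", "grant", "revoke", "shutdown", "load",
    "exec", "execute", "call",
}
# SELECT ... INTO OUTFILE / DUMPFILE writes to the server's file system.
FILE_WRITE = re.compile(r"\binto\s+(outfile|dumpfile)\b", re.IGNORECASE)
# MySQL executes the body of /*! ... */ "versioned" comments, so they are
# unwrapped rather than stripped; ordinary comments are removed.
VERSIONED = re.compile(r"/\*!\d*\s*(.*?)\*/", re.DOTALL)
COMMENT = re.compile(r"/\*.*?\*/|--[^\n]*|#[^\n]*", re.DOTALL)
WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
SEVERITY = {"read-only": 0, "review": 1, "mutating": 2}


def normalise(payload):
    """Decode the payload as the server would see it in a query string, then
    unwrap versioned comments and drop ordinary ones."""
    text = unquote_plus(payload)
    text = VERSIONED.sub(r"\1", text)
    return COMMENT.sub(" ", text)


def statements(text):
    """Split into stacked statements.  The first one is the tail of the
    application's own query (the '123' in '123;select * from users')."""
    return [s.strip() for s in text.split(";") if s.strip()]


def leading_keyword(statement):
    """First SQL word of a statement, skipping the quote or bracket that
    closes the application's literal, e.g. the "')" in "') ; delete ..."."""
    match = WORD.search(statement.lstrip("'\")( \t"))
    return match.group(0).lower() if match else ""


def classify(payload):
    """Return 'read-only', 'mutating' or 'review' for one payload value."""
    text = normalise(payload)
    if FILE_WRITE.search(text):
        return "mutating"
    if any(leading_keyword(s) in MUTATING for s in statements(text)):
        return "mutating"
    # A mutating keyword that does not lead a statement may be harmless (a
    # string literal, a column called "update") or may be a data-modifying
    # CTE such as "with x as (delete from t returning *) select * from x";
    # hand those to a human instead of guessing.
    words = {w.lower() for w in WORD.findall(text)}
    return "review" if words & MUTATING else "read-only"


def classify_url(url):
    """Classify every query-string value of a probe URL; the worst verdict wins.
    The query is split by hand because parse_qs treated ';' as a separator in
    older Python versions, which would hide the stacked statement."""
    verdict = "read-only"
    for pair in urlsplit(url).query.split("&"):
        if pair:
            this = classify(pair.partition("=")[2])
            if SEVERITY[this] > SEVERITY[verdict]:
                verdict = this
    return verdict


def filter_wordlist(payloads):
    """Return (allowed, rejected, needs_review) for a list of payload values."""
    buckets = {"read-only": [], "mutating": [], "review": []}
    for payload in payloads:
        buckets[classify(payload)].append(payload)
    return buckets["read-only"], buckets["mutating"], buckets["review"]


# Constructed sample wordlist for the demonstration.
SAMPLE_PAYLOADS = [
    "123;select * from users;",                              # page's allowed probe
    "123;delete from users;",                                # page's disallowed probe
    "123%3B%20DROP%20TABLE%20users--",                       # URL-encoded, comment tail
    "1 union select username, password from users-- ",      # reads only
    "') ; /*!50000 update */ users set role='admin' -- ",    # hidden in a versioned comment
    "1; select 'delete' from dual",                          # keyword in a string literal
    "1 and (select count(*) from users) > 0",                # blind probe, reads only
]

if __name__ == "__main__":
    allowed, rejected, review = filter_wordlist(SAMPLE_PAYLOADS)
    for label, group in (("allowed", allowed), ("rejected", rejected), ("review", review)):
        print(label)
        for p in group:
            print("   ", p)
```

Run it over your wordlist before the test window opens and send only the "allowed" bucket; anything in "review" is worth a glance by a human, since the filter deliberately errs on the side of flagging (a column named `update` will land there, as will a data-modifying CTE). Note that it screens only the payloads you intend to send; it cannot vouch for what a tool generates on the fly.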

Once your penetration test has been conducted, you can use the Submit Penetration Test Report Form to upload the results.