Acquia is responsible for managing the security architecture for the operating system and LAMP (Linux, Apache, MySQL, PHP) stack layers. The Acquia security team is responsible for reviewing, identifying, and categorizing reported vulnerabilities related to the Acquia platform. Acquia is not responsible for web application vulnerability scans and does not offer web application vulnerability scans to subscribers as a service.
Customer-initiated vulnerability scans
Acquia allows vulnerability assessments (penetration testing) initiated by the subscriber and at the subscribers’s expense. Subscriber vulnerability scans may be run only against the environment the subscriber owns to prevent the scan from impacting other subscribers’ applications. If your testing includes elevated traffic levels, you must use dedicated and not shared infrastructure, such as load balancers. It might be possible to deploy dedicated infrastructure temporarily for a vulnerability assessment.
Before the scans, Acquia requires the following information:
- Five business days of notice
- The source IP addresses of the vulnerability scanner
- Peak bandwidth in Gigabits per second (Gbps)
- Date and time of the vulnerability scan, preferably in UTC
To start this process, create a Support ticket. Acquia’s monitoring may generate critical alerts if certain met conditions simulate a brute-force attack, port scanning, or a similar penetration testing technique. In that case, the Cloud Platform interface may treat the test as a presumed attack and block it. For more information, see Load testing on Cloud Platform.
Acquia does not grant subscriber access to run operating system level scans, either credentialed or non-credentialed. Subscribers can confirm Acquia is running periodic operating system level scans and mitigating any noted issues by reviewing Acquia’s third party audit reports, including SOC 1 and SOC 2.
As described in Drupal security, Acquia also offers an architecture-focused security audit service for Drupal as a professional service engagement.
If you have a question about your vulnerability scan results, create a Support ticket and include information about your testing package and CVE number(s) in the ticket.