Information for: DEVELOPERS   PARTNERS

Vulnerability scans

Acquia is responsible for managing the security architecture for the operating system and LAMP (Linux, Apache, MySQL, PHP) stack layers. The Acquia security team is responsible for reviewing, identifying, and categorizing reported vulnerabilities related to the Acquia platform. Acquia is not responsible for web application vulnerability scans and does not currently offer web application vulnerability scans to subscribers as a service.

Customer-initiated vulnerability scans

Important

Penetration testing requires dedicated hardware if your testing includes elevated traffic levels. This prevents potential outages for applications sharing the server that is undergoing testing.

Acquia allows vulnerability assessments (penetration testing) initiated by the subscriber and at the subscribers’s expense. Customer vulnerability scans may be run only against the environment that the subscriber owns to prevent the scan from impacting other subscribers’ applications. If your testing includes elevated traffic levels, you must use dedicated, not shared, hardware (such as load balancers). It may be possible to deploy dedicated hardware temporarily for the purpose of a vulnerability assessment.

Before the scans, Acquia requires the following information:

  • Five business days of notice
  • The source IP addresses of the vulnerability scanner
  • Peak bandwidth in Gigabits per second (Gbps)

Note

Amazon does not require or grant approval in advance of penetration testing.

To start this process, contact Acquia Support. Acquia’s monitoring may generate critical alerts if certain met conditions simulate a brute-force attack, port scanning, or a similar penetration testing technique. In that case, the Acquia Cloud platform may treat the test as a presumed attack and block it. For more information, see Load and stress testing.

Acquia does not grant subscriber access to run operating system level scans, either credentialed or non-credentialed. Subscribers can validate that Acquia is running periodic operating system level scans and mitigating any noted issues by reviewing Acquia’s third party audit reports, including SOC 1 and SOC 2.

As described in Drupal security, Acquia also offers an architecture-focused security audit service for Drupal as a professional service engagement.

If you have a question about your vulnerability scan results, contact Acquia support and include information about your testing package and CVE number(s) in the ticket.