Running a Security Audit (aka Vulnerability Scan or Penetration Test) or Performance Test Against the SaaS API Management Product Suite

Document ID : KB000012933
Last Modified Date : 14/02/2018
Introduction:

Customers may have a requirement or desire to run a security audit or performance test against the SaaS API Management product suite, including SaaS Gateway nodes and SaaS Portal nodes.

Question:

What action is required before running a security audit or performance test against the SaaS API Management product suite? How can one be performed?

Environment:
This affects all SaaS-related products, including the SaaS API Gateway and SaaS API Portal.
Answer:
We no longer allow any penetration testing in our production environment. See also
https://www.ca.com/content/dam/ca/us/files/service-offering/saas-listing-for-ca-api-management.pdf
under "Usage Restrictions and Limitations".
Our SaaS Security Teams perform "periodic" penetration testing of our environments so that we can meet SOC2 Type2 compliance, etc., and we can provide these reports to you if you need this type of information.
This is the actual contractually obligated requirement, so attempting any willfully destructive action against an environment, including attempting to gain unauthorized access (the definition of pen testing), is considered a breach of a material item of our contract.

To request a solution audit report please visit
https://www.ca.com/us/why-ca/saas/compliance-audit-reports.html
Additional Information: