From be8e825e24f93826b78d88ea2aad97976ab3048f Mon Sep 17 00:00:00 2001 From: Peter Burkholder Date: Thu, 21 Nov 2024 17:00:34 -0500 Subject: [PATCH 1/3] Add load testing, and generally improve --- _docs/compliance/pentest.md | 42 ++++++++++++++++++++++++++----------- 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/_docs/compliance/pentest.md b/_docs/compliance/pentest.md index 51fa695d7..bb4be6987 100644 --- a/_docs/compliance/pentest.md +++ b/_docs/compliance/pentest.md 
@@ -5,33 +5,50 @@ sidenav: true title: Penetration and load test notification --- -If you, or a third party acting on your behalf, plan to perform a penetration test or significant load testing on your cloud.gov Platform applications, or cloud.gov Pages sites, please send the following information to [cloud.gov support]({{ site.baseurl }}/docs/help/) ahead of your planned test: +If you, or an authorized third party, plan to perform a penetration test or load test of your system on Cloud.gov, please send the following to [cloud.gov support]({{ site.baseurl }}/docs/help/): ```text -* Web applications or website under test: Examples would include: +* System under test: + (Examples would include: _webapp_.agency.gov or _webapp_.app.cloud.gov - _site_.agency.gov or preview_url.pages.cloud.gov + _site_.agency.gov or preview_url.pages.cloud.gov) * Testing organization and contact/liaison information: * Source IPs or IP ranges (for testers and their tools): * Expected start date, (or "starting immediately"): * Expected end date: +* Expected maximum load requests per minute (for load testing only): * Acknowledgement that you are abiding by the terms at https://cloud.gov/docs/compliance/pentest/ ``` -This notification is only necessary for in-depth security testing or significant load-testing, which is a common step in agency ATO processes for customer systems and in the software development lifecycle. You don't need an approval, and cloud.gov doesn't provide approvals. Simply sending the notification is sufficient. You can always run routine automated vulnerability scans on your own applications without special notification. - -When arranging a security assessment or penetration test, the system under test is one of: +The "system under test" is one of: * cloud.gov Platform: _your_ application at _application-name_.app.cloud.gov, or your external domain (e.g. 
https://agency.gov) * cloud.gov Pages: _your_ website at your preview URL (at `sites.pages.cloud.gov`), or your external domain (e.g. `_site_.agency.gov`) -For cloud.gov Platform systems, you can also conduct testing of: +"Maximum load" must be limited to maximum reasonably expected load, e.g., +"What might we expect the hour before filing deadline?" or "What if 'major pop star' +links to us and 5% of her followers click through?"[^1]. + +You don't need an approval, and cloud.gov doesn't provide approvals. Simply sending the notification is sufficient. + +You can always run routine automated vulnerability scans on your own applications without special notification. + +## Testing considerations + +**Pentesting**: When testing cloud.gov Platform systems, you can also conduct testing of: * Your application instance via `cf ssh` * Your [brokered services]( {{ site.baseurl }}/docs/services/intro/) either directly or via `cf ssh` or `ssh` proxy. +**Infrastructure changes**: We do NOT make infrastructure changes to accommodate any tests, since you're to test under realistic conditions. Load testing from a single IP instance will likely be rate-limited, and not reflect performance under realistic conditions. + +## Exclusions + +All cloud.gov products are under regular testing by our team, and by third-party assessors, as part of our Continuous Monitoring plan. FedRAMP® [makes the results available]({{ site.baseurl }}/docs/overview/fedramp-tracker/#start-the-ato-process) to authorized users. +**Additional testing by your team is not warranted nor authorized.** + You are not permitted to attempt any scanning or reconnaissance from your instances or brokered services. -You are not permitted to test the cloud.gov infrastructure, which comprises +You are not permitted to test the Cloud.gov infrastructure, which comprises the following sites and web applications: ```text 
@@ -41,10 +58,11 @@ the following sites and web applications: https://*.fr.cloud.gov ``` -(If you have a legacy application in the `.fr.cloud.gov` subdomain, please contact [support]( {{ site.baseur }}/contact/#support-for-people-who-use-cloudgov).) - Your assessment must not target other cloud.gov customers, nor perform or simulate denial of service attacks or otherwise violate the [Amazon AWS testing policy](https://aws.amazon.com/security/penetration-testing/). -If you suspect that you have uncovered a vulnerability in any of cloud.gov's products, please reference our [security.txt](https://cloud.gov/.well-known/security.txt) +## Notifications -All cloud.gov products are under regular testing by our team, and by third-party assessors, as part of our Continuous Monitoring plan. FedRAMP® [makes the results available]({{ site.baseurl }}/docs/overview/fedramp-tracker/#start-the-ato-process) to authorized users. +If you suspect that you have uncovered a vulnerability in any of Cloud.gov's products, please reference our [security.txt](https://cloud.gov/.well-known/security.txt) + + +[^1]: This has happened with Cloud.gov applications, and it was fine. Tip: use [our CDN service]({{ site.base_url }}/docs/services/external-domain-service/#domain-with-cdn-plan). From e2bf1437d37c894fd34465f43f59aca15432ec98 Mon Sep 17 00:00:00 2001 From: Peter Burkholder Date: Thu, 21 Nov 2024 17:10:54 -0500 Subject: [PATCH 2/3] Remove liaison, fix capital Cs --- _docs/compliance/pentest.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/_docs/compliance/pentest.md b/_docs/compliance/pentest.md index bb4be6987..0001c2886 100644 --- a/_docs/compliance/pentest.md +++ b/_docs/compliance/pentest.md 
@@ -5,14 +5,14 @@ sidenav: true title: Penetration and load test notification --- -If you, or an authorized third party, plan to perform a penetration test or load test of your system on Cloud.gov, please send the following to [cloud.gov support]({{ site.baseurl }}/docs/help/): +If you, or an authorized third party, plan to perform a penetration test or load test of your system on Cloud.gov, please send the following to [Cloud.gov support]({{ site.baseurl }}/docs/help/): ```text * System under test: (Examples would include: _webapp_.agency.gov or _webapp_.app.cloud.gov _site_.agency.gov or preview_url.pages.cloud.gov) -* Testing organization and contact/liaison information: +* Testing organization and contact information: * Source IPs or IP ranges (for testers and their tools): * Expected start date, (or "starting immediately"): * Expected end date: 
@@ -22,20 +22,20 @@ If you, or an authorized third party, plan to perform a penetration test or load The "system under test" is one of: -* cloud.gov Platform: _your_ application at _application-name_.app.cloud.gov, or your external domain (e.g. https://agency.gov) -* cloud.gov Pages: _your_ website at your preview URL (at `sites.pages.cloud.gov`), or your external domain (e.g. `_site_.agency.gov`) +* Cloud.gov Platform: _your_ application at _application-name_.app.cloud.gov, or your external domain (e.g. https://agency.gov) +* Cloud.gov Pages: _your_ website at your preview URL (at `sites.pages.cloud.gov`), or your external domain (e.g. `_site_.agency.gov`) "Maximum load" must be limited to maximum reasonably expected load, e.g., "What might we expect the hour before filing deadline?" or "What if 'major pop star' links to us and 5% of her followers click through?"[^1]. -You don't need an approval, and cloud.gov doesn't provide approvals. Simply sending the notification is sufficient. +You don't need an approval, and Cloud.gov doesn't provide approvals. Simply sending the notification is sufficient. You can always run routine automated vulnerability scans on your own applications without special notification. ## Testing considerations -**Pentesting**: When testing cloud.gov Platform systems, you can also conduct testing of: +**Pentesting**: When testing Cloud.gov Platform systems, you can also conduct testing of: * Your application instance via `cf ssh` * Your [brokered services]( {{ site.baseurl }}/docs/services/intro/) either directly or via `cf ssh` or `ssh` proxy. 
@@ -43,7 +43,7 @@ You can always run routine automated vulnerability scans on your own application ## Exclusions -All cloud.gov products are under regular testing by our team, and by third-party assessors, as part of our Continuous Monitoring plan. FedRAMP® [makes the results available]({{ site.baseurl }}/docs/overview/fedramp-tracker/#start-the-ato-process) to authorized users. +All Cloud.gov products are under regular testing by our team, and by third-party assessors, as part of our Continuous Monitoring plan. FedRAMP® [makes the results available]({{ site.baseurl }}/docs/overview/fedramp-tracker/#start-the-ato-process) to authorized users. **Additional testing by your team is not warranted nor authorized.** You are not permitted to attempt any scanning or reconnaissance from your instances or brokered services. @@ -58,7 +58,7 @@ the following sites and web applications: https://*.fr.cloud.gov ``` -Your assessment must not target other cloud.gov customers, nor perform or simulate denial of service attacks or otherwise violate the [Amazon AWS testing policy](https://aws.amazon.com/security/penetration-testing/). +Your assessment must not target other Cloud.gov customers, nor perform or simulate denial of service attacks or otherwise violate the [Amazon AWS testing policy](https://aws.amazon.com/security/penetration-testing/). ## Notifications From 887bcbf38a7887c7fc78d020961807790f84a4ef Mon Sep 17 00:00:00 2001 From: Peter Burkholder Date: Mon, 3 Feb 2025 17:01:49 -0500 Subject: [PATCH 3/3] Fix scenarios to be more generic --- _docs/compliance/pentest.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/_docs/compliance/pentest.md b/_docs/compliance/pentest.md index 0001c2886..d16be4b28 100644 --- a/_docs/compliance/pentest.md +++ b/_docs/compliance/pentest.md 
@@ -25,9 +25,9 @@ The "system under test" is one of: * Cloud.gov Platform: _your_ application at _application-name_.app.cloud.gov, or your external domain (e.g. https://agency.gov) * Cloud.gov Pages: _your_ website at your preview URL (at `sites.pages.cloud.gov`), or your external domain (e.g. `_site_.agency.gov`) -"Maximum load" must be limited to maximum reasonably expected load, e.g., -"What might we expect the hour before filing deadline?" or "What if 'major pop star' -links to us and 5% of her followers click through?"[^1]. +"Maximum load" must be limited to maximum reasonably expected load, e.g., +"What might we expect the hour before filing deadline?" or "What if +we trend on social media after we launch?" You don't need an approval, and Cloud.gov doesn't provide approvals. Simply sending the notification is sufficient. @@ -62,7 +62,4 @@ Your assessment must not target other Cloud.gov customers, nor perform or simula ## Notifications -If you suspect that you have uncovered a vulnerability in any of Cloud.gov's products, please reference our [security.txt](https://cloud.gov/.well-known/security.txt) - - -[^1]: This has happened with Cloud.gov applications, and it was fine. Tip: use [our CDN service]({{ site.base_url }}/docs/services/external-domain-service/#domain-with-cdn-plan). +If you suspect that you have uncovered a vulnerability in any of Cloud.gov's products, please reference our [security.txt](https://cloud.gov/.well-known/security.txt) \ No newline at end of file
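Review bot: In PATCH 1/3, hunk `@@ -5,33 +5,50 @@`, the new bolded line `**Additional testing by your team is not warranted nor authorized.**` reads as a blanket prohibition that contradicts the rest of the page, which exists so customers can test their own systems; it is also appended directly under the FedRAMP sentence with no blank line, so Markdown folds it into that paragraph. Suggest a blank line and scoped wording, e.g. `**Additional testing of Cloud.gov's own products and infrastructure by your team is neither warranted nor authorized.**` The example list in the `text` block still gives `preview_url.pages.cloud.gov` as a Pages example while the bullet below says preview URLs live at `sites.pages.cloud.gov`; pick one so testers declare the right hostname. Minor: `* Expected start date, (or "starting immediately"):` has a stray comma before the parenthesis.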
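Review bot: In PATCH 1/3, hunk `@@ -41,10 +58,11 @@`, the new footnote uses `{{ site.base_url }}` while every other link in the file uses `{{ site.baseurl }}`, so the CDN tip link will render with an empty prefix; change it to `{{ site.baseurl }}`. The hunk also deletes the sentence pointing legacy `.fr.cloud.gov` applications at support without the commit message saying why; if the intent was only to drop the misspelled `{{ site.baseur }}` link, keep the guidance and fix the variable instead. Now that the page covers load testing, the unchanged context line forbidding tests that `perform or simulate denial of service attacks` sits next to a section inviting load tests; one sentence stating that a load test within the declared maximum requests per minute is not treated as denial of service, and that exceeding it is, would remove the ambiguity. The new `## Notifications` heading introduces a paragraph about reporting vulnerabilities via `security.txt`; a heading such as `## Reporting a vulnerability` would describe it better.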
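Review bot: In PATCH 2/3, hunk `@@ -5,14 +5,14 @@`, the context line `* Source IPs or IP ranges (for testers and their tools):` should state that every load generator must be listed, since the page elsewhere warns that load from a single IP will likely be rate-limited and the declared sources are what lets operations distinguish the announced test from an attack. While `* Testing organization and contact information:` is being reworded, consider asking for a contact reachable for the duration of the test so the test can be stopped if it causes impact.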
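Review bot: In PATCH 3/3, hunk `@@ -25,9 +25,9 @@`, the first removed and added lines are identical as printed (`"Maximum load" must be limited to maximum reasonably expected load, e.g.,`), so that line is a whitespace-only change; fine if trailing whitespace was stripped on purpose, otherwise it only adds noise to blame. After the `[^1]` reference is dropped, the rewritten sentence ends at `we trend on social media after we launch?"` with no closing period; add one.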
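Review bot: In PATCH 3/3, hunk `@@ -62,7 +62,4 @@`, removing footnote `[^1]` also drops the only mention of the CDN service as the mitigation for traffic spikes; consider keeping that tip as a sentence under `## Testing considerations` (with `{{ site.baseurl }}`), since it is the practical answer to the "trend on social media" scenario the same patch introduces. The replacement line lacks a trailing newline (`\ No newline at end of file`) and the sentence still has no closing period; add both.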