Question
- What is F5 Silverline's Policy on Pen-testing?
- Application Scanning?
- Load Test?
Environment
- Silverline WAF
- Proxy/Proxies
- WAF Policy
Answer
Contractual Provisions:
This policy document augments the posted F5 Silverline Acceptable Use Policy (AUP), located as document 49604758 via https://my.f5.com/manage/s/article/K49604758
The intent of the AUP is to prevent customers from performing actions which may interfere with the stability of Silverline services, security compliance of Silverline services, or adherence to applicable law by F5 Networks (F5).
Given the nature of the services provided by F5 via the Silverline managed services, it is understood that specific clarifications of the AUP are required for customers to assess the efficacy of the provided security services. This document is intended to provide additional clarification and processes for customers to test Silverline security services.
Acceptable Testing:
Customers may initiate and perform, at their own effort and expense, the following Silverline security service testing:
- Application Penetration Testing of the applications configured for Web Application Firewall protection by F5 Silverline services as identified by the IP address or DNS name configured within the Silverline customer portal
Unacceptable Testing:
Customers may not perform Application Penetration/Load Testing against any F5 managed IP address or application outside of the scope of those configured for their customer account.
For the avoidance of doubt, this includes the F5 Silverline IP address space not allocated or provisioned for the customer and the Silverline customer web-portal.
Notification Procedure:
Any scheduled testing to be performed by the customer will be conveyed via electronic mail to support@f5silverline.com with at least seven (7) days’ prior notice to F5 Silverline support.
The notice must include the following:
- Nature of testing to be performed
- Target Endpoint(s) of the test, e.g. IP address, IP subnet, application FQDN.
- Time and duration of the test
- Expected traffic volume, in:
  - HTTP Req/s for testing or DDoS simulation against HTTP(s) endpoints
  - Network Mbps for testing or DDoS simulation against L3/L4 endpoints or subnets
Notification Acceptance:
F5 reserves the right to request that any customer-initiated testing schedule be adjusted to accommodate F5 scheduled changes, maintenance, or other planned or unplanned activities. F5 will take reasonable effort to communicate the request to modify scheduled testing to the customer as soon as possible. F5 will work in good faith with the customer to adjust the scope of the testing if F5 determines that excessive risk will be applied to the Silverline services during testing.
Testing Completion Notification:
The Customer will notify F5 Silverline via electronic mail or phone call when customer-initiated testing has completed.
Testing Publication:
In the interest of improving the delivered services to F5 customers, F5 requests that Customers share the results of any testing with F5. F5 prohibits any customer from publishing the results of any testing as per AUP 1.2(v).