Customer security testing requests

Customer-requested testing of Edge Cloud

Apigee allows and even encourages customers to scan or test their own endpoints in Apigee Edge Cloud. We ask for notification of the scan only so that we are aware of it if the scanning causes an issue for your services. To notify Apigee of your planned testing, open a support ticket at least 1 business day before the start of testing and provide the following details:

  • Date of tests (start date and projected end date including time zone)
  • Name of person/company performing the testing
  • Contact info for person performing the testing
  • Source IP addresses of the testing
  • Target/Destination IPs and names of the systems being tested (API endpoint names)

Testing is specifically not prohibited in customer agreements. Approval emails will not be sent, nor will authorization letters be signed, because there is no prohibition against customers testing their own endpoints and configurations in Edge Cloud.

We do ask that individual customers not scan the shared services, such as the Management UI and APIs; customer agreements also prohibit this. To cover the shared services, we provide our third-party application and penetration testing reports on request.

Our third-party testing occurs at least annually, and each year we make a minimally redacted version of the report available to any customer who requests it. Existing customers can request these reports by opening a support ticket; new customers can contact their salesperson. The reports are shared under the NDA already in place with customers and prospects.

If customers find vulnerabilities during their testing that they believe are caused by the Apigee Edge platform itself, we ask them to submit this information to Apigee using the Reporting vulnerabilities in Edge process.

Google Scanning of Edge Public Cloud

Apigee scans the Apigee Edge public cloud weekly. However, these scans are for internal purposes and not shared with customers. The Google scans look at publicly exposed endpoints and the internal infrastructure. These scans are looking for missing patches, vulnerabilities, misconfigured hosts, poor TLS configurations, and so on. They are part of the Google commitment to "secure the platform."

If a scan identified something directly related to a customer that was obviously misconfigured, we would notify the customer. But because customers use both clear-text and TLS configurations, and because some customers use Edge for public data while others use it for PCI, healthcare, or other PII data, we are not in a position to determine what is appropriate for every customer.

Customers may not treat these Google scans as fulfilling their own due diligence in testing their endpoints and verifying secure configurations, as required by PCI and other industry or regulatory standards.

Customers are encouraged to perform their own testing of endpoints in Edge for security or compliance needs. See the Customer-requested testing of Edge Cloud section of this document for instructions.

Customer testing of Edge for Private Cloud or Edge Hybrid

Because Edge for Private Cloud and Edge Hybrid customers run Apigee software within their own networks, they are permitted to test that software. There are no limitations on testing systems or services that the customer manages directly.

For Hybrid customers, the API processing services run within the customer's network, while the management interface runs in Apigee Cloud. Review the Customer-requested testing of Edge Cloud section of this document for details on management interface testing restrictions and how to obtain a copy of the Apigee third-party test report.

Customer testing of developer portals hosted at Pantheon or Acquia

Customers can perform penetration testing on their portals hosted by Pantheon or Acquia. Apigee and Pantheon (or Acquia) must be notified first; customers do this by opening a support ticket with Apigee.

Customers must provide the Support team with the following details of the planned testing:

  • Date of tests (start date and projected end date including time zone)
  • Name of person/company performing the testing
  • Contact info for person performing the testing
  • Source IP addresses of the testing
  • Pantheon Site Names and URLs being tested