You're viewing Apigee Edge documentation.
Go to the
Apigee X documentation. info
Customer-requested testing of Edge Cloud
Apigee allows and even encourages our customers to scan or test their own endpoints in Apigee Edge Cloud. We ask for notification of the scan only so that we are aware of the scanning in the event the scanning causes an issue for your services. To notify Apigee of your planned testing, open a support ticket at least 1 business day prior to the start of testing and provide the following details:
- Date of tests (start date and projected end date including time zone)
- Name of person/company performing the testing
- Contact info for person performing the testing
- Source IP addresses of the testing
- Target/Destination IPs and names of the systems being tested (API endpoint names)
Testing is specifically not prohibited in customer agreements. Approval emails will not be sent, nor will authorization letters be signed, because there is no prohibition against the customer testing their own end points and configurations in Edge Cloud.
If customers find vulnerabilities during their testing that they believe are because of the Apigee Edge platform itself, we ask them to submit this information to Apigee using the Reporting vulnerabilities in Edge process.
Google Scanning of Edge Public Cloud
Apigee scans the Apigee Edge public cloud weekly. However, these scans are for internal purposes and not shared with customers. The Google scans look at publicly exposed endpoints and the internal infrastructure. These scans are looking for missing patches, vulnerabilities, misconfigured hosts, poor TLS configurations, and so on. They are part of the Google commitment to "secure the platform."
If something was identified that directly related to a customer and was obviously incorrectly configured, we would notify the customer. But, since customers use both clear text and TLS configurations, and since some customers use Edge for public data while others use Edge for PCI or healthcare or other PII types of data, we are not in a position to determine what is always appropriate for all of our customers.
These Google scans may not be used by customers as fulfilling their own due diligence in testing their endpoints and verifying secure configurations such as are required by PCI and other industry or regulatory standards.
Customers are encouraged to perform their own testing of endpoints in Edge for security or compliance needs. See the Customer-requested testing of Edge Cloud section of this document for instructions.
Customer testing of Edge for Private Cloud or Edge Hybrid
Because Edge for Private Cloud and Edge Hybrid customers have Apigee software within their own networks, customers are permitted to test the software. There are no limitations on testing of systems or services that are managed by the customer directly.
As a result, however, Apigee does not provide testing reports to Edge for Private Cloud customers. The reports from Apigee Public Cloud are not applicable to Private Cloud deployments. Apigee does perform malware scanning of Private Cloud code before it is released to customers.
For Hybrid customers, the API processing services are within the customer's network, while the management interface is in Apigee Cloud. Please review the Customer-requested testing of Edge Cloud section of this document for details on management interface testing restrictions.
Customer testing of Apigee-sponsored developer portals hosted at Pantheon or Acquia
This section applies only to Apigee-sponsored portals hosted on Drupal 7. Apigee-sponsored hosting of Drupal portals ends in early 2020. For more information, see Drupal 7 Developer Portal FAQ - End of Hosting.
Customers can perform penetration testing on their portals hosted by Pantheon or Acquia. Apigee and Pantheon (or Acquia) need to be notified first, and customers can do this by opening a support ticket with Apigee.
Customers must provide the Support team with following details of the planned testing:
- Date of tests (start date and projected end date including time zone)
- Name of person/company performing the testing
- Contact info for person performing the testing
- Source IP addresses of the testing
- Pantheon Site Names and URLs being tested