The scope of activities for manual penetration Assessments are as follows:
- Assess the extent of access or impact to the Customer’s systems by attempting to exploit identified vulnerabilities to gain access to confidential, proprietary or other data identified per the scoping questionnaire completed by Customer prior to the Assessment.
- Rank vulnerabilities using the Common Vulnerability Scoring System (CVSS).
- Perform internal Veracode review of the Assessment Report.
- Deliver a single unified view of the manual penetration Assessment results and any automated scanning results and the applicable generated reports through the Veracode Platform.
- Upon the customer’s request, Veracode will conduct a consultation call to:
- Discuss Assessment findings.
- Discuss tactical and strategic recommendations to address security issues and industry best practices.
- The request for a consultation call must be made in writing prior to the end of the Assessment.
- Veracode will not perform any denial of service testing or attacks during the course of the Assessment.
- Testing and identified vulnerabilities will be limited to the context of the user accounts supplied by Customer in the Veracode logistics documentation at the start of the Assessment.
- Veracode testing is generally conducted between 9:00AM EST and 8:00 PM EST; Veracode may conduct testing outside of this timeframe. Customer may request testing outside of the normal testing window. Any such request must be submitted via email to email@example.com. If such request is approved by Veracode, such off hours testing may be subject to additional fees.
- Customer will provide a minimum of three (3) valid user accounts with varying configured access based on user role, with one account being an administrator account capable of updating other accounts’ access.
- Customer is responsible for ensuring the instance/environment of Applications are available and functional for the entire duration of the project.
- If requested, Customer will provide a high-level architecture diagram of Applications and supporting infrastructure as well as any associated user documentation such as API references.
- Customer will provide a point of contact with availability during agreed upon testing windows for help troubleshooting issues impacting testing.
- All Assessment work is conducted remotely via an Internet accessible system or application environment. If an Internet facing environment is unavailable, Customer shall make available VPN or other intranet/remote system access.
- Customer is responsible for disabling Veracode’s access to all Customer environments after Assessment results are available on the Veracode platform.
- Customer is responsible for all expenses and liabilities related shipping of any device(s) required to support requested Assessment.
- For Customer’s who have purchased a set number of Assessment days for multiple Assessments, Veracode shall perform up to 3 Assessments per month. Any Assessments in excess of 3 during a month will be scheduled on a best efforts basis and may require up to 4-week lead-time.
- Any cancellation or rescheduling of Veracode resources by Customer within 10 days prior to the agreed upon scheduled start date will result in 50% of the services hours associated with such scheduled Assessment to be deemed to be used by Customer. Any such cancelled assessment(s) will be rescheduled using best effort scheduling.
Pre-Assessment Logistics Verification Procedures
Customer will be required to complete a logistics worksheet and provide Veracode with any equipment that will be required for the Assessment at least 5 days prior to the scheduled start date of the Assessment. Following receipt of the worksheet (and equipment, if applicable), within 5 business days before the scheduled start date for the Assessment, Veracode will attempt to validate the availability and connectivity of the Application or other access so that Veracode can begin the Assessment as scheduled. This verification includes, but is not limited to ensuring all of the following requirements have been met:
- White-listing of Veracode's source IP address(es)
- Test accounts for the Application(s) (usernames/passwords) are valid and working
- URL(s) for Application(s) is/are accessible
- VPN access (if applicable and required for Assessment)
- Physical devices, laptop, virtual machines or other equipment is working and delivered to the Veracode personnel performing the Assessment (if applicable and required for Assessment)
If Veracode is unable to verify the above logistics at least 5 business days before the scheduled start date, the Assessment may be rescheduled to the next available test window. In addition, once an Assessment has been started, if Veracode resources are idle due to matters within the Customer’s control and not due to any action or omission of Veracode and such matters cause a delay in completion of the Assessment, Customer agrees that it will be responsible for payment equal to the number of additional days actually required to complete the Assessment. For Customers who have purchased a set number of Assessment days for multiple Assessments, the number of hours associated with such delayed Assessment shall be deemed to include both the actual number of days required to complete the Assessment as well as the number of days that Veracode resources were idle, which may include additional days pulled forward from the subsequent month/period of the subscription term.