Penetration tests

You can perform penetration tests, subject to prior consultation, to inspect and remediate security vulnerabilities in the cloud environment and to comply with regulations.

Penetration test guide

NAVER Cloud Platform actively cooperates with penetration tests by customers. This makes security activities more convenient for customers who need to perform penetration tests for various regulatory compliance purposes, such as "vulnerability inspection and measures" in the ISMS/ISMS-P (personal information and information security management system) certification standards and "infringement response training and inspection" in the public cloud security certification (CSAP) standards.
If you wish to conduct a penetration test for your resources (assets) and services, see the following penetration test policy (terms and conditions) and request an advance consultation. Any penetration test for NAVER Cloud Platform's infrastructure and all components requires a prior agreement with the company. Penetration testing without the agreement may result in blocked or suspended customer accounts without notice. Penetration testing for other customers' resources is not available.

Usage guide

Terms of Service
Naver Cloud Platform
Penetration Testing Policy (Terms and Conditions)
◼︎ Article 1 (Overview and Purpose)
The purpose of the Policy herein is to set forth the rights and obligations and other necessary matters between NAVER Cloud Corporation (hereinafter referred to as “Company”) and its customer (hereinafter referred to as “Customer”) in conducting penetration tests on NAVER Cloud Platform services provided by the Company. All penetration tests must follow the NAVER Cloud Platform Penetration Testing Policy described below.
◼︎ Article 2 (Basic Conditions)
1. Penetration tests for the NAVER Cloud Platform components require consultation in advance with the Company. For penetration tests that are not negotiated, the Company may block the test without prior notice and may suspend the Customer's account.
2. The scope of any penetration test is limited to the resources (assets) of that Customer and they must be careful not to cause unintended consequences for other customers.
3. The Customer must proactively verify and demonstrate that the tools and services used to conduct the penetration test are properly configured and function as intended within the scope of this policy.
4. If any potential security issues (vulnerabilities) related to NAVER Cloud Platform services are discovered during the penetration test process, then the security team (dl_ncp_ms@navercorp.com) must be immediately contacted. Moreover, the security issues (vulnerabilities) shall not be disclosed to a third party or the general public until an official reply is received from the Company regarding the content of the inquiry.
5. If the Customer violates this policy, all of the Customer's accounts may be suspended or terminated and the Customer may be subject to legal action.
6. The Customer shall be responsible if the Customer violates this policy and causes damage or loss to the Company and other customers' data.
7. The Company shall protect customers and their resources (assets) and guarantee the quality of service.
◼︎ Article 3 (Limitations)
1. Inspecting or testing resources that belong to other customers
2. Accessing other customers' data
3. Testing with automation tools or services that generate large amounts of traffic
4. Using the service in a way that violates the NAVER Cloud Platform Terms and Conditions
5. Attempting phishing or other social engineering attacks against the Company and its employees
6. Performing all types of denial of service (DoS) tests
Exceptions
(a) For customers using the Security Monitoring product, simulation training with nationally designated infringement response agencies, such as the Korea Internet and Security Agency (KISA) and the Financial Security Institute (FSI), is available upon prior consultation with the Company.
The denial of service (DoS) tests are limited to the following scope.
(a) Bandwidth: within the pre-contracted capacity range
(b) Frequency: up to twice a year
(c) Only DoS testing of the L4 layer is supported.
- However, for WAF service customers only, an HTTP GET flooding test at the L7 layer is supported upon prior request.
◼︎ Article 4 (Scope of the Service)
1. Upon Customer request, the Company may apply exception handling to Customer's source IPs used in penetration tests.
(a) However, when handling IP exceptions, detection and blocking logs for those IPs are not available for customer confirmation.
(b) Customers who need to check the detection and blocking logs of the security services they're using within the Security Monitoring product should refrain from requesting IP exception handling.
2. The Company does not provide security logs related to penetration tests. Customers who need security logs should check them directly through the Security Monitoring or Cloud Log Analytics product in the NAVER Cloud Platform console.
(a) However, if the Customer is using the Security Monitoring product in the Classic platform environment, the Company shall provide them with detection and blocking logs for the security services they're using upon their request.
(b) Customers who wish to check security logs through the Cloud Log Analytics product must subscribe to the Cloud Log Analytics product and activate the Security Monitoring security log storage (integration) feature in advance.
3. The Company does not assign a dedicated security professional to work with the Customer during the penetration test.
◼︎ Article 5 (How to Request Prior Consultation)
1. Request prior consultation by completing the “Penetration test request form” including the (main) account involved in the penetration test, schedule, test type, contact information, and the details of the planned event (target assets, IPs, etc.).
2. The Company may request additional information from the Customer for adequacy evaluation.
3. The Company will review the appropriateness of the test based on the Customer's request and return the results within 5 business days. However, the Company may extend the response deadline for a period of no more than 7 days if necessary to request additional information or confirmation of the request, and will notify the Customer of such extension by email.