Security Center
Penetration tests
You can perform penetrations tests under prior consultations in order to inspect and take measures for security vulnerabilities in the cloud environment as well as comply with regulations.
Penetration test guide
NAVER Cloud Platform supports penetration tests for customers. This enables more convenient execution of security activities for customers that need to perform penetration tests for various regulatory compliance purposes such as "vulnerability inspection and measures" of the ISMS/ISMS-P (personal information and information security management system certification) certification standards, and "infringement response training and inspection" of the CSAP (public cloud security certification) certification standards.
Customers cannot conduct penetration tests on NAVER Cloud Platform infrastructure and services or other customer services without prior consultation.
If you wish to conduct a penetration test for your service, refer to the following penetration test policy and request it. NAVER Cloud Platform provides support by providing a temporary exception for the customer IP block to facilitate the penetration test.
If you wish to conduct a penetration test for your service, refer to the following penetration test policy and request it. NAVER Cloud Platform provides support by providing a temporary exception for the customer IP block to facilitate the penetration test.
Usage guide
Terms of Service
Naver Cloud Platform
Penetration Test Support Policy (Terms)
◼︎ Article 1 (Overview and Purpose)
The purpose of the Policy herein is to set forth the rights and obligations and other necessary matters regarding the NAVER Cloud Corporation(hereinafter referred to as “company”) and a customer (hereinafter referred to as “customer”) in regard to the use of the Naver Cloud Platform services provided by the company. All penetration tests must follow the Naver Cloud Platform Penetration Test Support Policy described below.
◼︎ Article 2 (Basic Conditions)
①
The penetration test for the Naver Cloud Platform components requires consultation in advance with the company. Mock penetration testing that had not been discussed in advance may result in blocked or suspended customer accounts without notice.
②
All simulated penetration tests are limited to the customer's resources (assets). Care must be taken to avoid unintended consequences for other customers.
③
The customer must proactively verify and demonstrate that the tools and services used to conduct the penetration test are properly configured and function as intended within the scope of this policy.
④
If any potential security issues (vulnerabilities) related to Naver Cloud Platform services are discovered during the penetration test process, then the security team (dl_ncp_ms@navercorp.com) must be immediately contacted. Moreover, the security issues (vulnerabilities) shall not be disclosed to a third party or the general public until an official reply is received from the company regarding the content of the inquiry.
⑤
Violations of this policy may result in suspension or termination of all customer accounts and subject to legal action.
⑥
The customer shall be responsible if the customer violates this policy and causes damage or loss to the company and other customers' data.
⑦
The company shall protect customers and their resources (assets) and guarantee the quality of service.
◼︎ Article 3 (Limitations)
①
Inspecting or testing the resources belonging to other customers
②
Accessing other customers' data
③
Performing the automated service tests that generate large amounts of traffic
④
Using the service in a way that violates the Naver Cloud Platform Terms of Use
⑤
Attempting phishing or other social engineering attacks against the company and its employees
⑥
Performing all types of denial of service (DoS) tests
1.
Exception: For customers who use the Security Monitoring Managed service, the simulation training through state-designated infringement response agencies, such as the Korea Internet & Security Agency (KISA) and the Financial Security Institute (FSI), is possible under agreement.
2.
The Denial of Service (DoS) test is limited to the following scope.
- Bandwidth: Within the pre-contracted capacity range
- Frequency: Up to twice a year
◼︎ Article 4 (Scope of Support by the Company)
①
Application of exception handling for the IPs used in penetration tests
②
Provides detection reports within the scope of the contract upon request only to customers who use the Security Monitoring service
- However, if the IPS/WAF service is operated in blocking mode, detection and blocking logs for IPs processed as exceptions are not logged. Therefore, detection reports are not available for the IPs that are processed as exceptions if categorized as any of the cases below.
1. If operating IPS (Intrusion Prevention System) service in blocking mode
2. If operating WAF (Web Application Firewall) service in blocking mode
3. If using the Basic Security service only
1. If operating IPS (Intrusion Prevention System) service in blocking mode
2. If operating WAF (Web Application Firewall) service in blocking mode
3. If using the Basic Security service only
◼︎ Article 5 (How to Request Prior Consultation)
①
Apply for prior consultation by completing the “Penetration Test Application,” including the schedule information, account, assets and contact details regarding the penetration test, and the details of the planned event (source IP, etc.).
②
The company may request additional information from customers for adequacy evaluation.
③
The company shall reply the approval result within 5 business days after reviewing the adequacy of the test based on the customer's request. However, the company can extend the reply deadline by 7 days if necessary for additional information requests, confirmation of requests, etc., and notifications about such extensions will be sent by email.