Every change, whether to code or to infrastructure, is reviewed to ensure that it does not compromise the overall integrity and security of the Hornbill platform. These changes are tested through automated testing on every commit and build against a suite of tools and tests (over 10,000 individual API tests alone, and counting), and any issues are addressed before the change is promoted out of the development environments. Hornbill also performs monthly external scans of all endpoints using industry-approved tools to ensure nothing has been missed. Then, on an annual basis, we have an external company perform a full penetration test of the entire platform to validate our results. Full penetration test reports are available on request.
External Penetration Tests
As per Section 3.4.3 of the Contract, Hornbill does not allow external third-party penetration tests against our live services. Whilst we are confident that nothing would be found (we already have an external penetration test performed annually, with all issues addressed; the report is available on request), there are several reasons for this. Because Hornbill is a shared service with common front ends, any unexpected or incomplete access will be flagged automatically by the security measures and threat detection in our front end, services and monitoring, which may cause unwanted downtime or the blacklisting of IPs for the given instance or for others; the source IP or range may also be shared, so in blocking a perceived attack we could end up blocking valid requests. Penetration tests can also be load heavy because of the automated tools and scanners used, which may impact performance for customers on any shared resources or trigger rate limiting. Some automatic actions are outside of Hornbill's control (for example, when testing logins with an account tied to SAML, Google or similar identity providers), which may impact the delivery of our services. There is also the question of what a non-directed or blanket test would actually find, given the complexity of the system and the front-end servers screening requests.
We would therefore strongly recommend that any customer wishing to perform an external penetration test contact firstname.lastname@example.org to obtain a copy of the latest penetration test reports (external and internal) and allow us to discuss your goals, with the aim of finding a solution.