Identity Cloud penetration testing and load testing policy
ForgeRock has a strict policy on the penetration testing and load testing of your Identity Cloud infrastructure and applications. Refer to the Policy rules.
The policy exists for the following reasons:
- Preserves platform stability
  The policy preserves platform stability for all ForgeRock customers. Unscheduled testing can cause severe problems, as it can initially be indistinguishable from a real problem or a DoS attack. It can set off alarms, cause service shutdowns, add services to denylists, and prevent the support team from taking remedial actions. It can also disproportionately occupy our support team, delaying our response to other ForgeRock customers with pressing support problems.
- Regulates testing
  The policy regulates how testing is approached so that it is realistic and manageable. For example, a load testing plan would not be approved if it created and deleted large numbers of identities and entitlements for each test, as this is a hugely expensive operation, but not a realistic pattern of behavior.
- Avoids unnecessary testing
  The policy helps you avoid unnecessary testing. ForgeRock already directly tests Identity Cloud infrastructure and applications on your behalf, using code scans, penetration tests, and automated load tests. This ensures that testing is consistent and that results can be compared over time. The penetration testing is done by a third party, in line with industry best practice. The results of the penetration testing are shared with you, with the time-consuming analysis and elimination of false positives already done by our engineers.
Policy
Policy rules
- You are not permitted to directly test Identity Cloud infrastructure and applications. In particular, this applies to DoS or DDoS attacks. ForgeRock already does this on your behalf.
- You are permitted to indirectly test Identity Cloud infrastructure and applications as part of a wider test of your own infrastructure and applications.
- You are permitted to perform penetration testing and load testing only against your staging environment.
- You are permitted to perform load testing only up to the license volume limits listed in the Test plan information section.
- You are not permitted to use the built-in SMTP server as the email provider. If you have any email-dependent journeys, you must configure your own external SMTP server as the email provider.
- You are not permitted to perform penetration testing or load testing without ForgeRock’s prior written consent.
- You are not permitted to authorize a third party to perform penetration testing or load testing without ForgeRock’s prior written consent.
- To obtain ForgeRock’s prior written consent you must create a test plan and have it reviewed and approved by ForgeRock.
- You must provide at least two weeks' notice of the test date.
Policy summary
Test type | Development environment | Staging environment | Production environment
---|---|---|---
Penetration testing | Not permitted | Permitted, with ForgeRock’s prior written consent | Not permitted
Load testing | Not permitted | Permitted, with ForgeRock’s prior written consent and only up to the license volume limits | Not permitted
Creating a test plan
1. Go to the Backstage website, and click Support.
2. On the ForgeRock Support page, click New Ticket.
3. On the New Ticket page, choose Identity Cloud: Config Request.
4. On the Identity Cloud: Config Request page, provide the following information:
   - Hostname: Enter the hostname of your staging environment.
   - What would you like to do? Choose one of the following:
     - Submit a load testing request
     - Submit a penetration testing request
   - Describe your test scenario: Enter the Test plan information.
   - What is your testing schedule? Provide the dates and times that you intend to do the testing.
5. Ignore the remaining form fields.
6. Click Submit to create the support ticket.
Test plan information
Information | Description
---|---
Testing strategy | Describe the strategy you intend to follow when testing your own infrastructure and applications. Your load testing plan should also avoid unrealistic patterns such as the setup and teardown of large numbers of identities for each load test.
Origin of testing | Confirm whether the testing will originate from an external source over the internet or from an internal source within your Identity Cloud tenant environments. If originating from an external source, you must also supply the source IP addresses.
Named contact | Provide a named point of contact in your testing team in case ForgeRock requires the testing to be stopped due to unforeseen impacts.
Testing cessation | Confirm that in the unlikely event that a vulnerability is discovered in Identity Cloud infrastructure or applications: