Pentest documentation for Product Layer7 API Gateway


Article ID: 407103


Products

CA API Gateway

Issue/Introduction

With DORA (Digital Resilience Act Guide) and all the changes that come with it, our company has infrastructure applications that have to pass regular penetration tests.

To fulfill this requirement, is it possible to get a management summary of a penetration test of the software product itself?
Does Broadcom perform regular pen tests on the Broadcom Layer7 API Gateway product (virtual appliance)? And if yes, can Broadcom provide a management summary of these tests for customer documentation?

Environment

API Gateway 11.X

Resolution

We provide "an appropriate document" listing the vulnerabilities, each with a CVSS (Common Vulnerability Scoring System) score, that result from scanning the Layer7 solution with a variety of different tools. This is a static analysis of the solution. We cannot provide more detail than the scores, as the underlying information is non-public.

A penetration test is very different. We provide the solution to customers, and they (or their partners) deploy it in their own data center in their own way. That deployment may leave security holes, such as APIs not protected by an OAuth/JWT/SAML token, ports that are left open but unused, etc. As a result, such tests can only be conducted in your own production environment, usually by third parties. They are very different from a vulnerability assessment.