Security assessments


Optimizely is committed to providing secure products and services. Part of this commitment is performing security assessments, such as vulnerability assessments, risk assessments, and third-party penetration tests, to determine the presence of threats and vulnerabilities within the products and services.

What Optimizely is doing

Optimizely regularly performs security evaluations to uncover potential vulnerabilities and hazards in its products and services. The results of these assessments are then reviewed using Optimizely's vulnerability management procedures. Assessing the actual risk is essential in prioritizing the remediation process for any issues identified. Optimizely keeps the details of its security assessments confidential, opting to refer to audits performed by reputable third parties as evidence that these security checks are being conducted.

Penetration testing

You should only perform security penetration tests against the latest code version.

Microsoft's Red Team regularly performs penetration tests against the underlying infrastructure of Configured Commerce. The product is also subject to regular penetration tests by customers and partners.

To ensure your solution is thoroughly tested before going live, you can conduct your own tests using tools or security services, or order this service through Optimizely Expert Services.

If you plan to perform your own penetration tests, you must notify Optimizely at least 10 business days before the testing.

To notify Optimizely about your test, submit a ticket to Optimizely with your test plan including:

  • Test type and approach.
  • Contact information for emergency issues.
  • Expected start and end times.
  • Listing of IP addresses and DNS names from where the tests originate.

On-premises customers can conduct any security assessment on Optimizely products that are completely hosted within their own managed environment. SDK customers must ensure the scope of the security assessment does not include the SDK portion hosted by Optimizely.

Submission process

If you identify a finding through a security assessment, communicate the finding to Optimizely through the Customer Support portal. Optimizely then evaluates the finding through its vulnerability management processes and determines the next steps. This could include submitting a bug fix or product enhancement request, which Optimizely prioritizes based on the identified risk level.

Considerations

  • Optimizely routinely conducts various security assessments and resolves any identified finding per the vulnerability management processes. This should satisfy most requirements that you may have about conducting security assessments on critical products and services.
  • A particular finding may not always be directly related to an Optimizely product or service. It may instead be related to the unique configurations or integrations that exist within your environment. If so, Optimizely may provide recommendations, but you must decide how to remediate the finding.
  • There are various methods to reduce the risk of a particular finding. This could include introducing security controls that reduce the impact or probability of exploiting a finding. Optimizely evaluates security findings based on real-world risk and recommends remediation strategies designed to reduce that risk; these strategies may not necessarily eliminate the root cause of a finding completely.