
Is there a policy on allowing vulnerability scans of the Lucidchart servers? This is required by the UK government as part of their Cyber Essentials flow down. If not, who do I need to contact to authorise this testing?

Hi Richard, I am going to reach out to you via email regarding this issue :)


Hi Megan,

Many thanks for getting back to me. I have reviewed your white paper and the approach sounds sensible. From reading this I understand that your offering is provided through AWS VPC. As part of Cyber Essentials, we are required to run a vulnerability scan on the IP address of the entry point to the service, although it may be sufficient to just use your website as the external point for testing. Can you please let me know whether even the entry points are managed by AWS VPC? If so, then I believe we would need the static IPs that you are using and would then need to gain permission from Amazon (although normally the big companies have standard policies accepting this testing).


In the first stage of the assessment the penetration testers (PT) will probe the infrastructure in scope to identify systems present and to map the layout of the environment. Having identified target hosts, PT will perform scans to identify services available on the systems. Where possible, PT will identify the versions of applications in use on the target systems and review the patch management. Further to this, PT will also perform an unauthenticated vulnerability assessment of any web applications in scope. The focus of this testing will be on injection-style attacks.


These reviews are beneficial both to users and to the companies being tested, and the range of tests is standard within the industry.
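The testing described in the post above (host and service enumeration, then an unauthenticated web check focused on injection-style requests) should be visible in the provider's web server logs and should originate only from the tester source addresses agreed before the engagement. As an added example, not part of this thread and not Lucidchart's or Amazon's own tooling, the Python script below parses a few constructed access-log lines in combined format, marks each source IP as inside or outside an assumed authorised tester range, and flags probe-like activity (injection markers, repeated 404s) from sources that were not authorised. The log lines, the 203.0.113.0/24 tester range and the injection markers are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines in Apache/nginx "combined" style.
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "scanner/1.0"
203.0.113.10 - - [10/Mar/2024:10:00:02 +0000] "GET /login?user=%27%20OR%201%3D1-- HTTP/1.1" 200 870 "-" "scanner/1.0"
203.0.113.10 - - [10/Mar/2024:10:00:03 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Mar/2024:10:00:04 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 912 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:06 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:00:07 +0000] "GET /docs HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
"""

# Assumed tester source range, agreed in writing before the scan (constructed value).
AUTHORIZED_SCANNER_CIDRS = ["203.0.113.0/24"]

# Combined log format: client IP, ident, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Crude, constructed indicators of injection-style probing, matched on the URL-decoded request path.
INJECTION_MARKERS = ("' or ", "1=1", "<script", "union select", "../")


def parse_line(line):
    """Return ip, decoded path and status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": unquote(m["path"]), "status": int(m["status"])}


def is_authorized(ip, cidrs):
    """True if the source address falls inside one of the agreed tester ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


def looks_like_injection(path):
    """True if the decoded request path contains one of the constructed injection markers."""
    lowered = path.lower()
    return any(marker in lowered for marker in INJECTION_MARKERS)


def summarize(log_text, cidrs):
    """Per-source-IP counts of requests, 404s and injection-like requests, plus authorisation status."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "injection_probes": 0, "authorized": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["authorized"] = is_authorized(rec["ip"], cidrs)
        stats["requests"] += 1
        if rec["status"] == 404:
            stats["not_found"] += 1
        if looks_like_injection(rec["path"]):
            stats["injection_probes"] += 1
    return dict(per_ip)


def unexpected_probers(summary, min_not_found=2, min_injection=1):
    """Source IPs showing probe-like behaviour that are outside the authorised tester range."""
    return sorted(
        ip for ip, s in summary.items()
        if not s["authorized"]
        and (s["not_found"] >= min_not_found or s["injection_probes"] >= min_injection)
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, AUTHORIZED_SCANNER_CIDRS)
    for ip, stats in summary.items():
        print(ip, stats)
    print("unexpected probers:", unexpected_probers(summary))
```

Run against the constructed log, the authorised tester at 203.0.113.10 is reported but not flagged, while 198.51.100.7 (outside the agreed range, one injection-like request and two 404s) is returned by unexpected_probers. The thresholds are deliberately simple; the point is that having the tester's source addresses in advance lets the defender separate the agreed test from anything else that happens to be probing during the same window.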
