This article is primarily for Alida customers (existing or prospective) who want to conduct various types of security testing on Alida’s SaaS-based platform.
What is security testing?
A security test is a type of testing aimed at exposing known security vulnerabilities and reporting potential exposures.
There are three types of security testing as described below:
- Penetration testing is designed to exploit weaknesses in the architecture of the application and underlying infrastructure and by its nature can be extremely intrusive.
- A credentialed scan is more invasive than a vulnerability assessment and requires that the tester has an account or access to the application being tested.
- Vulnerability scan/assessment seeks out known vulnerabilities and reports potential exposures.
Note: Depending on customer requirements, both vulnerability scans and credentialed scans can be facilitated. Vulnerability assessments can be conducted against your production instance. Please make sure to schedule these in advance. However, please be aware that we don’t allow credentialed scanning or penetration testing on our production instances.
Security testing process
Customers who want to initiate security testing should first review Alida’s SOC2 report and third-party security testing report and see if these reports satisfy their inquiries. They can obtain copies of either report by contacting Tech Support. If they still want to conduct security testing, the process is as follows:
- The customer goes to https://www.alida.com/pen-test.
- The customer completes all the details and submits the form.
- Alida receives and reviews the details (typically 3-5 business days), and follows up with additional questions if needed. Alida then creates the sandbox instance for testing.
Note: The sandbox instance Alida creates for testing purposes does not contain any data. It resembles the production instance as closely as possible, but contains only Alida’s proprietary applications, and does not have any third-party software integrations, services or applications installed. Any testing that requires third-party applications, integrations, or services must have those integrations installed and enabled by the customer team prior to testing.
- When the sandbox instance is ready, Alida emails the primary customer contact. The instance is available for testing on the dates specified in the request. If you require additional time, let us know in advance.
- Testers are granted access to the sandbox instance before the testing start date.
- After the testing period, all access to the sandbox instance is revoked and the instance is deleted completely.
Security testing FAQs
- Is there an alternative to conducting the security testing?
Alida's most recent SOC2 report and third-party security testing report are available upon request. Please reach out to Tech Support.
- Can I conduct testing on a production instance?
Alida does not allow conducting security testing on production instances because of risks such as:
- Data Corruption – Security testing involves injecting many types of payloads into different fields in the application. This may corrupt data or break certain components. Moreover, it is very difficult to return the instance to its pre-test state.
- Degraded Performance – Security testing involves the use of scanning tools that send thousands of requests to the server, which can degrade the performance of the server.
- Impact to End User – If the production system is live and end users are using it during security testing, the end user experience may be impacted negatively.
- Are there any tests which should not be performed?
Alida does not recommend tests like AppDoS, DDoS, or brute force attacks which are resource intensive. Alida also does not recommend exploiting vulnerabilities or testing the underlying infrastructure for issues. Please refer to the "What is security testing?" section above for allowed security testing methodologies.
- How do I report issues and vulnerabilities from the testing?
Once you have completed the security testing, submit your results as a case to Tech Support. Tech Support will ensure the issues are escalated through the correct channels and close the loop with the customer.
- What are the timelines for fixing the issues reported during the testing?
Please refer to Section 23 of our Data Protection Schedule for Security Defect Remediation timeframes.
- Who will be our point of contact in case we have any additional questions?
If the question is about the process or if you are looking for an update on the results and how they are being actioned by Alida, please contact Tech Support.