Customer Security Testing Guidelines

This document outlines guidance and resources that customers can use to plan a successful Security Assessment of their implementation on Guidewire Cloud.


Fig: Customer Security Testing Lifecycle

Plan

  • Prepare a detailed test plan that addresses the following:
    • In-scope target environment and applications to be tested: Guidewire recommends selecting a User Acceptance Testing (UAT), Performance Acceptance Testing (PAT), or similar environment that closely resembles production, including all of its integrations.
    • Testing type: We recommend an application penetration (pen) test that uses the Grey-box methodology. This type of test provides the testers with the necessary information and user access to ensure broad and in-depth coverage.
    • Testing schedule: At a minimum, establish a start date, an end date, and the daily time window during which testing is permitted.
    • The business purpose for the test: This is done to ensure your test plan meets all business, compliance, and regulatory requirements.

Prepare

  • Once the test plan is completed, request authorization from Guidewire to perform the documented security assessment by following the process documented here.
  • Ensure a proper backup of the target environment is created before testing.
  • Validate the testers’ access to the target environment. If allow-listing is required, please use the process documented here.

Assess

  • Ensure any security testing executed on Guidewire Cloud adheres to the published Rules of Engagement document here.
  • Testing must be performed by qualified internal testers or independent third-party security testing experts as required by business or compliance needs.
  • Use an effective test methodology that utilizes manual and automated testing and leverages industry best practices or guidelines such as OWASP, NIST, SANS, etc.

Report

  • Triage identified findings to eliminate false positives before reporting them.
  • Should you identify any vulnerabilities in the Guidewire OOTB code, please follow the instructions and submit the vulnerability to Guidewire here.
  • Customer-layer vulnerabilities should be tracked and remediated in a timely manner by the Customer.

Remediate

  • Remediate each finding, then retest to confirm the fix is effective so the finding can be validated and closed.

Additional Resources