Penetration Testing & Vulnerability Scanning

Files.com undergoes third-party penetration testing on at least an annual basis. The scope of penetration testing includes the Files.com web application, APIs and SDKs. By policy, Files.com may not use the same penetration testing vendor in two consecutive annual penetration testing events.

In addition to other standards, we specifically require our testers to include testing for the OWASP Top 10 vulnerabilities. The OWASP Top 10 covers a broad set of risks, including injection, cache control, session hijacking, and browser weaknesses.

Download all of the Files.com PenTest Completion Letters.

Files.com also offers the security research community a Security Bug Bounty to help identify weaknesses to be addressed. Customers are welcome to participate in the Bug Bounty Program.

Penetration Testing and Vulnerability Management are reviewed as part of the SOC 2 Audit process. Files.com's InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Customer-Performed Penetration Testing

We applaud our customers for wanting to perform additional testing against Files.com. With that said, the topic of customer-performed penetration testing is a complicated one. Ultimately, we want to make a distinction between high-quality penetration testing, such as the testing conducted by high-end Enterprise customers, and low-quality testing from cheap scanning vendors.

We are happy to support the former, and we want to discourage the latter, and therefore we limit customer-performed penetration testing.

Please coordinate with us before performing any testing. We would like to evaluate your choice of vendor prior to beginning any testing. Bad vendors tend to produce volumes of false positive alerts (such as discovering the presence of an FTP service, the use of passive FTP ports, etc.) and no actionable findings. Additionally, many of these vendors use automated scanners that can place high loads on our systems.

In order to conduct a test, you must sign a separate penetration testing agreement. You must also be a Premier or Enterprise customer and must also agree to share with us the results of your testing.

In most cases, we will quickly detect and ban your IP addresses if you attempt a penetration test against us without coordinating with us in advance. If you execute a testing agreement, we will offer to allowlist specific source IP addresses for an agreed testing window.

We hope you can appreciate our desire to provide access to customer-performed penetration testing in a safe and efficient manner while protecting the Files.com service as much as possible.

Common Penetration Testing Findings

The Files.com platform offers customers file transfer options, including legacy FTP and SFTP. We also support the use of insecure ciphers to accommodate our customers' legacy systems.

Some common findings during penetration testing are: plaintext FTP being available; "remote servers found" (port 22 open, for SFTP transfers); and insecure ciphers, when that option has been enabled on the site under test. These listeners are customer-facing features of the platform, designed to support our customers' needs, and do not provide access to our internal environment.
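A scanner report of "weak SSH ciphers" on port 22 is only actionable if the site actually has the legacy-cipher option enabled, so the first triage step is to look at what the server offers in its KEXINIT rather than trusting the scanner's summary. The script below is an added example, not Files.com code: it parses a KEXINIT payload per RFC 4253 section 7.1, lists the offered algorithms, and flags legacy ones against an illustrative policy (the LEGACY_* sets are an assumption, not Files.com's configuration). The sample payload is constructed inline; `fetch_kexinit` is the optional live path for running the same check against a real host you are authorized to test.

```python
"""Triage an SSH/SFTP 'weak cipher' scanner finding by reading what the server
actually offers in its KEXINIT (RFC 4253 section 7.1).

Added example, not Files.com code. The LEGACY_* sets below are an illustrative
policy (an assumption), not Files.com's cipher configuration."""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Illustrative legacy-algorithm policy (assumption, not the site's setting).
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
              "diffie-hellman-group-exchange-sha1"}
LEGACY_CIPHER_MARKERS = ("-cbc", "3des", "arcfour", "blowfish", "cast128")
LEGACY_MAC = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

# Name-list fields of KEXINIT, in wire order.
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _read_name_list(buf, pos):
    """Decode one SSH name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    raw = buf[pos:pos + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    names = raw.decode("ascii").split(",") if n else []
    return names, pos + n


def parse_kexinit(payload):
    """Parse a KEXINIT payload (message byte through the reserved uint32)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos = 1 + 16  # skip message id and the 16-byte random cookie
    out = {}
    for field in FIELDS:
        out[field], pos = _read_name_list(payload, pos)
    out["first_kex_packet_follows"] = bool(payload[pos])
    pos += 1
    (reserved,) = struct.unpack_from(">I", payload, pos)
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    return out


def triage(kexinit):
    """Return legacy offerings by category; an empty dict means nothing to report."""
    findings = {}
    kex = [a for a in kexinit["kex"] if a in LEGACY_KEX]
    ciphers = sorted({a for a in kexinit["enc_c2s"] + kexinit["enc_s2c"]
                      if any(m in a for m in LEGACY_CIPHER_MARKERS)})
    macs = sorted({a for a in kexinit["mac_c2s"] + kexinit["mac_s2c"]
                   if a in LEGACY_MAC})
    for key, value in (("kex", kex), ("cipher", ciphers), ("mac", macs)):
        if value:
            findings[key] = value
    return findings


def build_kexinit(**lists):
    """Encode a KEXINIT payload; used here only to construct sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie is fine for a sample
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=0, reserved=0


def fetch_kexinit(host, port=22, timeout=5.0):
    """Live check: do the version exchange and return the server's KEXINIT payload.
    Only run this against hosts you are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexinit_triage\r\n")
        f = s.makefile("rb")
        while True:  # servers may send banner lines before the version string
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        rest = f.read(packet_len - 1)          # payload + padding (no MAC yet)
        return rest[:packet_len - 1 - pad_len]  # strip the random padding


# Constructed sample: a server offering AES-GCM/CTR plus legacy CBC, 3DES and
# SHA-1 group exchange, as a site with the legacy-cipher option enabled might.
SAMPLE = build_kexinit(
    kex=["curve25519-sha256", "diffie-hellman-group-exchange-sha1"],
    host_key=["ssh-ed25519", "rsa-sha2-256"],
    enc_c2s=["aes256-gcm@openssh.com", "aes128-ctr", "aes256-cbc", "3des-cbc"],
    enc_s2c=["aes256-gcm@openssh.com", "aes128-ctr", "aes256-cbc", "3des-cbc"],
    mac_c2s=["hmac-sha2-256", "hmac-sha1"],
    mac_s2c=["hmac-sha2-256", "hmac-sha1"],
    comp_c2s=["none"], comp_s2c=["none"],
)

if __name__ == "__main__":
    print(triage(parse_kexinit(SAMPLE)))
```

If `triage` returns an empty dict for a site, a scanner's "weak cipher" line is a false positive worth pushing back on; if it lists algorithms, compare them with the legacy-cipher option on the site before treating the finding as a platform issue.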

Automated Vulnerability Scan Testing

Files.com undergoes automated vulnerability scans at least monthly. These scans cover our external public-facing systems and the entire internal network. The scanning tools rate findings using the Common Vulnerability Scoring System (CVSS). Files.com also uses AWS Security Hub to perform daily reviews of the AWS configuration. Any identified vulnerabilities are closed as soon as possible after detection using the existing Patch Management and Change Management processes.

Files.com undergoes automated web application scanning, including for the OWASP Top 10 vulnerabilities described above. Any identified vulnerabilities are closed as soon as possible after detection using the existing development lifecycle processes.

Vulnerability Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
