The Security Testing Policy describes when and how you may conduct certain types of security testing of Oracle Cloud Services, including vulnerability and penetration tests, as well as tests involving data scraping tools.
What does Oracle allow as part of this testing?
Penetration and Vulnerability Testing
Oracle regularly performs penetration and vulnerability testing and security assessments against the Oracle cloud infrastructure, platforms, and applications. These tests are intended to validate and improve the overall security of Oracle Cloud Services.
However, Oracle does not assess or test any components (including non-Oracle applications, non-Oracle databases or other non-Oracle software, code or data, as may be applicable) that you manage through or introduce into, including introduction through your development in or creation in, the Oracle Cloud Services (the "Customer Components"). This policy does not address or provide any right to conduct testing of any third-party materials included in the Customer Components.
Except as otherwise permitted or restricted in your Oracle Cloud Services agreements, your service administrator who has system level access to your Oracle Cloud Services may run penetration and vulnerability tests for the Customer Components included in certain of your Oracle Cloud Services in accordance with the following rules and restrictions.
Permitted Cloud Penetration and Vulnerability Testing
The following explains where penetration and vulnerability testing of Customer Components is permitted:
IaaS: Using your own monitoring and testing tools, you may conduct penetration and vulnerability tests of your acquired single-tenant Oracle Infrastructure as a Service (IaaS) offerings. You must notify Oracle prior to conducting any such penetration and vulnerability tests in accordance with the process set forth below. Pursuant to such penetration and vulnerability tests, you may assess the security of the Customer Components; however, you may not assess any other aspects or components of these Oracle Cloud Services including the facilities, hardware, software, and networks owned or managed by Oracle or its agents and licensors.
PaaS: Using your own monitoring and testing tools, you may conduct penetration and vulnerability tests of your acquired single-tenant PaaS offerings. You must notify Oracle prior to conducting any such penetration and vulnerability tests in accordance with the process set forth below. Pursuant to such penetration and vulnerability tests, you may assess the security of the Customer Components; however, you may not assess any other aspects or components of these Oracle Cloud Services including the facilities, hardware, networks, applications, and software owned or managed by Oracle or its agents and licensors. To be clear, you may not assess any Oracle applications that are installed on top of the PaaS service.
SaaS: Penetration and vulnerability testing is not permitted for Oracle Software as a Service (SaaS) offerings.
Rules of Engagement
The following rules of engagement apply to cloud penetration and vulnerability testing:
Your testing must not target any other subscription or any other Oracle Cloud customer resources, or any shared infrastructure components.
You must not conduct any tests that will exceed the bandwidth quota or any other subscribed resource for your subscription.
You are strictly prohibited from utilizing any tools or services in a manner that performs Denial-of-Service (DoS) attacks or simulations of such, or any "load testing" against any Oracle Cloud asset including yours.
Any port scanning must be performed in a non-aggressive mode.
You are responsible for independently validating that the tools or services employed during penetration and vulnerability testing do not perform DoS attacks, or simulations of such, prior to assessment of your instances. This responsibility includes ensuring any contracted third parties perform assessments in a manner that does not violate this policy.
Social engineering of Oracle employees and physical penetration and vulnerability testing of Oracle facilities are prohibited.
You must not attempt to access another customer's environment or data, or to break out of any container (for example, virtual machine).
Your testing will continue to be subject to terms and conditions of the agreement(s) under which you purchased Oracle Cloud Services, and nothing in this policy shall be deemed to grant you additional rights or privileges with respect to such Cloud Services.