
Proceeding Penetration Tests

This article provides basic guidance about penetration tests (pentests). Customers are allowed to carry out a pentest and to forward the result to imc (via Project Manager, Account Manager, or imc Service Desk). Usually, a pentest result is a document that contains several findings, each with a severity category (low, medium, high).

For documentation purposes, imc will create a Service Desk ticket (type Support Request) that stays open until all findings are sorted out or solved. Coordination takes place with the imc Security Team.

The support agent who is assigned to the ticket provides an overview of all reported findings and coordinates the feedback from imc internal departments (mainly Hosting and Product Development).

Typically, there are several feedback options:

  • LMS software needs some code change (software defect)
    ➡️ will be scheduled for one of the next patches via a separate software defect ticket

  • Hosting infrastructure needs some changes (infrastructure changes)
    ➡️ will be scheduled as soon as possible

  • Reported finding is invalid or will not be fixed by imc (invalid / won’t fix)
    ➡️ imc will provide reasonable feedback to the customer with an explanation of why the finding is invalid or will not be fixed by imc.

  • Reported finding is not related to imc software or services (outside imc)
    ➡️ imc will provide adequate feedback.

Via the Service Desk ticket, the support agent might request further input from the customer side if reported findings are unclear. In addition, it is possible to schedule regular or on-demand calls for status updates.

The Service Desk ticket is resolved once imc has provided reasonable feedback on all reported findings and all fixes for the reported findings have been delivered.

Additional information

A pentest as part of the rollout phase is managed by the project team. If fixes need to be delivered after project closure and support handover, the project team will forward the necessary tickets to the support team so that customer-visible tickets can be created in the imc Service Desk.

If the customer carries out a pentest during the project phase without having it in scope, an impact on the project timeline cannot be avoided. Example: if a customer carries out a pentest one week before Go-Live, it is unrealistic to expect the findings to be “fixed” within 2 days.

Known pentests in projects must be scheduled properly. This also means that not all findings have to be fixed before Go-Live. Only confirmed (valid) and “critical” findings that need some action on imc side (infrastructure change or software fix) will be addressed.

Frequently Asked Questions

Does imc carry out own pentest and how often?
Yes, imc carries out at least two pentests per year for the current standard release. These pentests are carried out by an external security company. In addition, the imc Security Team carries out regular internal penetration tests against reference or security testing systems.

Does imc share results of imc own pentest?
Yes, results of pentests (management summary only, for security reasons) are shared with customers on request (Service Desk, Account Manager, Project Manager).

Are customers allowed to run pentests for their instance?
Yes, customers can carry out a pentest against their own LMS instance after notification (2 weeks’ lead time). This is recommended during the project phase, but it is also possible after Go-Live (this requires more coordination). Any technical support or coordination support can be requested as an additional Consultancy service. This service can also be part of the implementation project. Please note that imc does not offer a full service for such a case and that the responsibility for carrying out the pentest lies with the customer.

How should customers report pentest results to imc?
The pentest report can be submitted to Support as a Service Desk ticket (after Go-Live) or to the project manager (before Go-Live / during the project phase). In general, imc needs the full pentest report (usually as a PDF document) for a detailed check of the results. imc Support or the project manager forwards the report to the imc Security Team and provides feedback and updates accordingly via the ticket system.

How are valid findings fixed by imc?
Valid findings (software defects or hosting issues) are fixed based on the priority of the reported findings. If a pentest is carried out during the project phase, the project plan needs to allow reasonable time for providing fixes before Go-Live to avoid shifting the Go-Live date.
