SaaS Product Security Vulnerability Scan Operation Guide and Security Specifications

Security Vulnerability Scan Operation Guide

If your SaaS products involve websites (including frontend and backend portals), ensure that your products do not contain malicious content or high-risk vulnerabilities. Scan your products before releasing them.

Procedure

1. Go to the Seller Console.
2. In the navigation pane, choose Application Tools > Vulnerability Scans.
3. In the Basic Information area, set the name, mobile number, and email address of the contact person and click Save.

   

4. In the Scan Services area, click Create Scan Service.

   

5. Enter basic scan details and click Next.

   

6. Verify the domain name ownership, select I have read and agree to the HUAWEI CLOUD Vulnerability Scan Service Agreement, and click Verify.

   

7. Enter the website login details, confirm the details, and click Confirm.

   

8. After the scan service is added, click Scan in the Operation column in the row containing the scan service to start it.

   

   

   • Up to five scan services can be created.
   • You cannot scan a domain name using multiple accounts or in Vulnerability Scan Service (VSS) before creating a scan service for the domain name in KooGallery. If you have created a scan task for a domain name using another account or in VSS, delete the scan task before you create a scan service for the domain name in KooGallery.
   • If a product has multiple login addresses, you must create multiple scan services. Only one scan services of the same domain name can be executed at a time.
   • Scan services whose domain names have not been verified cannot be edited. Scan services that are being executed cannot be edited or deleted. For scan services of a verified domain name, the domain name cannot be changed.
   • After the scan is complete, you can view the scan result and report. When releasing the product, associate the scan result with the product and submit them for review.

SaaS Product Release Security Specifications

If your SaaS products involve websites (including frontend and backend portals), ensure that your products do not contain common web vulnerabilities, such as cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), XML external entity (XXE) injection, OS injection, cross-directory access, file upload vulnerabilities, sensitive information leakage, URL redirection leakage, transport layer security (TLS) configuration defects, and web page Trojan horses. If the scan result of a product indicates that the product has a high-risk vulnerability, the product fails the scan. Fix the vulnerability before releasing the product.