This Service Description describes Web Application Security Testing (“Service”). All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.
This Service Description is part of and incorporated into, as applicable: (i) Customer’s or Managed Service Provider’s (“MSP”) manually or digitally‐signed agreement with Sophos covering the purchase of a Service; (ii) MSP’s manually or digitally-signed agreements with Sophos covering its purchase of Offerings of which the Service is a part; or (iii) if no such signed agreement exists, then this Service Description will be governed by the terms of the Sophos End User Terms of Use posted at https://www.sophos.com/legal (collectively referred to as the “Agreement”). To the extent there is a conflict between the terms and conditions of the Agreement and this Service Description, the terms and conditions of this Service Description will take precedence.
Notwithstanding anything to the contrary in the Agreement, Customer/MSP acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality without notice to Customer/MSP; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/legal.
I. DEFINITIONS
“Asset(s)” means any application(s) that are the targets or subjects of penetration testing in accordance with this Service Description.
“Remote Testing Appliance” or “RTA” refers to a virtual machine that enables Sophos to establish a secure presence on the Customer’s/MSP’s internal network in support of Testing conducted remotely.
“Security Services Team” means the Sophos team conducting penetration testing and providing remediation recommendations.
“Service Coordinator” means the Sophos personnel responsible for managing the overall Service engagement lifecycle, including stakeholder coordination, action prioritization, cross-functional alignment, and communication. The Service Coordinator serves as the primary liaison between the Customer/MSP and the Security Services Team to ensure timely, aligned and in-scope Service delivery.
“Test” or “Testing” means penetration testing of applications covered under the Service.
II. DESCRIPTION OF SERVICE
The Service assesses the security posture of an application by identifying and exploiting vulnerabilities, misconfigurations, and weaknesses. The Service is offered in Small, Medium, and Large tiers, based on the size and complexity of application. Sophos will deliver the Service as defined in this Service Description, with the applicable scope determined by the tier purchased and specified in the relevant Schedule.
All Service elements are delivered remotely unless Customer/MSP requests onsite engagement, in which case Sophos will provide the Service pursuant to Onsite Service Engagement under Section IV below.
Service Initiation. Service delivery commences with a series of staging and introductory sessions with Customer/MSP to cover the following:
- Service objectives and scope, including Assets to be covered by Service
- Rules of engagement for Service delivery, levels of effort, and risk acceptance
- Timelines and schedules for Service delivery, including all Customer/MSP prerequisites and technical requirements
- Reporting requirements, timelines, and escalation paths
- Key personnel, roles and responsibilities, and emergency planning
- Sophos source IP address ranges, tools, and techniques to be used for Service delivery
Following these sessions, Sophos will send a confirmation email summarizing agreed parameters for the above listed items. Customer/MSP must provide written confirmation of such parameters as a precondition to Service delivery. Customer/MSP is responsible for completing all required pre-testing tasks (including providing IP addresses for the Assets to be covered by the Service, configuring remote connectivity, and ensuring all applicable prerequisites are met) prior to the start of Service. Security Services Team may provide guidance, but timely completion of these tasks remains the sole responsibility of Customer/MSP.
Customer/MSP Testing Readiness Requirements. As a precondition to Service delivery, Customer/MSP must meet the following requirements prior to Testing:
RTA Deployment. For remote Testing, Customer/MSP must download RTA (via a Sophos provided download link) and deploy it to applicable source network(s), complete configuration tasks in accordance with Sophos’s direction, and meet all applicable technical requirements, including but not limited to:
- Providing (i) a suitable hypervisor that supports OVA, OVF, or VMX virtual machine images, and (ii) a minimum of 2 virtual CPUs, 4GB RAM, and 32GB hard disk space per RTA virtual machine
- Providing access to Customer/MSP technical personnel for troubleshooting
- Assisting Sophos with the proper placement of the RTA, and providing the necessary network connectivity to enable Service delivery
- Ensuring outbound internet connectivity to the Sophos testing environment (encrypted SSL VPN over port 443).
Note: At no point can a direct connection be initiated to the RTA from outside the Customer/MSP network. All connections are initiated outbound, from within the RTA virtual machine on the Customer/MSP network, to the Sophos secure testing facilities.
Testing Access Enablement.
- Customer/MSP must ensure that all covered applications remain available, stable, and unmodified for the duration of Testing. Any changes made during the Service engagement will be out of scope and may require a separate purchase for re-testing.
- Customer/MSP must ensure that Testing of in-scope applications, in their configured state, is permitted under all applicable third-party Terms of Service (e.g., AWS, Azure, or other cloud service providers, including load-balancing services). Failure by Customer/MSP to meet these obligations may delay or limit the Services, and Sophos shall have no responsibility or liability for any resulting impact on Testing or associated deliverables.
- Customer/MSP must (i) timely inform its personnel and third parties of Sophos’s Testing activities as needed, to prevent disruption to Sophos business and performance of the Service (e.g., takedown requests, ISP blacklisting); and (ii) whitelist Sophos’s source testing addresses and domains in any active security devices such as Network Access Control (NAC), Intrusion Prevention System (IPS), or a Web Application Firewall (WAF).
- Service Completion Timeframe. Customer/MSP acknowledges and accepts that Sophos must complete Service delivery within twelve (12) months of the Service purchase date. As such, Customer/MSP is solely responsible for taking all actions, and meeting all prerequisites, readiness, and enablement requirements necessary for Sophos to complete Service delivery within the twelve (12) months. Any failure by Customer/MSP to do so will result in expiration of the Service without refund, and Sophos will have no further obligation to perform.
Service Delivery.
- Service Coordinator. Sophos will assign a dedicated Service Coordinator to support Service delivery. Service Coordinator will coordinate with Security Services Team and Customer/MSP to (i) develop delivery timeline; (ii) identify and address issues or concerns that impact Service delivery; (iii) provide periodic updates on progress; and (iv) confirm in-scope Service delivery and Service completion.
Service Scope. The Service is available in the following scopes:
Small – Includes one (1) off-the-shelf web application (e.g., Outlook Web Access, WordPress, Drupal, Joomla); or one (1) simple custom web application with a limited number of inputs and dynamic pages.
Medium – Includes one (1) moderately complex off-the-shelf application (e.g., SharePoint); or one (1) custom authenticated application with a substantial amount of inputs and dynamic pages, plus one of the following: multi-tenant user management, more than 20 REST API/AJAX methods, extensive customizable reporting, or a complex ecosystem exposed to the end user (multiple databases, user-facing cloud storage, etc.).
Large – Includes one (1) complex off-the-shelf application (e.g., SAP, BI); or one (1) custom authenticated application with a substantial amount of inputs and dynamic pages, including multiple of the following: multi-tenant user management, more than 20 REST API/AJAX methods, extensive customizable reporting, or a complex ecosystem exposed to the end user (multiple databases, user-facing cloud storage, etc.).
Testing Methodology. Sophos will apply recognized industry standards, including the Open Web Application Security Project (“OWASP”) Testing Guide, the Open-Source Security Testing Methodology Manual (“OSSTMM”), vendor-specific security documents, and the experience and expertise of the Security Services Team to perform the Tests.
User Accounts Testing. The purpose of Testing activities is to validate that each user’s access to the application is restricted to the permissions intended for their role. To support this validation, Customer/MSP must provide multiple test accounts, including at least two distinct authenticated user roles. Testing activities will include:
Unauthenticated (anonymous) user
- Access restricted resources requiring authentication
- Gain access to authenticated privileges or user account
- View other user/account data
Authorized user
- Elevate privileges to access internal or sensitive content
- View other user/account data
- Add/modify/delete other account data
- Confirm existing access is appropriate based upon role
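The User Accounts Testing activities above amount to an access matrix: every (role, method, resource) combination has an expected outcome, and any deviation is a finding. The harness below is an added example, not Sophos’s tooling and not code from this Service Description. It runs the matrix against a constructed in-memory mock application with two deliberately planted flaws (the tokens, user ids and paths are made up); on a real engagement the `send` callable would issue HTTP requests carrying each test account’s session and return the response status.

```python
"""Access-matrix harness for the User Accounts Testing step.

Added example, not Sophos code. The target is a constructed in-memory mock
application with two deliberately planted authorization flaws so the harness
has something to report; against a real Asset, `send` would issue HTTP requests
carrying each role's session cookie and return the response status code.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# --- constructed mock application (tokens, ids and paths are made up) --------
SESSIONS = {"tok-alice": ("user", 1), "tok-bob": ("user", 2), "tok-root": ("admin", 99)}
USERS = {1: "alice@example.test", 2: "bob@example.test", 99: "root@example.test"}


def mock_app(method: str, path: str, token: Optional[str]) -> int:
    """Return an HTTP-style status code for a request made with `token`.
    Planted flaws: GET /api/users/<id> never checks record ownership (horizontal
    IDOR) and /admin/report only checks that *some* session exists (vertical
    privilege escalation). DELETE and /admin/settings are enforced correctly."""
    role, uid = SESSIONS.get(token, ("anon", None))
    if path.startswith("/api/users/"):
        target = int(path.rsplit("/", 1)[1])
        if role == "anon":
            return 401
        if target not in USERS:
            return 404
        if method == "GET":
            return 200                                   # FLAW: no uid == target check
        if method == "DELETE":
            return 204 if role == "admin" or uid == target else 403
    if path == "/admin/report":
        return 200 if role != "anon" else 401            # FLAW: should require admin
    if path == "/admin/settings":
        return 200 if role == "admin" else (401 if role == "anon" else 403)
    return 404


# --- harness -----------------------------------------------------------------
@dataclass(frozen=True)
class Case:
    role: str
    token: Optional[str]
    method: str
    path: str
    expect_allowed: bool


def build_matrix() -> list:
    """Expected access per role, from the role definitions agreed at scoping
    (assumed here): users may read or delete only their own record, admins may
    do anything, anonymous callers may reach nothing behind authentication."""
    roles = [("anon", None, None), ("user", "tok-alice", 1), ("admin", "tok-root", 99)]
    cases = []
    for role, token, own_id in roles:
        for target in (1, 2):
            owns = role == "admin" or own_id == target
            cases.append(Case(role, token, "GET", f"/api/users/{target}", owns))
            cases.append(Case(role, token, "DELETE", f"/api/users/{target}", owns))
        for path in ("/admin/report", "/admin/settings"):
            cases.append(Case(role, token, "GET", path, role == "admin"))
    return cases


def run_matrix(send: Callable[[str, str, Optional[str]], int], cases) -> list:
    """Send every case and report each mismatch between observed and expected.
    Unexpected success on /admin/* is a vertical finding, on a record another
    user owns a horizontal one; unexpected denial is a functional defect that
    blocks testing of that role and is reported separately."""
    findings = []
    for c in cases:
        status = send(c.method, c.path, c.token)
        allowed = 200 <= status < 300
        if allowed == c.expect_allowed:
            continue
        if allowed:
            kind = "vertical" if c.path.startswith("/admin") else "horizontal"
        else:
            kind = "functional"
        findings.append({"role": c.role, "method": c.method, "path": c.path,
                         "status": status, "type": kind})
    return findings


if __name__ == "__main__":
    for f in run_matrix(mock_app, build_matrix()):
        print(f"{f['type']:<10} {f['role']:<5} {f['method']:<6} {f['path']} -> {f['status']}")
```

Against the mock the harness reports exactly the two planted flaws: the user role reading another user’s record (horizontal) and reaching the admin report (vertical). It also reports unexpected denials as functional defects, since a role that cannot reach what it should leaves that part of the Asset untested; this is why the readiness requirements above insist that applications remain available, stable and unmodified for the duration of Testing.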
Web Application Security Testing. The purpose of Testing activities is to identify and validate vulnerabilities that could allow unauthorized access, privilege escalation, or data compromise within the application. Testing is performed through a combination of automated tools and manual techniques to assess whether only intended and secure behaviors are permitted.
Automated Testing. Sophos will use automated scanning tools to perform reconnaissance and application mapping to enumerate and assess the application to identify configuration issues, known vulnerabilities, and general application errors. Following completion of the automated scans, Security Services Team will manually review and validate the results to eliminate false positives and detect notable patterns. As part of this Testing process, Sophos will assess for vulnerabilities such as:
- Known injection flaws
- Backup files stored on production systems
- Known platform and codebase vulnerabilities
- Error handling issues
- Known configuration issues
Manual Testing. Sophos will perform manual testing of the application for additional vulnerability checks, and to perform exploits against the confirmed vulnerabilities. Testing activities include reviewing access controls, manipulating variables (e.g., cookie tampering), testing business logic, and chaining multiple low-severity vulnerabilities together to create high-severity exploits.
Where requested, Customer/MSP must provide relevant code snippets from the application to enable Sophos to perform white-box validation of potential vulnerabilities. White-box validation allows Sophos to confirm findings more efficiently and reliably than black-box methods. Testing will include checks across the following categories of vulnerabilities:
OWASP Top 10
- Injection
- Broken Authentication
- Sensitive Data Exposure
- Extensible Markup Language (“XML”) External Entities (“XXE”)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (“XSS”)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
Previous OWASP Vulnerabilities
- Malicious File Execution
- Information Leakage and Improper Error Handling
- Unvalidated Input
- Buffer Overflow
- Failure to Restrict URL Access
- Insecure Cryptographic Storage
- Insufficient Transport Layer Protection
- Session Management
- Insecure Direct Object References
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (“CSRF”)
- Unvalidated Redirects and Forwards
After performing the RV, Sophos will provide a written summary confirming whether the Customer/MSP successfully remediated the identified issues.
III. SERVICE DELIVERY HOURS
Testing is conducted remotely Monday through Friday, 8:00 a.m. to 6:00 p.m. (U.S. Eastern Time). Any on-site work is conducted Monday through Friday, 8:00 a.m. to 6:00 p.m. (Customer’s/MSP’s local time) or during comparable daytime hours. If Customer/MSP requests work outside of these standard hours, Customer/MSP is responsible for all associated additional service charges.
Notwithstanding the above, to simulate real-world threat actors, Testing may occur at any time during the Service delivery period at Sophos’ discretion.
IV. ONSITE SERVICE ENGAGEMENT
If Customer/MSP requests onsite Service delivery and Sophos accepts, Sophos will provide a written estimate of anticipated costs and travel time for Customer/MSP to review and to approve. Unless Customer/MSP requests actual billing of travel costs, Sophos will invoice in advance based on the approved estimate.
If actual billing is requested, Sophos will invoice following Service completion in accordance with the categories below. Customer/MSP shall be responsible for the following categories of costs under actual billing:
- Actual Expenses: These include all reasonable and necessary out-of-pocket costs incurred in connection with the onsite engagement, such as round-trip airfare (economy for flights under 4 hours, economy plus for 4 to 8 hours, and business class for over 8 hours); round-trip train travel (economy class for trips under 6 hours and business class for over 6 hours); fuel costs (if driving), hotel accommodations; meals and incidental expenses; ground transportation (e.g., taxi, ride-share, or rental car), visa or entry documentation; and any applicable taxes or fees.
- Standby Time: Any time spent by Sophos personnel onsite or on standby due to Customer/MSP’s failure to provide timely access, information, or readiness to begin the engagement will be billable at the standard hourly rate applicable to the Service, up to eight (8) hours per day per person assigned to onsite Service engagement.
No travel will commence, and no travel-related costs shall be incurred, unless and until the Customer/MSP has approved the estimate in writing.
Customer/MSP Obligations for Onsite Engagement: Customer/MSP must take the following actions to facilitate and enable delivery of the Service onsite:
- Arrange all required site access, entry authorizations, and security clearances in advance of the engagement, including after-hours access if necessary.
- Provide timely access to all systems, environments, infrastructure, and personnel identified in the agreed scope.
- Respond promptly to Sophos requests for information, documentation, and decisions necessary to support the engagement.
- Obtain all approvals and permissions for tools, software, or access mechanisms used by Sophos during the engagement.
- Provide suitable workspace, including power, network connectivity, and required physical or virtual system access.
- Ensure attendance of designated stakeholders at all scheduled updates, technical briefings, and post-engagement reviews.
- Comply with all applicable health, safety, and security protocols to ensure a safe working environment.
V. CUSTOMER/MSP RESPONSIBILITIES
Customer/MSP acknowledges and agrees that, in addition to the actions identified in Section II above, Customer/MSP must promptly take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to do so. Sophos reserves the right to suspend Service delivery until such time as Customer/MSP performs the required actions. Failure to complete the required actions after written notice from Sophos (including email notice from the Security Services Team to the Customer/MSP designated contacts) shall constitute a material breach by Customer/MSP of the Agreement.
- Customer/MSP Personnel. Customer/MSP must identify an appropriate number of suitably skilled personnel who will work with Sophos during the provisioning of the Service. Customer/MSP’s identified personnel must have the necessary technical and business knowledge and authority to make decisions concerning the Service.
- System Access. Customer/MSP will timely provide to Sophos all required access to Assets and necessary administrative credentials/privileges to enable Sophos to perform the Service. Additionally, Customer’s/MSP’s scheduled interruptions and maintenance windows must provide sufficient time for Sophos to perform the Service.
- Timely Response. Customer/MSP must promptly acknowledge receipt of Sophos communications in writing (via email or other agreed method) and must timely respond to Sophos’s requests and timely perform required tasks.
- Authority and Indemnification. Customer/MSP is responsible for obtaining all necessary permissions and consents to enable the Security Services Team to access all relevant Assets or systems, including third-party permissions as required. Customer/MSP represents and warrants that it has the necessary right, title, license, and authority for Customer/MSP to provide and/or facilitate Sophos’s access to Asset(s), including any information, data, networks, and systems, in connection with the Service delivery. Customer/MSP agrees to indemnify, defend, and hold Sophos harmless from and against any and all claims, losses, liabilities and damages, including reasonable attorney’s fees, arising from (i) any and all third party claims brought against Sophos that arise out of the scanning, testing and/or evaluation of incorrect or unauthorized Assets that are provided by Customer/MSP, or (ii) any breach of a Customer/MSP representation or warranty.
- Actions Outside the Scope of Service. All activities that are not expressly provided in this Service Description are outside the scope of the Service. Customer/MSP is solely responsible and liable for (i) taking any actions that are outside of the scope of the Service (e.g., Sophos's suggestions regarding patching and vulnerability remediation; all litigation and e-Discovery support, including responding to discovery requests or subpoenas; collaboration with law enforcement, etc.); and (ii) any actions that Sophos performs under Customer’s/MSP’s specific direction that are not otherwise provided in this Service Description.
- Actions Taken by Partners. Customer may allow Partners to take certain actions within the scope of the Service on Customer's behalf, in which case Customer is responsible for all actions or omissions of such Partner. Sophos will not be liable for Partners' actions or omissions.
- MSP Additional Responsibilities. MSP is solely responsible for: (i) obtaining any consents or information required from its Beneficiaries in order for Sophos to perform the Service, (ii) ensuring that Beneficiaries take all actions required of Customers in this Service Description; (iii) ensuring that its Beneficiaries understand the risks associated with performance of this Service, and (iv) that any Beneficiary for which MSP performs this Service has agreed to accept all such risks. MSP will indemnify and hold Sophos harmless for any claim brought against Sophos by a Beneficiary if such claim results, in whole or in part, from MSP’s failure to fully perform its obligations under this Service Description or the Agreement with respect to the Service.
VI. ADDITIONAL TERMS
- Service Exclusion. Customer/MSP agrees and acknowledges that Sophos will not be liable or be considered in breach of this Service Description or the Agreement (including any applicable SLA): (i) due to any delay or failure to perform its obligations hereunder as a result of industry- or infrastructure-wide ransomware, cyberwarfare or other cyberattacks that cause the Security Services Team to be unable to provide resources to address any aspect of a Service in a timely manner; (ii) due to unforeseen circumstances or to causes beyond Sophos’s reasonable control, including but not limited to war, strike, riot, crime, acts of God, or shortage of resources; (iii) due to legal prohibition, including but not limited to, passing of a statute, decree, regulation, or order; (iv) during any period of Service suspension by Sophos in accordance with the terms of the Agreement; (v) if Customer/MSP is in breach of the Agreement (including without limitation if Customer/MSP has any overdue invoices); or (vi) during any scheduled or emergency maintenance windows.
- Service Capabilities. Customer/MSP agrees and acknowledges that while Sophos has implemented commercially reasonable technologies and processes as part of the Service, Sophos makes no guarantee that the Service, or the recommendations and plans made by Sophos as a result of the Service, will result in the identification, detection, containment, eradication of, or recovery from all threats, vulnerabilities, malware, or other malicious activity. Customer/MSP shall not represent to anyone that Sophos has provided such a guarantee or warranty.
- Service Impact. Customer/MSP acknowledges that Service provision may result in service interruptions or degradation of Customer/MSP systems and accepts those risks and consequences. Customer/MSP further acknowledges that it is solely responsible for restoring its network and computer systems to a secure configuration after Sophos completes testing.
- Record Retention. Sophos will retain a copy of the Final Report in accordance with its record retention policy. If Customer/MSP requires retention beyond this period, Customer/MSP must provide an advance request in writing specifying the period and will bear all costs for additional storage.
- Legal Proceedings. If Customer/MSP knows or reasonably believes that Sophos or its personnel performing the Services may be subject to any court order, administrative process, or governmental proceeding (e.g., subpoena, search warrant, discovery request) requiring a response or testimony, Customer/MSP shall (i) promptly notify Sophos unless legally prohibited, (ii) use commercially reasonable efforts to minimize the associated burden, and (iii) reimburse Sophos for all reasonable costs and expenses incurred, including employee time, attorneys’ fees, and travel. This obligation shall not apply to legal actions between Customer/MSP and Sophos relating to the Service.
Revision Date: 1 October 2025