Security testing domains


#1

I have about 30+ clients that use DreamHost for their sites, all of which have to maintain some form of compliance (HIPAA/PCI, etc.). As a security tester, our clients’ websites fall into the scope of what must be tested. Who do I contact at DreamHost to get permission to perform non-destructive security tests for my clients? I am hoping someone from DreamHost answers this, as my clients that are hosted with you would end up having to move away from your services if you disallow testing. (Clients would fail security tests based on NOT having any testing done, and not disclosing their security posture.)


#2

DreamHost is not a HIPAA compliant hosting provider. (Indeed, it’s unclear that it’s even possible for any shared hosting provider to be compliant, let alone to provide hands-on support to customers hosting health data.) As such, it should not be necessary to perform any scans for this purpose.

PCI scans are acceptable. Note that we recommend that customers contact us in advance of any scans being run, as it’s possible that some aggressive scans may trigger automatic IP blocks against the scan provider.


#3

Thank you, Andrew. Is there a definitive contact address they should use? Is there a static person (non-robot account) we (my company and your clients) would be able to contact to sort this out so that any addresses could be whitelisted, where we would be able to work with DreamHost to state: “This is who we are, this is your client, this is what we will be testing, this is when we will be testing it, and where we will be coming from”?


#4

Please have your clients contact us directly through the “Contact Support” section of the DreamHost Panel. We can’t generally act on requests from outside emails, particularly where security is involved.