Solved

Is it needed userid and password for testing vulnerabilities in a website?

Posted on 2014-01-23
3
325 Views
Last Modified: 2014-01-29
We are a company that has many web application developed in ASP.NET. Our Internet Service Provider (Telefonica) wants to test our web sites looking for vulnerabilities. For that, they are asking us to provide them userid and password (read-only access) for each web site.

It's the first time that I heard that for testing vulnerabilities in websites you need to inform userid and password to an IPS. Is it not supposed that for testing vulnerabilities you should try to break or hack websites without knowing that precious info?

Or maybe that is difference between Vulnerability Testing and Penetration Testing?
0
Comment
Question by:miyahira
  • 2
3 Comments
 
LVL 12

Accepted Solution

by:
jmcmunn earned 500 total points
ID: 39804360
I don't know what kind of contracts you have signed with them, but I would be very hesitant to hand over any user name and passwords to any organization.  If they want to scan their own servers and sites hosted on their servers for vulnerabilities without getting access from your database, I suppose that probably comes with their ownership of the servers.  But to give them an account in your database seems sketchy.

Also, the best thing they can do to prevent vulnerabilities is to keep IIS/ASP.net/Windows and all of the other SERVER software up to date, in my opinion.  There will not likely EVER be an attack on SomeMomAndPopStore.com, but there are hundreds of attacks meant for IIS or Windows or whatever flavor of web server they happen to use.
0
 
LVL 1

Author Comment

by:miyahira
ID: 39807825
Finally, I know what kind of vulnerabilities testing are they going to perform. They are going to use Qualys Guard Scan and perform "authenticated scans". First time I've heard about that. According to Qualys company, they are very helpful to find security vulnerabilities:

https://community.qualys.com/thread/11562

Any experience with that kind of scans?
0
 
LVL 12

Assisted Solution

by:jmcmunn
jmcmunn earned 500 total points
ID: 39808091
I've definitely heard of this type of security testing before, although not referred to exactly this way.  Still the bottom line is I would not give them anything more than they can get as a "public" user or else let them try to hack their way into the system and get their own user name.

Ultimately, a lot of these types of vulnerabilities have nothing to do with the site(s) and more to do with the server back end and the software running the site.  They can test those without accessing your site.  But hey, they are the system admins, so if they insist I guess you don;t have much choice.  I'm hesitant to give out anything more than what I have to, even to people I trust implicitly.  Their user is just one more user that might get exploited.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video discusses moving either the default database or any database to a new volume.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now