Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Is it needed userid and password for testing vulnerabilities in a website?

Posted on 2014-01-23
3
Medium Priority
?
345 Views
Last Modified: 2014-01-29
We are a company that has many web application developed in ASP.NET. Our Internet Service Provider (Telefonica) wants to test our web sites looking for vulnerabilities. For that, they are asking us to provide them userid and password (read-only access) for each web site.

It's the first time that I heard that for testing vulnerabilities in websites you need to inform userid and password to an IPS. Is it not supposed that for testing vulnerabilities you should try to break or hack websites without knowing that precious info?

Or maybe that is difference between Vulnerability Testing and Penetration Testing?
0
Comment
Question by:miyahira
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 12

Accepted Solution

by:
jmcmunn earned 2000 total points
ID: 39804360
I don't know what kind of contracts you have signed with them, but I would be very hesitant to hand over any user name and passwords to any organization.  If they want to scan their own servers and sites hosted on their servers for vulnerabilities without getting access from your database, I suppose that probably comes with their ownership of the servers.  But to give them an account in your database seems sketchy.

Also, the best thing they can do to prevent vulnerabilities is to keep IIS/ASP.net/Windows and all of the other SERVER software up to date, in my opinion.  There will not likely EVER be an attack on SomeMomAndPopStore.com, but there are hundreds of attacks meant for IIS or Windows or whatever flavor of web server they happen to use.
0
 
LVL 1

Author Comment

by:miyahira
ID: 39807825
Finally, I know what kind of vulnerabilities testing are they going to perform. They are going to use Qualys Guard Scan and perform "authenticated scans". First time I've heard about that. According to Qualys company, they are very helpful to find security vulnerabilities:

https://community.qualys.com/thread/11562

Any experience with that kind of scans?
0
 
LVL 12

Assisted Solution

by:jmcmunn
jmcmunn earned 2000 total points
ID: 39808091
I've definitely heard of this type of security testing before, although not referred to exactly this way.  Still the bottom line is I would not give them anything more than they can get as a "public" user or else let them try to hack their way into the system and get their own user name.

Ultimately, a lot of these types of vulnerabilities have nothing to do with the site(s) and more to do with the server back end and the software running the site.  They can test those without accessing your site.  But hey, they are the system admins, so if they insist I guess you don;t have much choice.  I'm hesitant to give out anything more than what I have to, even to people I trust implicitly.  Their user is just one more user that might get exploited.
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
What we learned in Webroot's webinar on multi-vector protection.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question