Solved

Is it needed userid and password for testing vulnerabilities in a website?

Posted on 2014-01-23
3
332 Views
Last Modified: 2014-01-29
We are a company that has many web application developed in ASP.NET. Our Internet Service Provider (Telefonica) wants to test our web sites looking for vulnerabilities. For that, they are asking us to provide them userid and password (read-only access) for each web site.

It's the first time that I heard that for testing vulnerabilities in websites you need to inform userid and password to an IPS. Is it not supposed that for testing vulnerabilities you should try to break or hack websites without knowing that precious info?

Or maybe that is difference between Vulnerability Testing and Penetration Testing?
0
Comment
Question by:miyahira
  • 2
3 Comments
 
LVL 12

Accepted Solution

by:
jmcmunn earned 500 total points
ID: 39804360
I don't know what kind of contracts you have signed with them, but I would be very hesitant to hand over any user name and passwords to any organization.  If they want to scan their own servers and sites hosted on their servers for vulnerabilities without getting access from your database, I suppose that probably comes with their ownership of the servers.  But to give them an account in your database seems sketchy.

Also, the best thing they can do to prevent vulnerabilities is to keep IIS/ASP.net/Windows and all of the other SERVER software up to date, in my opinion.  There will not likely EVER be an attack on SomeMomAndPopStore.com, but there are hundreds of attacks meant for IIS or Windows or whatever flavor of web server they happen to use.
0
 
LVL 1

Author Comment

by:miyahira
ID: 39807825
Finally, I know what kind of vulnerabilities testing are they going to perform. They are going to use Qualys Guard Scan and perform "authenticated scans". First time I've heard about that. According to Qualys company, they are very helpful to find security vulnerabilities:

https://community.qualys.com/thread/11562

Any experience with that kind of scans?
0
 
LVL 12

Assisted Solution

by:jmcmunn
jmcmunn earned 500 total points
ID: 39808091
I've definitely heard of this type of security testing before, although not referred to exactly this way.  Still the bottom line is I would not give them anything more than they can get as a "public" user or else let them try to hack their way into the system and get their own user name.

Ultimately, a lot of these types of vulnerabilities have nothing to do with the site(s) and more to do with the server back end and the software running the site.  They can test those without accessing your site.  But hey, they are the system admins, so if they insist I guess you don;t have much choice.  I'm hesitant to give out anything more than what I have to, even to people I trust implicitly.  Their user is just one more user that might get exploited.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question