Solved

Is it needed userid and password for testing vulnerabilities in a website?

Posted on 2014-01-23
3
337 Views
Last Modified: 2014-01-29
We are a company that has many web application developed in ASP.NET. Our Internet Service Provider (Telefonica) wants to test our web sites looking for vulnerabilities. For that, they are asking us to provide them userid and password (read-only access) for each web site.

It's the first time that I heard that for testing vulnerabilities in websites you need to inform userid and password to an IPS. Is it not supposed that for testing vulnerabilities you should try to break or hack websites without knowing that precious info?

Or maybe that is difference between Vulnerability Testing and Penetration Testing?
0
Comment
Question by:miyahira
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 12

Accepted Solution

by:
jmcmunn earned 500 total points
ID: 39804360
I don't know what kind of contracts you have signed with them, but I would be very hesitant to hand over any user name and passwords to any organization.  If they want to scan their own servers and sites hosted on their servers for vulnerabilities without getting access from your database, I suppose that probably comes with their ownership of the servers.  But to give them an account in your database seems sketchy.

Also, the best thing they can do to prevent vulnerabilities is to keep IIS/ASP.net/Windows and all of the other SERVER software up to date, in my opinion.  There will not likely EVER be an attack on SomeMomAndPopStore.com, but there are hundreds of attacks meant for IIS or Windows or whatever flavor of web server they happen to use.
0
 
LVL 1

Author Comment

by:miyahira
ID: 39807825
Finally, I know what kind of vulnerabilities testing are they going to perform. They are going to use Qualys Guard Scan and perform "authenticated scans". First time I've heard about that. According to Qualys company, they are very helpful to find security vulnerabilities:

https://community.qualys.com/thread/11562

Any experience with that kind of scans?
0
 
LVL 12

Assisted Solution

by:jmcmunn
jmcmunn earned 500 total points
ID: 39808091
I've definitely heard of this type of security testing before, although not referred to exactly this way.  Still the bottom line is I would not give them anything more than they can get as a "public" user or else let them try to hack their way into the system and get their own user name.

Ultimately, a lot of these types of vulnerabilities have nothing to do with the site(s) and more to do with the server back end and the software running the site.  They can test those without accessing your site.  But hey, they are the system admins, so if they insist I guess you don;t have much choice.  I'm hesitant to give out anything more than what I have to, even to people I trust implicitly.  Their user is just one more user that might get exploited.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Evaluating Enterprise Antivirus solutions 2 77
How long to crack a 8 chars alphanumeric password 18 133
exchange 2010 Dag failed 3 67
GPO denied - but why ? 6 57
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question