• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 350
  • Last Modified:

Is it needed userid and password for testing vulnerabilities in a website?

We are a company that has many web application developed in ASP.NET. Our Internet Service Provider (Telefonica) wants to test our web sites looking for vulnerabilities. For that, they are asking us to provide them userid and password (read-only access) for each web site.

It's the first time that I heard that for testing vulnerabilities in websites you need to inform userid and password to an IPS. Is it not supposed that for testing vulnerabilities you should try to break or hack websites without knowing that precious info?

Or maybe that is difference between Vulnerability Testing and Penetration Testing?
  • 2
2 Solutions
I don't know what kind of contracts you have signed with them, but I would be very hesitant to hand over any user name and passwords to any organization.  If they want to scan their own servers and sites hosted on their servers for vulnerabilities without getting access from your database, I suppose that probably comes with their ownership of the servers.  But to give them an account in your database seems sketchy.

Also, the best thing they can do to prevent vulnerabilities is to keep IIS/ASP.net/Windows and all of the other SERVER software up to date, in my opinion.  There will not likely EVER be an attack on SomeMomAndPopStore.com, but there are hundreds of attacks meant for IIS or Windows or whatever flavor of web server they happen to use.
miyahiraAuthor Commented:
Finally, I know what kind of vulnerabilities testing are they going to perform. They are going to use Qualys Guard Scan and perform "authenticated scans". First time I've heard about that. According to Qualys company, they are very helpful to find security vulnerabilities:


Any experience with that kind of scans?
I've definitely heard of this type of security testing before, although not referred to exactly this way.  Still the bottom line is I would not give them anything more than they can get as a "public" user or else let them try to hack their way into the system and get their own user name.

Ultimately, a lot of these types of vulnerabilities have nothing to do with the site(s) and more to do with the server back end and the software running the site.  They can test those without accessing your site.  But hey, they are the system admins, so if they insist I guess you don;t have much choice.  I'm hesitant to give out anything more than what I have to, even to people I trust implicitly.  Their user is just one more user that might get exploited.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now