Comments on Jeremiah Grossman: Production-Safe Website Scanning Questionnaire
Feed author: Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186)
Feed last updated: 2024-02-08T03:44:23-08:00

James Dorrian, 2009-09-24T11:38:54-07:00
The only issue we've had with scanning in production is the large amount of exception notification emails (via Microsoft.EnterprizeLibrary) that we were previously unaccustomed to seeing.

Unknown (https://www.blogger.com/profile/01783865663884155509), 2009-09-21T16:36:51-07:00
That's what I mean, Nitin.

Production web sites are used for many business purposes such as SEO, page visit analysis, etc., on a monthly/yearly basis.

If a vulnerability scanner messes up, then all those stats become unqualified.

Nitin Reddy Katkam (https://www.blogger.com/profile/09612217398194148324), 2009-09-21T10:00:59-07:00
From the perspective of a software developer who writes code and maintains deployments to a production environment, I would say we shouldn't be testing on production servers. Getting testing data off the production servers isn't something the maintenance staff would want to do, and the business users wouldn't be very happy if you told them that the statistics reported by your application are inflated figures.

Most development teams have either a dedicated QC environment, or a development environment that can be used for the test.

Unknown (https://www.blogger.com/profile/01783865663884155509), 2009-09-05T15:30:19-07:00
For large sites whose source code is updated regularly, they can sync source updates to a testing lab for automatic scanners/pentesters.
No need to fear disruption.

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2009-09-05T15:21:44-07:00
They can and do from time to time, to test in a destructive fashion without fear of business disruption.

Unknown (https://www.blogger.com/profile/01783865663884155509), 2009-09-05T15:18:25-07:00
If something is missing, why should we adhere to it? Clients by no means should deploy test environments for us where we can get full simulations like attackers.

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2009-09-05T15:17:33-07:00
@Jackson brings up a good point: the bad guys probably don't care a whole lot if they damage a website. And it is also true that any restriction you put on the "good guy" makes the measurement of the vulnerability assessment less accurate. For most organizations, though, that difference is acceptable when trying to find exploitable conditions in a "safe" fashion. Anyone can cause a DoS.

Sven Türpe (http://erichsieht.wordpress.com/category/english/), 2009-09-05T12:30:46-07:00
Does it matter whether they do? The point of vulnerability assessment, security testing, or however you like to call it is not to simulate attacks. The point is to execute testing procedures that tell you where and how a system is vulnerable to attacks. Of course any limitation that you impose on the set of tests allowed bears the risk of missing something. But this risk is inherent in <i>any</i> type of testing, be it only due to time limits.

Unknown (https://www.blogger.com/profile/01783865663884155509), 2009-09-04T18:15:44-07:00
Do actual attackers take such precautions?

Sven Türpe (http://erichsieht.wordpress.com/category/english/), 2009-09-01T03:56:48-07:00
Shameless self-promotion: we look at production-safety from a testing point of view in our paper: Testing Production Systems Safely: Common Precautions in Penetration Testing (http://testlab.sit.fraunhofer.de//downloads/Publications/tuerpe_eichler_Testing_production_systems_safely_-_Common_precautions_in_penetration_testing_TAIC_PART_2009.pdf). Scanning is just one testing technique, or really a set of techniques. The issue of production-safety however arises whenever one touches production systems for testing. We therefore tried to generalize our discussion of risks and mitigation options.
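The precautions the thread circles around (safe, idempotent requests only; state-changing paths kept out of scope; a hard request-rate ceiling; and tagging scanner traffic so page-view statistics and exception mailers can recognise and exclude it, which is the concern behind James Dorrian's comment and the comment about SEO and page-visit stats) can be made concrete in a small scan guard. The block below is an added example written for this page; it is not code from the post, from the Fraunhofer paper or from any scanner product. The policy values, the `ProdSafeScanner` User-Agent tag and the log lines are all constructed for the example.

```python
# Added example (not from the post): guard rails for scanning a production
# site. Policy values, the User-Agent tag and the log lines are made up.
import re
import time
from dataclasses import dataclass

SCANNER_TAG = "ProdSafeScanner/1.0 run=EXAMPLE-RUN-42"  # assumed tag string


@dataclass(frozen=True)
class ScanPolicy:
    # Only idempotent methods; no POST/PUT/DELETE fuzzing against production.
    safe_methods: frozenset = frozenset({"GET", "HEAD", "OPTIONS"})
    # Paths that change state when merely requested; never crawl or fuzz them.
    blocked_paths: tuple = (r"/logout", r"/delete", r"/purge", r"^/admin/")
    max_rps: float = 5.0
    max_param_len: int = 512  # oversized payloads are what trip WAFs and error mailers
    user_agent: str = SCANNER_TAG  # every request carries this so it can be filtered


def check_request(policy, method, path, params=None):
    """Return (allowed, reason) for a candidate scan request."""
    params = params or {}
    if method.upper() not in policy.safe_methods:
        return False, f"method {method} is not in the safe set"
    for pat in policy.blocked_paths:
        if re.search(pat, path):
            return False, f"path matches blocked pattern {pat!r}"
    for name, value in params.items():
        if len(value) > policy.max_param_len:
            return False, f"parameter {name} longer than {policy.max_param_len}"
    return True, "ok"


class RateLimiter:
    """Token bucket so the scanner never exceeds max_rps; clock is injectable."""

    def __init__(self, rps, burst=None, clock=time.monotonic):
        self.rps = rps
        self.capacity = burst if burst is not None else max(1, int(rps))
        self.tokens = float(self.capacity)
        self.clock = clock
        self.last = clock()

    def try_acquire(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rps)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def acquire(self):
        while not self.try_acquire():
            time.sleep(1.0 / self.rps)


# Combined (Apache/nginx) log format; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"$'
)


def parse_log_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, _size, ua = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": target.split("?")[0],
            "status": int(status), "ua": ua}


def is_scanner_traffic(rec, tag=SCANNER_TAG):
    return tag in rec["ua"]


def page_views(lines, tag=SCANNER_TAG):
    """Page views per path with tagged scanner hits excluded, plus the count
    excluded, so the monthly statistics stay meaningful during a scan."""
    counts, excluded = {}, 0
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        if is_scanner_traffic(rec, tag):
            excluded += 1
            continue
        counts[rec["path"]] = counts.get(rec["path"], 0) + 1
    return counts, excluded


def should_page_oncall(rec, tag=SCANNER_TAG):
    """5xx caused by the scanner goes to the scan report, not the error mailer."""
    return rec["status"] >= 500 and not is_scanner_traffic(rec, tag)


SAMPLE_LOG = [  # constructed sample traffic, not real log data
    '203.0.113.5 - - [05/Sep/2009:15:17:33 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.5 - - [05/Sep/2009:15:17:40 -0700] "GET /search?q=widgets HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1)"',
    '198.51.100.9 - - [05/Sep/2009:15:18:01 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"',
    '192.0.2.77 - - [05/Sep/2009:15:18:02 -0700] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 500 312 "-" "ProdSafeScanner/1.0 run=EXAMPLE-RUN-42"',
    '192.0.2.77 - - [05/Sep/2009:15:18:02 -0700] "GET /?id=%3Cscript%3E HTTP/1.1" 200 5120 "-" "ProdSafeScanner/1.0 run=EXAMPLE-RUN-42"',
    '198.51.100.9 - - [05/Sep/2009:15:18:30 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print(check_request(ScanPolicy(), "GET", "/search", {"q": "' OR 1=1--"}))
    print(check_request(ScanPolicy(), "POST", "/account/delete"))
    print(page_views(SAMPLE_LOG))
```

The tag is deliberately a fixed string that both the analytics job and the error-notification filter match on, and it includes a run identifier so a particular scan window can be excluded after the fact; the rate limiter takes an injectable clock so the ceiling can be unit-tested without sleeping.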