[OWASP-Security101] Scanning Production Services?

us1903 sharu89 at gmail.com
Fri Apr 13 12:12:13 UTC 2012

Hi Patrick,

When you say scanners are destructive to a site, do you mean the
performance issue when the scans are running? As for the destruction it can
cause in the database, you can scan the application in the production
environment by making a blacklist. This blacklist will contain all the
URLs/requests that can modify content in the database. Exclude all such
requests from the scanner for the production environment. Although, making
the blacklist is time-consuming and you will have to hand-pick the

Yes, of course, the blacklisted URLs/requests will have to
be assessed manually or by other approaches that are safe.

Sharath Unni

On Fri, Apr 13, 2012 at 5:30 PM, <security101-request at lists.owasp.org> wrote:

> Date: Thu, 12 Apr 2012 12:56:05 -0400
> From: Patrick Laverty <patrick_laverty at brown.edu>
> To: security101 at lists.owasp.org
> Subject: [OWASP-Security101] Scanning Production Services?
>
> What do you do with regard to scanning your production web
> applications? It seems that at least some scanners can be pretty
> destructive to a site and database if they do find vulnerabilities.
> So do you only scan your pre-production environment and then make sure
> there are no more code changes from the time of the pre-prod scan and
> when the code goes live on a production server?
> Thanks.
> Patrick


Disclaimer: "This email may feature some ideas that might be a little evil
or at least require some flexible ethics. Some things will be downright
horrible, and you should not do them, but are either for your information
or simply for the point of interest. Your judgment and actions are your
own, so think before you do anything you read and only use your dark side
for good."
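
The exclusion-list approach described in the message above, shown as an added example that is not part of the original thread: it splits a request inventory into what a production scan may touch and what is held back for manual assessment. The inventory, the `shop.example` host, the keyword hints and the regex form of the exclusion patterns are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: any method outside this set is treated as state-changing.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumption: hand-picked hints for GET requests that still write to the database.
WRITE_HINTS = re.compile(
    r"(^|[/_.-])(add|create|delete|edit|purge|remove|reset|save|update)($|[/_.-])",
    re.IGNORECASE,
)

def is_state_changing(method, url):
    """True when a request could modify stored data and must stay out of the scan."""
    if method.upper() not in SAFE_METHODS:
        return True
    parts = urlsplit(url)
    if WRITE_HINTS.search(parts.path):
        return True
    return any(WRITE_HINTS.search(k) or WRITE_HINTS.search(v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True))

def build_scope(inventory):
    """Return (scan_urls, manual_review, exclude_patterns) for (method, url) pairs."""
    blocked = {urlsplit(u).path for m, u in inventory if is_state_changing(m, u)}
    scan_urls, manual_review = [], []
    for method, url in inventory:
        # Exclusion is per path: a GET on a path that also accepts POST stays out.
        target = manual_review if urlsplit(url).path in blocked else scan_urls
        if (method.upper(), url) not in target:
            target.append((method.upper(), url))
    patterns = sorted("^https?://[^/]+" + re.escape(p) + r"(\?.*)?$" for p in blocked)
    return scan_urls, manual_review, patterns

# Constructed sample inventory, e.g. exported from a proxy history or crawl.
INVENTORY = [
    ("GET", "https://shop.example/products?page=2"),
    ("GET", "https://shop.example/products/address-book"),
    ("POST", "https://shop.example/profile"),
    ("GET", "https://shop.example/profile"),
    ("GET", "https://shop.example/cart/remove?item=7"),
    ("GET", "https://shop.example/admin?action=delete&id=3"),
    ("get", "https://shop.example/products?page=2"),  # duplicate, different case
]

if __name__ == "__main__":
    scan, manual, patterns = build_scope(INVENTORY)
    print("scan:", scan)
    print("manual review:", manual)
    print("exclude:", patterns)
```

The keyword hints only seed the list; every entry in the manual-review output still needs the hand review the message calls for, and endpoints that write without an obvious name have to be added by someone who knows the application.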
