Production Scan Approach and Risks


We have a WebInspect stand-alone version that we use to scan our lower environments before a site/code is deployed to production. Now, we would like to scan production sites as carefully as we can.

Besides having a read-only user for authentication, I was wondering if there is any specific approach you follow before scanning anything in production, such as using a specific built-in scanning policy or creating your own? The thing we are concerned about the most is WI injecting data and making changes to the underlying code.

Thanks in advance. 




  • We created a custom policy for scanning our production sites. We started with the Passive Scan policy and added some other checks that we felt were safe to use. Some of the checks added were for TLS issues. We did not add anything related to XSS or SQL Injection, and we are not submitting any forms.

    This does not provide us with a full assessment, but does give us some insight into the risk level of these sites.
  • Thank you for sharing this piece of info with us. Looking forward to other responses and thoughts.
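One way to confirm that a production policy built the way the first reply describes (passive checks only, no form submissions, no XSS or SQL Injection payloads) actually behaved that way is to audit the scan's request traffic afterwards and flag anything state-changing or anything carrying an active-check payload. The script below is an added example and is not part of this thread or WebInspect's own tooling. It assumes a constructed log format of one HTTP request line per line (`METHOD URL HTTP/1.1`), a small constructed sample log, and a handful of illustrative payload signatures; adapt the parser to whatever traffic export your scanner produces.

```python
"""Audit a scan's request log for intrusive requests.

Added example, not WebInspect's own tooling. Assumes a constructed log
format of one HTTP request line per line ("METHOD URL HTTP/1.1"); adapt
the parser to whatever export your scanner produces.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Methods that should not change server state. Anything else (POST, PUT,
# DELETE, PATCH, ...) is a form submission or a write and is flagged.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Illustrative signatures for active-check payloads (assumed, not a complete
# list). A passive-only policy should never send these; seeing one means an
# active check slipped into the policy.
PAYLOAD_SIGNATURES = [
    ("sqli", re.compile(r"(?:'|%27)\s*(?:or|and)\b|union\s+select|;\s*--", re.I)),
    ("xss", re.compile(r"<script|javascript:|on(?:error|load)\s*=", re.I)),
    ("traversal", re.compile(r"(?:\.\./|%2e%2e%2f)", re.I)),
    ("cmdi", re.compile(r"[;|`]\s*(?:cat|id|whoami|sleep)\b", re.I)),
]


@dataclass
class Finding:
    line_no: int
    reason: str
    request: str


def audit_request(request_line: str) -> list[str]:
    """Return the reasons a single request line is considered intrusive (empty if clean)."""
    parts = request_line.split()
    if len(parts) < 2:
        return ["unparseable request line"]
    method, target = parts[0].upper(), parts[1]
    reasons = []
    if method not in SAFE_METHODS:
        reasons.append(f"state-changing method {method}")
    # Check the path and each URL-decoded query value for payload signatures.
    split = urlsplit(target)
    candidates = [split.path] + [v for _, v in parse_qsl(split.query, keep_blank_values=True)]
    for value in candidates:
        for name, pattern in PAYLOAD_SIGNATURES:
            if pattern.search(value):
                reasons.append(f"{name} payload in {value!r}")
                break  # one reason per value is enough
    return reasons


def audit_log(log_text: str) -> list[Finding]:
    """Audit every non-empty line of the log; returns one Finding per reason."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        for reason in audit_request(line):
            findings.append(Finding(n, reason, line))
    return findings


# Constructed sample traffic: two clean passive-crawl requests, then a form
# submission and two active-check payloads that a production policy must not send.
SAMPLE_LOG = """\
GET /account/summary?id=42 HTTP/1.1
HEAD /static/app.js HTTP/1.1
POST /account/update HTTP/1.1
GET /search?q=%27%20OR%201%3D1-- HTTP/1.1
GET /profile?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1
"""

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: {f.request}")
```

Run it against the scanner's exported traffic instead of `SAMPLE_LOG`: an empty result is the evidence you want before trusting the policy on further production sites, while any finding points at the exact check (or form) that needs to come out of the policy. The signature list is deliberately short; it is there to catch a misconfigured policy, not to serve as a WAF.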