Production-safe scanning methodology

Am I introducing a new methodology or a new terminology? No, I am just highlighting how safe scanning can be done in the production environment. Production safe scanning aka passive scanning is just another type of scanning where the sole purpose is to passively analyze the environment without disturbing it. In passive scanning both manual and tool scanning is done with safe policy (safe configurations & payloads).

Most of the security tests are generally done actively so as to gather more and more vulnerabilities by exploiting the staged/test environment. But if the environment is production (live!) the active scanning may disrupt the normal functioning of the system. In such cases passive scanning represents another interesting alternative, which aims to detect faults by passively observing the implementation input/output actions without interrupting its normal behavior. Passive scanning has been studied with interest in recent years and this article focuses on how safe scan can be performed in production environment in different phases of testing.

  • Planning
    • In planning phase analysts have to understand the requirements of the customers and accordingly define the scope of the scanning. This has to be done accurately because the environment at stake is production and we can’t afford to cause any disruption to its operation.
    • For passive scanning one has to set rules of the engagement, the deadlines to be adhered to and escalation matrix to reach appropriate stakeholders if anything goes wrong.
  • Information Gathering
    • The most important is the information gathering phase when we should identify all sensitive areas/pages of the application and remove them from the scope of scanning. For example, put the pages in the exclusion list of the scanning environment so that the automated tools do not perform scan on the sensitive areas.
    • We need to gather information about their business timings and accordingly schedule the tests.
    • If there are third party cloud services then it becomes very essential to get approvals before proceeding with the test.
  • Discover Vulnerabilities
    • In the automated scan phase we need to take care that the tool does not cause a Denial of Service (DOS) in the production environment by its continuous payloads and requests. We should perform the scan with less system load, i.e., as a single-threaded user.
    • Tool configurations are done for a safe scanning, for example, we have to restrict the web forms from submitting data automatically through the tool, instead custom configure them with valid data to assist the scans.
    • In manual analysis all web forms should be manually checked and the parameters verified and are ensured safe for submission before conducting the automated scan. This ensures that no garbage data is entered into the application in the production environment.
    • We always need to use safe payloads in manual approach and avoid the vulnerabilities which has a possibility to create Denial of Service(DOS) like Cross-site scripting, SQL Injection, Privilege Escalation, PUT/DELETE methods, etc.
    • For applications to be scanned in production environment, we have to ensure that a pilot scan is successfully executed on a QA/ testing environment (replica of production environment) beforehand. This needs to be done to ensure that all the scan settings are production safe and there are least possible chances of hampering the production environment in any manner.
  • Reporting
    • The testers should document all interaction with the production environment and the most important is to log the start and end times of test runs as approved.
    • A comprehensive report with thorough analysis and remediation plan must be made ready for the customers

Security tests in production has become a trend nowadays. Drive for this trend is evolving from organizations who are facing trouble in creating staged/test environments as a replica of production. IT systems are becoming more and more complex and the restrictions of budget to keep these environments live are difficult to maintain and afford.

Considering the possible limitations we conclude that scanning in production is very much possible and can be taken up with best practices and safe measures. The more we research here the more extensive is our takeaway. However whether we do a passive scanning or active scanning the beneath holds true in all situations

The most proficient asset and expertise a tester can offer, is their THINKING

Authored by Sweta Sabat

Rate this article: 
Average: 3.7 (3 votes)
Article category: 

There are 2 Comments

Nice piece of information Sweta . This clarity is highly essential for client seeking service in production environment.

Thanks Sweta. This sounds like a very interesting and usable methodology. However, you propose to exclude all the sensitive areas/ pages of the application. In that case, won't the value of the testing get massively reduced?