Do You Scan with Network Security Controls Enabled or Disabled?
As application security professionals, we want to get as much as possible out of our security assessments. We’re not only expected to, but we take pride in our work and want to deliver the best results and the most value possible. As I’ve written in a previous article about how to plan your web security assessments, ensuring you have your ducks in a row before you start your testing is crucial. Planning is key. But there’s one literal roadblock to web application testing that’s often overlooked – or comes as an afterthought: firewalls and intrusion prevention systems. What do you do about those pesky network security controls that keep blocking your scans?
The answer seems obvious: just set up trusting rules so that you have unfettered access to the application. Simple enough, right? Well, not really. The minute you do that, you’re changing the real-world view of the application. Why not just test it as the bad guys see it and be done with it? That’s a great point, and it falls along the lines of the age-old black box/white box/gray box testing debate. I’m just not convinced that’s the best approach for managing overall risks. Oh, and for larger organizations with complex