When preparing an automated scan for web applications, here are some key considerations:
- Always prefer a testing environment over a productive one, so if anything goes wrong real data won't be lost or corrupted.
- Ensure there is a recovery mechanism. The application's owners should take preemptive measures so data and code can be recovered in the case of an undesirable outcome.
- Define the scope of scanning. Although we can just launch a scanner against a whole site, it is recommended first to define the tool's configuration so sensitive or unstable parts of the application are left out of the scan, and only the modules specific to the server's architecture and application's development platform are scanned.
- Know your tools. ...