cdjac0bsen (Nimbostratus)
Oct 09, 2017
Allow vuln scanner or pen tester access dynamically? One time code, OTP, comparison?
We would like to allow vulnerability scanners or pen testers to send requests without being blocked on an ad hoc basis without our intervention. Currently we have to add a temporary IP address exception which requires a policy change to add and then remove it. Not ideal.
Has anyone else done this?
Our testing team suggested adding a header to their requests, something like X-SCAN-TESTING-{OneTimeTokenCode}:{TestersMonthlyTokenCode} (not sure why you'd need both). This is an interesting idea, but how would you generate the code in an iRule to compare it to? Or, rather than generate the code in the iRule, could you make an external call to a location where the OTP was generated and stored?
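One way to make that comparison concrete, as an added example that is not part of the original post or of any F5 product: the check below models a time-based one-time code (RFC 6238 TOTP, HMAC-SHA1, 30-second steps, 6 digits) carried in a request header, validated either by the iRule itself or by the external validation service the post suggests calling. It assumes a header of the form `X-SCAN-TESTING: {otp}:{monthlytoken}`, where the monthly token identifies which tester's shared secret to look up and the OTP proves the tester holds that secret right now (this is one reading of why both values are useful). The tester registry, secret, header format and drift tolerance are all assumptions; the secret is the RFC 4226/6238 test-vector key so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30      # seconds per TOTP step
DIGITS = 6          # code length
DRIFT_STEPS = 1     # accept one step of clock skew either side

# Constructed registry: monthly token -> tester's shared secret.
# The key is the RFC 4226 / RFC 6238 test-vector secret, used only so
# the generated codes match the published test vectors.
TESTER_KEYS = {
    "tester-monthly-token-2017-10": b"12345678901234567890",
}

# Codes already accepted, so a captured header cannot be replayed
# inside the drift window. In production this would be shared state
# (e.g. a table with a TTL), not a module-level set.
_consumed = set()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


def verify_scan_header(header_value: str, now: float = None) -> bool:
    """Return True only if the header names a registered tester and carries
    a current, unused one-time code. Callers treat True as 'skip the WAF
    block for this request'; anything malformed falls through to the
    normal policy."""
    if now is None:
        now = time.time()
    try:
        otp, monthly = header_value.split(":", 1)
    except ValueError:
        return False
    secret = TESTER_KEYS.get(monthly)
    if secret is None or not (otp.isdigit() and len(otp) == DIGITS):
        return False
    if (monthly, otp) in _consumed:
        return False  # one-time means one time, even within the drift window

    counter = int(now) // TIME_STEP
    matched = False
    # Evaluate every candidate step and compare in constant time, without
    # short-circuiting, so timing does not reveal which step matched.
    for d in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        matched |= hmac.compare_digest(hotp(secret, counter + d), otp)
    if matched:
        _consumed.add((monthly, otp))
    return matched


if __name__ == "__main__":
    secret = TESTER_KEYS["tester-monthly-token-2017-10"]
    code = totp(secret, time.time())
    print("current code:", code)
    print("accepted:", verify_scan_header(f"{code}:tester-monthly-token-2017-10"))
    print("replayed:", verify_scan_header(f"{code}:tester-monthly-token-2017-10"))
```

Two points the post's design raises that the code makes explicit: the comparison must be constant-time (a plain string compare leaks the code byte by byte), and "one time" needs a replay cache, otherwise any code remains valid for the whole drift window to anyone who captured the header. If the comparison runs inside the iRule rather than in an external service, the same HMAC, truncation and windowing steps apply; the registry and replay set then become whatever shared state the platform offers.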