Once you add your web applications, you can scan them for security risks (vulnerabilities, malware, sensitive content) and get recommended fixes.
Potential impact of scan
Web application scans submit forms with test data, and those submissions run with the privileges of the credentials used in the authentication record. This can have undesired effects and can potentially change application data.
To avoid undesired changes in the target application, it is recommended to use one of the following options:
- Use credentials with read-only access to the application.
- Add configurations for exclude lists, POST data exclude lists, and/or select the GET only method within the option profile.
Keep in mind that when these configurations are used instead of read-only credentials, certain areas of the web application are not tested, and any vulnerabilities that exist in those areas may not be detected.
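To make the trade-off in the caveat above concrete, here is an added example (not product code, and not the product's own configuration format) that takes a constructed list of requests such as a discovery scan might report, applies a hypothetical exclude list (regular expressions matched against the URI), a POST data exclude list (parameter names that will not be tested) and the GET only switch, and then reports which discovered URIs will receive no testing at all. The semantics of the three options are assumptions made for the example, as are the sample URIs.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One request found during discovery; post_params lists the form fields."""
    method: str
    uri: str
    post_params: tuple = ()


# Constructed sample of what a discovery scan could report (hypothetical host).
DISCOVERED = [
    Request("GET", "https://app.example.test/"),
    Request("GET", "https://app.example.test/account/profile"),
    Request("POST", "https://app.example.test/account/profile", ("email", "phone")),
    Request("POST", "https://app.example.test/account/delete", ("confirm",)),
    Request("POST", "https://app.example.test/search", ("q",)),
    Request("GET", "https://app.example.test/logout"),
]


def plan_scan(requests, exclude_patterns, post_data_exclude, get_only):
    """Apply the three safety options (assumed semantics) to the discovered requests.

    Returns (kept, skipped): kept holds the requests that will be tested, with any
    excluded POST parameters removed; skipped pairs each dropped request with the
    rule that dropped it.
    """
    compiled = [re.compile(p) for p in exclude_patterns]
    kept, skipped = [], []
    for r in requests:
        rule = None
        if any(p.search(r.uri) for p in compiled):
            rule = "exclude list"            # URI is never requested at all
        elif get_only and r.method != "GET":
            rule = "GET only"                # form submission suppressed
        if rule:
            skipped.append((r, rule))
            continue
        # POST data exclude list keeps the request but leaves listed fields untouched.
        tested = tuple(p for p in r.post_params if p not in post_data_exclude)
        kept.append(Request(r.method, r.uri, tested))
    return kept, skipped


def untested_uris(requests, kept):
    """URIs seen in discovery that no planned request touches; these are blind spots."""
    covered = {r.uri for r in kept}
    return sorted({r.uri for r in requests} - covered)


if __name__ == "__main__":
    kept, skipped = plan_scan(
        DISCOVERED,
        exclude_patterns=[r"/logout$", r"/account/delete$"],
        post_data_exclude={"email"},
        get_only=False,
    )
    for r in kept:
        print("test ", r.method, r.uri, r.post_params)
    for r, rule in skipped:
        print("skip ", r.method, r.uri, "->", rule)
    print("untested:", untested_uris(DISCOVERED, kept))
```

Running the planner once with exclude lists only and once with GET only switched on shows the cost of each option: the exclude list removes the logout and delete endpoints that would change session or account state, while GET only additionally drops the search form, so any injection in the `q` parameter would go untested.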
It is recommended to perform a discovery scan first. A discovery scan finds information about your web application without performing vulnerability testing. This helps to validate the scope settings and verify authentication. It also identifies whether there are URIs that should be added to the Exclude list before running vulnerability scans. For details on how to launch a discovery scan, see Launch Discovery Scan.
A vulnerability scan performs vulnerability checks and sensitive content checks to tell you about the security posture of your web application. For details on how to launch a vulnerability scan, see Launch Vulnerability Scan.
You can schedule web application scans to run automatically, on a regular basis. Scheduling scans helps you keep the security information in your account up to date.
For details on scheduling scans, see Schedule a scan.