Preparations

How do you prepare for a scan?

To perform an effective scan and to limit problems during the scan, extensive preparation is necessary. After sending you the scan announcement, we start mapping out the website and testing the log in automatically using the scanner (if there is a customer account on your website). Preparations can cause a small increase in traffic on your website. The actual scan will be performed in the announced week (or agreed upon date).

Which preparations should I be taking?

To make sure the scan will run without issues, the following needs to have been arranged:

To prevent our scanner from getting blocked during the scan, our IP addresses need to be whitelisted: 144.24.249.196 and 132.226.222.205 and 154.16.73.227. Our scanner will use a random IP-address from this range for the scan. Our user agent can be recognised by the word “ForusP”.
If you have pages behind a login that is protected by a reCaptcha, you will need to disable this reCaptcha during the scan (max. 25 hours) or you can whitelist the IP-addresses for our scanner. Any other reCaptchas do not need to be disabled. It is extremely important for us to be able to scan behind the login, especially when personal data is stored.
Lots of emails and/or orders from our email account veiligheidsscan@forus-p.nl means your website will allow this without restriction. And if we can cause this, anyone else can as well! A reCaptcha on all forms and/or a redirect/blacklisting on your mail server can help prevent this.
Please check the backup procedure of your site before we execute the scan.

Can I ask for a specific scan date and/or start time?

Yes you can. We can start scans 24/7.

Can I ask for a time limit?

No you cannot. Our scanner needs up to 25 hours to complete a scan. By using a time limit there is a high probability the scan will not be performed in full and will miss possible vulnerabilities. Basically we cannot guarantee the quality of the scan when a time limit is in place.

Can the scan be performed on a test environment?

Because test environments often cause issues and slight differences, we prefer to scan on live websites.

For Thuiswinkel members we will only scan live environments. If this is not possible, please contact Thuiswinkel.

Can you scan without the login?

We will perform the security scan on the entire website. The login is important as vulnerabilities are often found behind the login and can be abused by hackers.

Can you exclude a subdomain?

We will perform the security scan on the entire website. It is important to include subdomains, especially if there is a direct link from the main website. Vulnerabilities can be found just as easily on subdomains.

I have multiple identical sites on the same server; do they all need to be scanned?

Sites are often truly identical when using a language module. If there are multiple copies of a site (even just for language), small differences can occur, for example by using different plugins. A difference can also occur because an update was not performed on all sites. Any vulnerabilities will always need to be fixed on all sites.

Why do I have to disable the Captcha on the login page?

Our scanner needs to be able to log in automatically. This will allow us to scan everything behind the login. It is important, especially since this is usually where personal data is stored. Any Captchas on forms can remain in place, just not the Captcha used for the login. You can either disable this specific reCaptcha for the duration of the scan (max. 25 hours) or you can whitelist the IP addresses of our scanner for that specific Captcha (144.24.249.196 and 132.226.222.205 and 154.16.73.227).

Why is our firewall (an important part of our security) being bypassed?

A firewall will most likely categorise our scanner as a bot and will block us. A hacker can often find and abuse vulnerabilities manually. A firewall can help prevent some attacks (automatic and manual) but certainly not all. There are plenty of vulnerabilities that can be exploited within the intervention of a firewall.

Whitelisting our IP-range can be done temporarily for the duration of the scan. You can always contact us to agree on a specific date/start time by sending an email to support@forus-p.com.

We check the security of our website on a regular basis: is your scan necessary?

You can submit your own security report (for example a pentest report) which must include the scan date, who performed the scan and a short summary that shows no high risk issues were found. We would like to point out that we have been known to find high risk issues even though a pentest did not identify them.