It's expected from a Live web application that users will alter data. So what TenTenths wrote about making backups partially addresses that, in that you have a data set that is (or should be) consistent up to the point that you start your pentest. Note prevention means keeping damage from happening, as in: inline IDS, reverse proxy, application firewall, well-vetted code.
I agree you should not run pentests on Live production targets but on your staging area.
Then again some people only learn things the hard way...