Service accounts vs individual test accounts

Hi everyone,

New to appsec. Curious to know how people have set up their test accounts for scan configs.

  1. One service/test account to allow insightappsec to login and run scans across multiple apps.


  1. Individual test accounts for each of their apps.

With my security hat on, Option 2 is what I go for to mitigate the scenario of a compromised account having access to multiple apps.

Not AppSec specific, but I keep my accounts one-to-one whenever possible.
If I were pen testing, I wouldn’t go for Domain Admin, too many alerts looking for that. I would find a service account used for testing, because these tend to be over provisioned and my activity would blend in not triggering alerts. This is why I am pushing my company to go to Agent based scanning in InsightVM as well, to limit access.

thanks for sharing.

With insightVM, we use agent based scanning for nearly all of our estate and run network scans once a week. This is a good balance for us to get the most coverage possible. Agent reports every 6 hours and network scans cover the external findings once a week.