We are a company with many ASP.NET applications that we developed ourselves and that are running. An external security company is offering to test them for vulnerabilities using Qualys Guard. For that, among other things, they are asking us to provide them with a userid and password (read-only access) for each ASP.NET application that they are going to test.
Is that necessary? Why would they need to have the userid and password of an ASP.NET application? What kind of authentication tests would they be going to do? I suppose that, in any case, if they want to test levels of access, they would need several kinds of accounts (like admin user, standard user, etc.) and not just one. We think that it is quite awkward to be asked for a userid and password for testing vulnerabilities.