What practice will not help an incident responder while restoring resources after a web application security incident?

In the context of incident response, particularly after a web application security incident, it's essential to understand the importance of service restoration in ensuring the overall security and functionality of the application. The practice of not restarting any services that were terminated as part of the containment process is crucial.

When services are halted during the containment phase, it's generally to isolate the incident and prevent further damage, such as data loss or unauthorized access. However, as part of the recovery and restoration process, some of these services may need to be restarted carefully and in a controlled manner. If services are not restarted when necessary, this can lead to prolonged downtime, impact user experience, and potentially leave the application in a vulnerable state if any underlying issues remain unresolved during containment.

Therefore, avoiding the restarting of necessary services can hinder recovery and can result in failure to restore normal operations of the application, leading to greater issues down the line.