The University web application security assessment program uses commercial software to automatically scan web applications. The goal of the program is to identify vulnerabilities for correction before they can be exploited. The purpose of this procedure is to ensure that security controls are in place and are effective.
How does the assessment tool work?
The web application vulnerability scanning tool scans web applications for potential vulnerabilities. It differs from general vulnerability assessment tools in that it does not perform a broad range of checks across many kinds of software and hardware. Instead, it performs application-specific security and compliance checks, such as tests for field manipulation and cookie poisoning, which allows a more focused assessment of web applications and exposes vulnerabilities that other vulnerability scanning tools miss. It can be used in test, development and production instances to find all linked pages and to check sites for vulnerabilities such as SQL injection, cross-site scripting and buffer overflows.
- Product description, with demo (external site)
The tool produces a detailed security report, including best practices for each of the key programming languages, examples of each type of vulnerability identified, and instructions for remediating or mitigating it. It assigns a severity level to each vulnerability detected: high, medium, low or informational. The severity levels help to prioritize scan results.
Under what circumstances may a scan be conducted?
1. Scans conducted by distributed UA IT professionals
Authorized developers, content managers, database administrators and system administrators may scan web applications within their management or administration.
To register for an account, a UA employee must:
- Read the tutorial: HTML or PDF (external IBM site; requires registration), or PDF (requires UA NetID)
- Be confirmed as a UA employee
- Have a legitimate business need
To request an account, qualified persons must contact the Information Security Office (InfoSec) by means of the email address at the bottom of this page with the following information:
- Requestor's name
- Unit name
- Requestor's role (for example, developer, content manager, database administrator or system administrator)
- Requestor's IP address or IP address range
- Proposed date to begin the scan
InfoSec will contact the requestor with additional information and instructions. Access to the tool will be available for 14 days after notification.
2. Scheduled scans conducted by InfoSec/UITS
InfoSec and University Information Technology Services (UITS) may coordinate and conduct scheduled, non-credentialed scans to reduce the vulnerability of University applications to security and compliance risks. The scheduled scan process involves five possible steps:
- Schedule/Notification: Web applications that handle or manage confidential university data may be scheduled for regular scans. Webmasters or other responsible persons are contacted to schedule or confirm the time periods in which to run the scan, as well as which applications to scan.
- Scan: At the scheduled date and time, the scan tool performs each vulnerability test and produces a vulnerability report.
- Report Distribution: All technical scan reports are sent to the webmaster or other responsible person with a memo explaining what to do. A copy of the scan report is filed in the InfoSec office.
- Re-scan (as necessary): Re-scans are scheduled as soon as notification is received that previously identified vulnerabilities have been resolved. A copy of the re-scan report is filed in the InfoSec office.
Units will be expected to remediate or mitigate confirmed high-level vulnerabilities within a reasonable timeframe established in conjunction with InfoSec.
3. Unscheduled scans conducted by InfoSec/UITS
InfoSec and UITS may conduct unscheduled scans to reduce the vulnerability of University applications to security and compliance risks or to investigate a security incident. InfoSec and UITS will use their best efforts to give notice of such scans and to coordinate them with the affected units. Units will be expected to remediate or mitigate confirmed high-level vulnerabilities within a reasonable timeframe established in conjunction with InfoSec.
All italicized terms used in this standard are defined in the Information Security Terms Guideline.
Authorities:
- Information Security Policy (IS-100)
- Information Security Terms Guideline (IS-G100)
- Exceptions Procedure (IS-P100)
- Data Classification Standard (IS-S302)
- Application Security Standard (IS-S801)
Initial Draft: 11/13/08
UA-ISAC Review: 4/2/09
Effective Date: 7/1/09