Standard Operating Procedure

1. How does the scanning tool work?

The web application vulnerability scanning tool scans web applications for potential vulnerabilities. This tool differs from general vulnerability assessment tools in that it does not perform a broad range of checks on a myriad of software and hardware. Instead, it performs other security and compliance checks, such as potential field manipulation and cookie poisoning, which allows a more focused assessment of web applications by exposing vulnerabilities of which other vulnerability scanning tools are unaware.   It can be used in test, development and production instances to find all linked pages and to check sites for such vulnerabilities as SQL injection, cross-site scripting and buffer overflows.

The scanning tool produces a detailed security report, including best practices in each of the key programming languages, examples of the type of vulnerability identified and instructions for remediating or mitigating it.

The tool assigns a vulnerability category and a severity level for each vulnerability detected.  Vulnerability categories are:

1. High Severity Problems
2. Medium Severity Problems
3. Low Severity Problems

The vulnerability classification helps to prioritize scan results.

1. Scans conducted by Information Security – Registered Servers

Information Security may coordinate and conduct non-credentialed scans to reduce the vulnerability of University applications to security and compliance risks.  The scan process involves four possible steps:

1. Schedule/Notification – Registered servers hosting web applications handling or managing confidential university data may be scheduled for regular monthly scans. Web masters or system administrators are responsible for requesting a scan upon modification of web code.  Web masters or system administrators must contact Information Security to schedule or confirm time periods to run the scan, as well as which applications to scan.
2. Scan- The scan tool performs vulnerability tests and produces a vulnerability report.
3. Report Distribution - All technical scan reports are sent to the system administrator or web master which may include additional details that will mitigate the identified vulnerability. A copy of the scan report is filed in the Information Security office.
4. Re-scan (as necessary) - Re-scans are scheduled when a notification is received that previously identified vulnerabilities have been resolved.  A copy of the scan report is filed in the Information Security Office.

A department or division will be expected to remediate or mitigate confirmed high level vulnerabilities, for currently registered servers, within a reasonable timeframe established in conjunction with Information Security. See section 5 for exception handling.

Scans Conducted by Information Security – New Server Registration

Information Security may coordinate and conduct non-credentialed scans to reduce the vulnerability of University applications to security and compliance risks.  The scan process involves four possible steps:

1. Schedule/Notification – Newly registered servers hosting web applications are scanned before they are granted access to publicly host web content. Newly registered servers hosting web applications handling or managing confidential university data may be scheduled for regular monthly scans.
2. Scan- The scan tool performs vulnerability tests and produces a vulnerability report.
3. Report Distribution - All technical scan reports are sent to the system administrator or web master which may include additional details that will mitigate the identified vulnerability. A copy of the scan report is filed in the Information Security office.
4. Re-scan (as necessary) - Re-scans are scheduled when a notification is received that previously identified vulnerabilities have been resolved.  A copy of the scan report is filed in the Information Security Office.

All vulnerabilities identified in newly registered servers must be addressed before a server is granted access to publicly host web content. Upon completion of this requirement, registered servers will be subject to the steps in section 2. See section 5 for exception handling.

Unscheduled scans conducted by Information Security

Information Security may conduct unscheduled scans against any web enabled device to reduce the vulnerability of University computers to attacks, denial of service and other security risks from both inside and outside the University, or to investigate a security incident. A department or division will be expected to remediate or mitigate confirmed high level vulnerabilities within a reasonable timeframe established in conjunction with Information Security.

1. Exception Handling

The web master or system administrator will document any high-risk or important vulnerabilities remaining un-remediated beyond a reasonable timeframe previously established with Information Security. If it is determined that corrective action cannot or should not be taken, an exception must be approved by the CISO in accordance with the Exceptions Procedure.