Web App Scanning
Step 1. Read the FAQs
Step 2. Allow these IP addresses through your firewall
Step 3. If your site does NOT use ASU's Single Sign-On, give normal end-user access to ASURITE "jdsmit31"
Step 4. Back up your site. (Scans can be destructive.)
We are currently offering web application scanning services by request through a ServiceNow ticket.
In addition, we have set up a developer environment for self-scanning between official scans. To request access, please submit a ServiceNow request.
Requesting a Scan
What info do I need to provide to request a scan?
- Business unit
- Application name
- Application URL
- Brief description of application's purpose
- Web steward
- Technical admin
- Availability rating (Tier 1, Tier 2, Tier 3)
- Data rating (HIPAA/FERPA/etc.)
- Criticality rating (high/medium/low)
- 3rd-party hosted?
- Site behind a firewall?
How do I choose a web steward and tech admin?
Your web steward should be the person who is responsible for your website or app from a business perspective.
Your technical admin is the ASU employee or third party with the skill and availability to maintain your website, including timely and effective response to security issues.
Which business unit is my site in?
What is my site's criticality rating?
The criticality rating for a site or app is determined by the data it has access to (data rating) and how important the site is to ASU's business purposes (availability rating).
| Data Rating | Availability Rating | Criticality | Scanning Schedule |
|---|---|---|---|
| Highly Sensitive Data or Sensitive Data which is the authoritative source | Tier 1 – Mission Critical | | Twice per year |
| | Tier 2 – Enterprise | | Once per year |
| Internal (Non-sensitive)/Public Data | Tier 3 – All other | | By random selection |
Data Ratings (sensitive, internal, etc.) are delineated on page 2 of ISO's Data Handling Standard.
- Tier 1 - Core websites that are important to all of ASU. These are defined by the CISO, CIO, and other executive leadership. They are sites that ASU can't do business without. Examples:
- Learning management systems
- Payroll systems
- Administration systems
- Tier 2 - Enterprise-wide systems that are used by most students or employees, such as MyASU and other online learning systems used in for-credit classes.
- Tier 3 - All other sites fall under Tier 3, including department-specific websites.
Do my development and QA sites also need to be scanned?
Not necessarily. Development sites will never be scanned by ISO or the scanning team. QA sites may sometimes be scanned in place of production sites.
If you have dev, QA, and prod instances, AND QA is an exact mirror of prod, you can register your QA site for scanning instead of prod.
If you only have dev and prod instances, register your prod site for scanning.
My app requires that users login with ASURITE credentials. Can the scanner do that?
Yes. If your site/app requires a login, you must give access to our "dummy" ASURITE account, jdsmit31. Only give jdsmit31 normal end-user access. DO NOT give this account admin, root, or any other advanced access, or your data may be lost or corrupted. You are responsible for backing up your site before scanning in the event that data loss or corruption occurs.
Should I back up my site beforehand?
Yes, it is always a good idea to have timely backups in case you need to restore. Scans can be destructive.
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan is an assessment using an automated tool to perform nonintrusive black-box testing for common web vulnerabilities, such as the OWASP Top Ten (e.g. cross-site scripting, injection, session management, configuration issues, etc.). The end result is a formal report listing vulnerabilities and remediation recommendations.
A penetration test is a manual test done by a professional and is designed with adversarial intent: to gain unauthorized access to portions of the network and web applications from several perspectives (that of a trusted user, or that of an adversary working from the inside, remotely, or externally) in order to find vulnerabilities that an attacker could exploit.
What is the purpose of Web Application Security Scanning?
Web Application Security Scanning enables organizations to assess, track and remediate web application vulnerabilities. Web application security vulnerabilities usually stem from misconfigurations or programming errors with a web application programming language (e.g., Java, .NET, PHP, Python, Perl, and Ruby), a code library, design pattern, or architecture.
If you have a question regarding scanning or vulnerability management processes overall, please ask the ASU Vulnerability Management Team through ServiceNow.