Web Application FAQs

How do I choose a web steward and technical administrator?

Your web steward should be the person who is responsible for your website or application from a business perspective. This is the “owned by” entry for the application in CMDB.

Your technical administrator is the ASU employee or third party with the skill and availability to maintain your website, including timely and effective response to security issues. This is the “managed by” entry for the application in CMDB.

Who are my departmental contacts?

List of ASU's business units

What is my website's criticality rating?

The criticality rating for a website or application is determined by the data it has access to (data rating) and how important the site is to ASU's business purposes (availability rating).

Data Ratings (sensitive, internal, etc.) are delineated on page 2 of the Data Handling Standard.

Availability Ratings

  • Tier 1 - critical websites that are vital to all of ASU. These are defined by the CISO, CIO, and other executive leadership. These are websites that ASU cannot do business without. Examples:
    • Learning management systems
    • Payroll systems
    • Administration systems
    • asu.edu
  • Tier 2 - enterprise-wide systems relied upon by most students and/or employees such as MyASU and other online learning systems used in for-credit classes.
  • Tier 3 - all other websites, including department-specific applications.

What instance of my website needs to be scanned?

The IT Risk Management Chapter or the scanning team scans the production instance. The testing (QA) website may sometimes be scanned in place of production websites.

Please note: In order to scan a QA instance in place of production, QA will need to be an exact replica of the production environment.

What if my website requires authentication? Can it still be scanned?

Yes. Single Sign-On (SSO) websites will be required to use our designated test account. Standalone websites will need to have a test user created, and its credentials will need to be provided to us. DO NOT give this account admin, root, or any other elevated access, or your data may be lost or corrupted.

Should I back up my website beforehand?

Yes, it is always a good idea to have timely backups in case you need to restore. Scans can be destructive.

What types of risks are involved with scanning my website?

A scan might impact services on your website and possibly cause a large number of test email messages to be sent. We recommend you temporarily disable the email features when requesting a scan.

What is the difference between a vulnerability scan and a penetration test?

A vulnerability scan is an assessment that uses an automated tool to perform non-intrusive black-box testing for common web vulnerabilities, such as those in the OWASP Top Ten (e.g., cross-site scripting, injection, session management, configuration issues). The end result is a formal report listing vulnerabilities and remediation recommendations.

A penetration test is a manual test performed by a professional with adversarial intent: the tester attempts to gain unauthorized access to portions of the network and web applications from several perspectives (a trusted user, or an adversary operating from the inside, remotely, or externally) in order to find vulnerabilities that an attacker could exploit.

What is the purpose of Web Application Scanning?

Web Application Scanning enables organizations to assess, track and remediate web application vulnerabilities. Web application vulnerabilities usually stem from misconfigurations or programming errors in a web application programming language (e.g., Java, .NET, PHP, Python, Perl, and Ruby), a code library, a design pattern, or an architecture.

If you have a question regarding scanning or the vulnerability remediation processes overall, please ask the IT Risk Management chapter through ServiceNow.

Have a question we didn't answer? Submit it here.

Requesting a Scan