Service overview

Service for:
  • Faculty & librarians
  • Staff

The web application scanning service helps identify security vulnerabilities in internally managed web applications using the Tenable platform.

Vulnerability scanning is required for all organizational systems by the university’s Information Security Control Standard (control RA-2), which states that scanning must occur “periodically and when new vulnerabilities affecting those systems and applications are identified”.

Types of scans

The service offers two main variations of scans. Applications can be scanned in an authenticated mode (where user credentials are supplied, giving a deeper view into the application’s security posture) or unauthenticated mode (a more surface-level scan that identifies externally visible issues). Scans may also be requested as quick scans, which provide a high-level check in a short time, or as comprehensive scans, which take longer and provide a deeper analysis of vulnerabilities.

Who is this service for?

This service is available to faculty and staff who manage web applications. Examples include WordPress websites, Pepper applications and commercial applications such as REDCap. It is not intended for student use or for third-party hosted services.

Who can request this service?

Only service owners (or designated staff) with authority to approve scans and apply mitigations may request scans. Approval from the service owner is required.

When to request a scan

  • Before go-live of a new web application
  • After significant changes to an existing application

Note: Production scans are strongly discouraged unless there is no alternative, as they may cause disruption.

What the service provides

  • A report of vulnerability scan results for your web application
  • By request, an additional summary of scan findings and recommendations (subject to staff availability)

What the service does not provide

  • Remediation. The Risk Management team can provide limited advisory support if specifically requested, but requestors are responsible for reviewing and acting on scan results.
  • Continuous scanning. (Scans operate on request only.)
  • Penetration testing. (This is not a penetration testing service.)

Cost

There is no cost to the requestor for standard web application scanning requests. However, licensing limitations may impact scan availability.

Last modified: November 14, 2025