UISO uses an application by Watchfire called AppScan.
The Web Scanner attempts to discover vulnerabilities in your Web site in the same way the Network Scanner looks for vulnerabilities on your host. The application starts by indexing your entire site looking for Web pages. It then determines which tests it needs to run based on the type of Web site/pages present.
A scan can take anywhere from 10 minutes to 10 hours, depending on the size of the site and how many advanced features the site employs. Generally speaking, the more complicated the site, the longer it will take.
Web scans currently only originate from one server, iu-uiso-appscan.ads.iu.edu (10.234.125.152). Please be sure your website is accessible from that address.
Please note, if your host is regularly scanned by the network scanner then you should already have exempted this IP address.
You do have your host regularly scanned by the network scanner, right? :)
A better question might be “Why wouldn't you want it scanned?” What would be the damage if someone broke into your Web site? Is there sensitive data present? Would you be liable under the law? What would happen if your Web site were defaced? What if it were used to distribute illegal content?
System administrators face these sorts of concerns every day. A vulnerability scan doesn't completely eliminate the risks, but it is better that you are aware of any system flaws first, before an attacker is. Additionally, any action you take to increase security on your systems helps secure the entire IU network.
As with any sort of vulnerability scan, there are some inherent risks — including performance reductions, denial of service and aggregation of garbage data.
These risks are minimal, however, and the advantages of discovering security holes in your Web application clearly outweigh the temporary disruption a scan can cause. Further, remember that anyone with access to your site can perform the same procedures that ITSO offers — meaning it's better for everyone to catch vulnerabilities up front, rather than have them exploited by someone with nefarious intentions.
Because of the number of variables associated with Web application vulnerability testing, all scans performed are currently done manually. If you would like to schedule one of these scans please email scanner-admin@itso.iu.edu.
Yes. As part of the process the scanner will actively try to fill out Web forms and submit data. This is so that it can try to identify vulnerabilities including SQL injection and cross-site scripting. The test data submitted should be obviously recognizable to the site owner.
It can be run on both. While UISO has no problem scanning a production server, scanning during regular hours may slow traffic for your users, which may necessitate a less convenient off-peak scan. Conversely, scanning a development server can eliminate possible problems before they reach the production environment, but if the development server is not a 100% exact copy of the production server, the results may not be as reliable.
The Web Scanner is able to create reports with as little or as much information as you would like. Generally speaking you'll get an overview of the issues found and a list of remediation tasks. However, more information can be included such as code samples and verbose explanations.
ITSO also offers reports that show regulatory compliance status, including PCI-DSS. Please note that this is different from a full PCI-DSS audit, but it should give you a good idea of where you stand.
Additionally, "delta analyses" are also possible, so as to highlight the impact of changes/upgrades to your system.
All reports are currently offered in PDF format.
There is no standard answer, as it depends on a number of factors. Have there been any significant changes made to the Web site? Have you performed any operating system/server updates? Have you had any recent security incidents? How much traffic does your site get on a daily/weekly/monthly/annual basis? How sensitive is the data stored on your server?
Answering these questions should make some sort of time frame self-apparent. For more information, feel free to e-mail scanner-admin@itso.iu.edu for additional assistance.
E-mail scanner-admin@itso.iu.edu. We'll need to know a bit about the system, what it is used for, etc. If it is a password protected site, we'll need to have an account added to give us access. If you need multiple people in your department to have access to the reports, we'll need their user names as well.
We'll need to have the date and time at which you would like to have this scan done. It must be started during business hours and ITSO requests that you be present at the commencement to identify any major issues that may arise.
Also, if you are looking for anything specific, please let us know. Since this is a hands-on process, we are able to give a lot of attention to these scans and customize them for you to some degree.
Your first line of support should come from your department's local support provider (LSP). If you are an LSP, you should consult with LSP Services, who can guide you to various resources, documents and available training sessions.
The Open Web Application Security Project (OWASP) contains a great deal of information. Specifically, the OWASP Top 10 (PDF) document details the top 10 security issues identified on the Web today.
SANS is always an excellent resource for Internet security, as is the Web Application Security Consortium (WASC).
Finally, LSP Services has a wealth of information about this and other related topics.
Yes. Please be sure to notify your supervisor, colleagues, LSPs and anyone else who has a stake in the Web site/service being scanned. This will appear to be an attack and you might cause some unintentional panic if people are not properly informed.
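One way for a site owner to tell the expected scan apart from other traffic, tying together the scanner address given above (10.234.125.152) and the note that the scan will look like an attack: a small log-triage script. This is an added example, not part of the original page or of AppScan; the log lines and user-agent strings in it are constructed, and the combined log format is assumed.

```python
"""Added example (not from the UISO page): split Apache/nginx combined-format
log lines into requests from the UISO scanner address named on the page
(10.234.125.152) and requests from everywhere else, so the scan is recognised
as expected activity and anything else that looks similar still gets attention.
All log lines and user-agent strings below are constructed sample data."""
import re
from collections import Counter

SCANNER_IPS = {"10.234.125.152"}  # iu-uiso-appscan.ads.iu.edu, per the page

# Combined log format: ip ident user [time] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
10.234.125.152 - - [01/Mar/2010:09:02:11 -0500] "GET / HTTP/1.1" 200 512 "-" "constructed-scanner-ua"
10.234.125.152 - - [01/Mar/2010:09:02:12 -0500] "GET /login.php HTTP/1.1" 200 1024 "-" "constructed-scanner-ua"
10.234.125.152 - - [01/Mar/2010:09:02:13 -0500] "POST /login.php HTTP/1.1" 500 88 "-" "constructed-scanner-ua"
192.0.2.44 - - [01/Mar/2010:09:03:01 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2010:09:03:05 -0500] "POST /login.php HTTP/1.1" 500 88 "-" "curl/7.19"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text, scanner_ips=SCANNER_IPS):
    """Return (scanner_hits, other_hits): Counters keyed by (method, path, status)."""
    scanner, other = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than guess
        key = (rec["method"], rec["path"], rec["status"])
        (scanner if rec["ip"] in scanner_ips else other)[key] += 1
    return scanner, other

def server_errors_outside_scan(log_text, scanner_ips=SCANNER_IPS):
    """5xx responses NOT caused by the scan: these deserve a closer look."""
    _, other = triage(log_text, scanner_ips)
    return sorted(k for k in other if k[2].startswith("5"))

if __name__ == "__main__":
    scan, rest = triage(SAMPLE_LOG)
    print(f"{sum(scan.values())} requests from the scanner, {sum(rest.values())} from elsewhere")
    for key, n in sorted(scan.items()):
        print("  scan:", *key, f"x{n}")
    print("non-scan 5xx:", server_errors_outside_scan(SAMPLE_LOG))
```

Requests from the scanner address are the scheduled test; the same kind of request from any other address is exactly the case the notification advice above is meant to keep people from panicking about, and the one worth investigating.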