Web Application Security Scanning

To help U-M units identify and resolve vulnerabilities in their web applications, ITS Information Assurance (IA) offers web application security scans at no charge on request. Web application scans help you meet your responsibilities for secure coding and vulnerability management. They are part of a larger toolkit of scanning capabilities that IA provides, which also includes network vulnerability scans and penetration tests.

The automated web app scanner tests for common vulnerabilities specific to web applications, such as SQL injection and cross-site scripting. Web app vulnerabilities typically stem from misconfigurations or programming errors in a web application's programming language, code library, design pattern, or architecture.

The scanner crawls a given web application, checking for problems across web servers, proxy servers, web applications, and other web services. After a scan is completed, IA provides the requester with a report detailing any concerns discovered and recommendations for remediation.

Follow the process below to get your web application scanned.

1. Gather Needed Information

  • Application details. The name and URL(s) for your application along with a brief description of its purpose.
  • Authentication. Does your application require authentication? If your application uses Weblogin or other authentication based on unique user names, we can run the scan as a logged-in user. If additional access needs to be granted within your application, we can provide user account details when scheduling your app scan.
  • Contact people. You'll need to provide both a business contact (the person making the request, often a project manager or other manager) and a technical contact (the person responsible for maintaining your website who understands your web app details and can respond to security issues).
  • Environment(s). Do you have both production and non-production versions of your web environment?
  • Sensitive data information. If your application interacts with or stores sensitive data, determine the U-M data classification level (Restricted, High, Moderate, or Low) of the data. See these resources for help:
  • Location. Is your site hosted off-campus by a third party? Is it behind a firewall? You may need to update your firewall rules to allow the scanner access.

2. Back Up Your Website/Database

Before requesting a scan, back up your website and/or database. In some cases, scans can corrupt data. It is important to have backups so you can compare or restore if needed.

It is always a good idea to have backups! All U-M institutional data must be backed up. See Back Up U-M Data for specific requirements.
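The backup step above is worth scripting so that the pre-scan state of the site can be compared against or restored after the scan. The following is an added example, not part of the ITS page or any IA tooling: it snapshots a webroot into a timestamped tarball, writes a SHA-256 manifest of every file, and provides a verify function that reports whether anything changed. It assumes a POSIX shell with tar and either sha256sum or shasum available; the directory paths are placeholders you supply, and the database dump line is shown only as a DBMS-specific comment.

```shell
#!/bin/sh
# Added example (not from the U-M ITS page): snapshot a webroot before a scan and
# check it afterwards, so files corrupted by the scan can be spotted or restored.
# Assumptions: POSIX sh, tar, and sha256sum (Linux) or shasum (macOS/BSD).
set -u

# Pick whichever SHA-256 tool the host has.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# make_backup <webroot> <backup_dir>
# Writes webroot-<stamp>.tar and manifest-<stamp>.sha256 into backup_dir and
# prints the manifest path so the caller can verify against it later.
# backup_dir must be outside webroot, or the tarball would include itself.
make_backup() {
    webroot="$1"
    mkdir -p "$2"
    backup_dir=$(cd "$2" && pwd)            # absolute path, safe to use after cd
    stamp=$(date +%Y%m%d-%H%M%S)
    tar -C "$webroot" -cf "$backup_dir/webroot-$stamp.tar" .
    # Manifest lines are "<hash>  ./relative/path", relative to the webroot.
    ( cd "$webroot" && find . -type f -print0 | xargs -0 $(sha256_tool) ) \
        > "$backup_dir/manifest-$stamp.sha256"
    # Database dump is DBMS-specific; for MySQL/MariaDB it would look like:
    # mysqldump --single-transaction "$DB_NAME" > "$backup_dir/db-$stamp.sql"
    echo "$backup_dir/manifest-$stamp.sha256"
}

# verify_backup <webroot> <manifest>
# Returns 0 if every file listed in the manifest still matches, non-zero otherwise.
verify_backup() {
    webroot="$1"
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$webroot" && $(sha256_tool) -c "$manifest" --quiet ) >/dev/null 2>&1
}

# Usage (paths are placeholders):
#   manifest=$(make_backup /var/www/myapp /srv/backups/myapp)
#   ... run the scan ...
#   verify_backup /var/www/myapp "$manifest" && echo "webroot unchanged" || echo "files differ, compare or restore"
```

Run make_backup before submitting the scan request and verify_backup once IA's report arrives; a non-zero result means at least one file differs from the pre-scan snapshot, and the tarball gives you a known-good copy to restore from. Files the scanner adds (for example, uploads it created) are not in the manifest and will not be flagged by this check.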

3. Request a Scan

Request a scan using the ITS Web Application Security Scanning Request Form (U-M login required).

Michigan Medicine Code Reviews

For applications developed by or for Michigan Medicine, and that will be used to process data classified as Restricted or High, especially for applications involving Protected Health Information, Michigan Medicine’s Information Assurance office conducts manual code reviews. For more information, contact the Health Information Technology & Services (HITS) Service Desk.