Web Application Security Scanning

To help U-M units identify and resolve vulnerabilities in their web applications, ITS Information Assurance (IA) offers access to the Tenable web application security scanner at no charge. Tenable empowers units to conduct and manage their own scans, streamlining the process and reducing wait times for results. Web application scans help you meet your responsibilities for secure coding and vulnerability management. They are part of a larger toolkit of scanning capabilities that IA provides, which also includes network vulnerability scans and penetration tests.

In addition to utilizing Tenable web application security scanning, units may submit a request to IA for web application security scanning. That process is described below.

About the Scanner

The automated web app scanner tests for common vulnerabilities specific to web applications, such as SQL injection and cross-site scripting. Web app vulnerabilities typically stem from misconfigurations or programming errors in a web application's programming language, code library, design pattern, or architecture.

The scanner crawls a given web application, checking for problems across web servers, proxy servers, web applications, and other web services. After a scan is completed, IA provides the requester with a report detailing any concerns discovered and recommendations for remediation.

Follow the process below to get your web application scanned.

1. Gather Needed Information

  • Application details. The name and URL(s) for your application along with a brief description of its purpose.
  • Authentication. Does your application require authentication? If your application uses U-M single sign-on or other authentication based on unique user names, we can run the scan as a logged-in user. If additional access needs to be granted within your application, we can provide user account details when scheduling your app scan.
  • Contact people. You'll need to provide both a business contact (the person making the request, often a project manager or other manager) and a technical contact (the person responsible for maintaining your website who understands your web app details and can respond to security issues).
  • Environment(s). Do you have both production and non-production versions of your web environment?
  • Sensitive data information. If your application interacts with or stores sensitive data, determine the U-M data classification level (Restricted, High, Moderate, or Low) of the data. See these resources for help:
  • Location. Is your site hosted off-campus by a third party? Is it behind a firewall? You may need to update your firewall rules to allow the scanner access.

2. Back Up Your Website/Database

Before requesting a scan, back up your website and/or database. In some cases, scans can corrupt data. It is important to have backups so you can compare or restore if needed.

It is always a good idea to have backups! All U-M institutional data must be backed up. See Back Up U-M Data for specific requirements.

3. Request a Scan

Request a scan using the ITS Web Application Security Scanning Request Form (U-M login required).

Michigan Medicine Code Reviews

For applications developed by or for Michigan Medicine, and that will be used to process data classified as Restricted or High, especially for applications involving Protected Health Information, Michigan Medicine’s Information Assurance office conducts manual code reviews. For more information, contact the Health Information Technology & Services (HITS) Service Desk.