This article prescribes procedures for performing vulnerability scans on web applications that process Level 1 data before the websites are placed into production, and regularly thereafter.
To safeguard sensitive data, the campus will perform the following actions:
- The campus ISO will continue current training, communication, and coordination with campus IT Coordinators, Deans, AVP’s and the campus IT community on important security policies, practices, and processes. This includes reminders of responsibilities surrounding the safeguarding of Level 1 data.
- For web applications that process Level 1 data, code will be developed by web application developers and tested in a secure, non-production environment. Before it is moved to production, the developer must have it scanned by ITS for vulnerabilities and advise their Dean or AVP. (see defined process)
- ITS will scan the code (using a tool that is currently being procured). The resulting report from the scan will be stored on a secure server and shared with the campus ISO. The campus ISO will then review the report with the Dean or AVP overseeing their IT Coordinator / Web Application Developer for any needed code remediation identified by the scanning tool.
- Once the code has been cleanly scanned, and the ISO has signed off, the Dean / AVP will approve moving the web application code to production by the IT Coordinator / Web Application Developer.
- Once code is in production, IT Coordinators and Web Application Developers will follow the procedure above annually to have the code rescanned, or whenever code is revised, and will obtain approval from their Dean / AVP prior to moving any revised or new code into production. The campus ISO will be notified.
- After each scan, the ISO will keep a log of scans and work with ITS to identify false positives and improve the scanning process.
- ITS is currently procuring the Qualys module that will enable scanning of web application code. ITS will provide the service of web application scanning of Level 1 data upon request.
Process Flow Diagram
(click to enlarge)