Manashosting’s System Network Security (SNS) will help you evaluate your web-based application’s security posture by scanning it with an automated application vulnerability scanner and reviewing the scanner findings with a designated representative from your unit.

SNS will use IBM’s AppScan, an automated web application vulnerability scanner that probes a running application for the classes of weakness most likely to be exploited. The scanner will look for SQL injection, cross-site scripting, improper error handling, and other common vulnerabilities that can lead to system compromise or defacement. The scanner interacts with your application the way a user does, submitting forms and following links with crafted input; depending on your application’s functionality, this can trigger email generation; data creation, deletion, or edits; script execution; and similar side effects. Because of this invasive behaviour, AppScan is best suited to development and testing environments. If your unit does not have a testing or development environment, please let us know and we will explore alternatives for you.
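The three finding classes named above, shown as an added example rather than anything from the SNS page or IBM AppScan: for each, a vulnerable handler is placed beside its hardened form and exercised with the kind of probe an automated scanner submits. The in-memory SQLite table, the function names and the probe strings are constructed here for illustration; only the Python standard library is used.

```python
"""Added example (not from the SNS page or from AppScan): vulnerable and
hardened handlers for SQL injection, cross-site scripting and improper
error handling, driven with scanner-style probes.  All data is constructed."""

import html
import sqlite3


def make_db():
    """Constructed sample data: a small users table a scanner might hit."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


# --- SQL injection --------------------------------------------------------
def lookup_user_vulnerable(conn, username):
    # String concatenation lets the probe rewrite the WHERE clause.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_hardened(conn, username):
    # Parameterised query: the probe is bound as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# --- cross-site scripting -------------------------------------------------
def greet_vulnerable(name):
    # Reflects user input straight into the HTML response.
    return "<p>Hello, " + name + "</p>"


def greet_hardened(name):
    # Escapes &, <, >, " and ' so the probe renders as text, not markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# --- improper error handling ---------------------------------------------
def fetch_record_vulnerable(conn, record_id):
    # Leaks the database driver's error text to the client; a scanner uses
    # such messages to confirm injection points and fingerprint the backend.
    try:
        return conn.execute("SELECT * FROM users WHERE id = " + record_id).fetchone()
    except sqlite3.Error as exc:
        return "Internal error: " + str(exc)


def fetch_record_hardened(conn, record_id):
    # Validates the input, binds the value, and returns a generic message;
    # the real exception belongs in the server-side log, not the response.
    if not record_id.isdigit():
        return "Invalid request"
    try:
        return conn.execute("SELECT * FROM users WHERE id = ?",
                            (int(record_id),)).fetchone()
    except sqlite3.Error:
        return "An error occurred"


# Constructed probes of the kind a scanner submits in form fields and URLs.
SQLI_PROBE = "' OR '1'='1"             # tautology: returns every row
XSS_PROBE = "<script>alert(1)</script>"  # reflected-script marker
ERROR_PROBE = "1'"                     # malformed SQL: provokes a driver error


if __name__ == "__main__":
    db = make_db()
    print("sqli vulnerable :", lookup_user_vulnerable(db, SQLI_PROBE))
    print("sqli hardened   :", lookup_user_hardened(db, SQLI_PROBE))
    print("xss vulnerable  :", greet_vulnerable(XSS_PROBE))
    print("xss hardened    :", greet_hardened(XSS_PROBE))
    print("error vulnerable:", fetch_record_vulnerable(db, ERROR_PROBE))
    print("error hardened  :", fetch_record_hardened(db, ERROR_PROBE))
```

Running the script shows why a scanner flags each vulnerable function: the tautology probe returns every user, the script tag comes back unescaped, and the driver's error text is echoed to the client. The hardened forms return an empty result set, an escaped string, and a generic message respectively.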

This service is offered to the campus free of charge for all web-based applications, for up to 10 hours of an SNS staff member’s time. This includes building the appropriate scan templates, executing scans, and consultation time to review the findings and explain mitigation techniques. Depending on the size and complexity of your application, we may not be able to scan all of it; in that case we will scan a targeted section that would be most beneficial for your review.

Included in this Review:

Application Scan using IBM’s AppScan

Review of the scanner report(s) with you, giving guidance on the vulnerabilities, possible remediation options, and verification of false positives

Presentation of best coding practices to mitigate the most common threats facing your web applications

Useful resources to help with remediation and further explanation (blogs, websites, application security groups, etc.)

Not included:

This is not a full security assessment, but a targeted review of your web-based application

Detailed coding instructions for remediation in your application’s chosen framework or scripting language

The Unit will need to provide:

A brief overview of the system

A designated contact that understands the application to answer questions

Working URLs (a non-production environment is preferred)

Test user credentials, if applicable

Times when the application is available for scanning

Scanning is an invasive process; your application may experience the following:

Excessive web server log volume

Possible email generation, if the application sends automated notices to system administrators, developers, etc.

Possible execution of scripts that call external systems

Possible record modification (insert, update, delete)

Performance degradation