services

Vulnerability Assessment requirements

The Web Application Assessment service is used to identify vulnerabilities in development and production websites. We use a combination of dynamic scanners, open source tools/scripts and manual testing to test your site. When deciding whether to have your site scanned or not, please see the guidelines put forth in AD95, specifically the Secure Coding and Application Security Standard.

Our current SLA for scan completion is: 2 weeks

Before submitting an application, please read our recommendations to prepare for the scan below:

• If you have a firewall protecting your site, please allow the scanner IP address (172.28.246.79) in through your firewall. You can limit the ports the scanner IP address can access by limiting your firewall rule to the standard 80/443 web ports.
• If you have a development environment for your sites, it is preferable to scan those versus a production site. Scanners submit thousands of requests against a site, so this can sometimes have an impact on a production site. We understand not every group has a development environment, so we will work with you to scan against a production environment if necessary.
• Make sure your web servers and any backend DB’s are backed up. While scans have never corrupted a site, there is always a possibility due to the types of attacks that attempt to trigger DB commands. Scanners can and will submit any forms they find, so a db could become filled with junk data.
• If your website has forms that send out email, please disable these forms temporarily while we scan. There is the potential for the scanner to submit a form thousands of times, potentially sending out thousands of emails.

Web Application Assessment Request Form