Educause Security Discussion mailing list archives
Re: scanning of web applications
From: Jon Hanny <jehanny () GWU EDU>
Date: Fri, 13 Nov 2009 09:49:58 -0500
We developed an Application Security program based on FIPS and NIST. We use Web Inspect, and conduct manual testing as well. We have also used Cenzic Hailstorm.

Any application system that is to be added to our IP space must go through the program and be granted authorization to operate. When a given system goes through App Sec, an accreditation package is associated with it. This package is a binder that has all the security information (excluding firewall rules at this point) related to the given system.

I can provide more information off-line if you like.

Respectfully,

Jon Hanny, CISSP
Application Security Specialist
The George Washington University
703-726-4469
jehanny () gwu edu
appsec () gwu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex Jalso
Sent: Thursday, November 12, 2009 4:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: scanning of web applications

We're developing a process to scan in-house developed web-based applications. The tool we're using is IBM's AppScan standard edition. I was wondering if anyone else has started or completed such an initiative? If so, what were the deliverables of the project and what were the results?

Thanks.

Alex Jalso, PMP
Senior Project Manager
Office of Information Security
West Virginia University
phone: 304-293-4457