Web Application Scanning (Tenable)

Overview and Key Features:

The web application scanning service helps identify security vulnerabilities in internally managed web applications using the Tenable platform.

Vulnerability scanning is required for all organizational systems by the university’s Information Security Control Standard (control RA-2), which states that scanning must occur “periodically and when new vulnerabilities affecting those systems and applications are identified”.

This service is available to faculty and staff who manage web applications. Examples include WordPress websites, Pepper applications and commercial applications such as REDCap. It is not intended for student use or for third-party hosted services.

When to request a scan:

  • Before go-live of a new web application
  • After significant changes to an existing application

Note: Production scans are strongly discouraged unless there is no alternative, as they may cause disruption.

Getting Started:

Submit a request via the Enterprise Service Centre (ServiceNow).

  • The request form will require you to provide the application details (e.g. URL, hosting environment, criticality level).
  • The Risk Management team will schedule and execute the scan based on priority and availability.
  • Once completed, a report will be attached to your Enterprise Service Centre ticket with scan findings and recommendations.

Requestor requirements:

  • Must be the service or application owner or have written approval
  • Must have authority to approve scans and implement mitigations

Get Help:

For troubleshooting, inquiries or scan-related support, please use one of the following options:

 

Service Category: Information Security > Threat Detection and Response
Service run by: Office of the Chief Information Officer > Information Security
Service for: faculty, staff
Service Charges: none
Lifecycle Status: in operation
Standard Availability: M-F 9-5
Scheduled Downtime: Scheduled As Needed