Educause Security Discussion mailing list archives
Re: Web site security scanning/"certification" services?
From: "O'Callaghan, Daniel" <Daniel.OCallaghan () SINCLAIR EDU>
Date: Mon, 4 Jun 2012 12:41:42 +0000
Do you use a web site security scanning service such as McAfee Secure on your public-facing websites? If so:
- Which service(s) do you use?
--McAfee Secure (ScanAlert "Hacker Safe" prior to acquisition)

- Are you happy with them?
--Mostly. Cost is reasonable. One-time "on-demand" scans are inexpensive. Web developers know vulnerabilities are likely to be caught, so typically are more careful about checking before publishing. Scans are pretty good at identifying XSS, SQL Injection, SSL/Cert issues, etc., and the reports offer suggested remediation. When scans detect something, I can simply attach the report and send it to the developer/admin, they can see where the vulnerability is and how to fix it.

- Do they offer a "seal" (little graphic that you display on the site)?
--Yes.

- If they do offer a seal, do you display it? Why or why not (just curious)?
--On some pages/sites. The service was initially requested by our marketing folks, specifically so they could place the logo on any of our sites where personal/sensitive information is collected. I was pleasantly surprised to find the scan data is actually useful.

___________________________________
Daniel V. O'Callaghan, Jr., MBA, CISSP
Chief Information Security Officer
Sinclair Community College
444 W Third St, 13-000B
Dayton, OH 45402
937.512.2452