Educause Security Discussion mailing list archives

application vulnerability scanning solutions in use


From: "Shamblin, Quinn" <qrs () BU EDU>
Date: Tue, 23 Oct 2012 20:17:37 +0000

Hello All,

A few questions related to application vulnerability scanning and management:


*         Do you have a program to ensure that applications are tested for vulnerabilities?

o   Is it embedded in the application QA or release process, or is scanning done once the app is in prod (or both)?

o   Who runs the tests?  (Developers?  QA?  InfoSec personnel?  Other?)

*         What tool do you use for static code testing?

*         What tool do you use for dynamic code testing?

o   Do you do credentialed scans or anonymous only?

This question was cross-posted to EDUCAUSE and REN-ISAC.  I will post some de-identified statistical results back to both lists.

Thanks all!

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  -  O 617-358-6310  M 617-999-7523

