Educause Security Discussion mailing list archives

Web Application Security Assessment


From: "DiGrazia, Mick A" <mick.digrazia () UCONN EDU>
Date: Wed, 19 Mar 2008 10:57:22 -0400

I would be interested in hearing about your experience with tools to
perform web application security assessments. In particular:

1. What product are you using at your institution?

2. After the vendor was selected, how much time was needed to implement
the system?

3. What groups were involved in the implementation? Was it just the
security area, or were the server, applications, and other groups
involved? If they were involved, was their time commitment significant?

4. Whose responsibility is it to perform security assessments? Is it the
IT Security Office's role or the web/application developers'?

5. Is there a requirement or policy to assess all applications before
moving to production?

6. Has the use of the assessment tools helped to reduce or eliminate
incidents related to web applications?


Many thanks in advance for your responses.

Kind Regards,

Mick A. DiGrazia
Information Security Analyst
University of Connecticut
mick.digrazia () uconn edu 
