Educause Security Discussion mailing list archives

Re: scanning of web applications


From: Jon Hanny <jehanny () GWU EDU>
Date: Fri, 13 Nov 2009 09:49:58 -0500

We developed an Application Security program based on FIPS and NIST. We use
Web Inspect, and conduct manual testing as well. We have also used Cenzic
Hailstorm. Any application system that is to be added to our IP space must
go through the program and be granted authorization to operate. When a given
system goes through App Sec, an accreditation package is associated with it.
This package is a binder that has all the security information (excluding
firewall rules at this point) related to the given system. I can provide
more information off-line if you like.

Respectfully,

Jon Hanny, CISSP
Application Security Specialist
The George Washington University
703-726-4469
jehanny () gwu edu
appsec () gwu edu

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex Jalso
Sent: Thursday, November 12, 2009 4:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: scanning of web applications

We're developing a process to scan in-house developed web based
applications.  The tool we're using is IBM's AppScan standard edition.  I
was wondering if anyone else has started or completed such an initiative?
If so, what were the deliverables of the project and what were the results?
Thanks.


Alex Jalso, PMP
Senior Project Manager
Office of Information Security
West Virginia University
phone: 304-293-4457
