Educause Security Discussion mailing list archives

Re: Web vulnerability scanning of hosted environments and SAAS


From: Brad Judy <brad.judy () CU EDU>
Date: Fri, 26 Apr 2019 14:46:56 +0000

For SaaS services, we’re most likely to contractually require them to perform periodic third-party security 
assessments. During the initial contracting phase, we may ask for a copy of the most recent third-party report (for 
high-risk applications; we don’t do it for everything) and hopefully we can get them to accept contracting terms that 
allow us to perform some level of our own audits or allow us to request the results of their third-party tests on a 
recurring basis.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu


From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Jared Evans <jared.evans () GALLAUDET EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, April 26, 2019 at 7:01 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Web vulnerability scanning of hosted environments and SAAS

While it's a no-brainer to run web vulnerability scanning against University-hosted web servers, what kind of web 
scanning policy/agreements do you have for external web servers that may be run by outside contractors (on behalf 
of the University) inside their hosted environment, and what about web-based SAAS used by a number of departments?

--
Jared Evans
Information Security Officer
Gallaudet Technology Services
Gallaudet University
jared.evans () gallaudet edu
