Educause Security Discussion mailing list archives
Re: Web vulnerability scanning of hosted environments and SAAS
From: Brad Judy <brad.judy () CU EDU>
Date: Fri, 26 Apr 2019 14:46:56 +0000
For SaaS services, we’re most likely to contractually require them to perform periodic third-party security assessments. During the initial contracting phase, we may ask for a copy of the most recent third-party report (for high-risk applications; we don’t do it for everything) and hopefully we can get them to accept contracting terms that allow us to perform some level of our own audits or allow us to request the results of their third-party tests on a recurring basis.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu<http://www.cu.edu/>

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Jared Evans <jared.evans () GALLAUDET EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, April 26, 2019 at 7:01 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Web vulnerability scanning of hosted environments and SAAS

While it's a no-brainer to run web vulnerability scanning against University-hosted web servers, what kind of web scanning policy/agreements do you have for external web servers that may be run by outside contractors (on behalf of the University) inside their hosted environment and what about web-based SAAS used by a number of departments?

--
Jared Evans
Information Security Officer
Gallaudet Technology Services
Gallaudet University
jared.evans () gallaudet edu<mailto:jared.evans () gallaudet edu>