Security Review Process

ITS Application Development and Support, in conjunction with ITS Security, provides a website security review service. The goal of this service is to help colleges and departments review their website environments and applications so that security problems are found and addressed proactively.

The processes that make up a review are defined below. The list is organized into layers reflecting different areas of security concern. All of the processes should be completed for any given website application. Their results can uncover security risks and help lead to mitigation. The results will be shared with the website owner. If security risks are discovered during the review, ITS Security will follow its standard policies to remedy them. ITS Application Development and Support may assist ITS Security with the mitigation of specific types of security risk.
 
Network Survey 
A network survey will be conducted to identify the server's network location and the presence of any web application firewalls. An automated port scan will be conducted to evaluate how the server and its application can be accessed. Recommendations will be made on how to resolve any issues found.
 
Server Review 
The server hosting the application will be reviewed. The review will cover the versions and configurations of the server's operating system, web server, and any database server used in conjunction with the application. Insecure versions and configuration problems will be noted, and recommendations will be made on how to resolve them.
 
Application Framework Review 
An automated scan will be performed that looks for vulnerabilities associated with the programming languages and frameworks used by the application. Insecure versions will be noted, and recommendations for fixes will be made.
 
Application Scan 
An automated scan will be performed on a test instance of the application to look for vulnerabilities. The scan results will be reviewed to identify high-risk issues that need to be fixed immediately. Recommendations will be made for the other issues identified.
 
Compliance Review 
The application will be reviewed to ensure it conforms to the federally mandated Section 508 web accessibility standards and meets Web Content Accessibility Guidelines 2.0, Level AA (WCAG2/AA). If the application uses the UNL WDN framework, a report can be generated that evaluates compliance and adherence to other best practices. A data classification will also be performed to determine whether FERPA, PII, HIPAA, or PCI data is present.
 
Source Code Analysis 
If the application's source code is available, it will be run through analysis tools to identify programming issues and assess code quality. Recommendations will be made to improve coding practices.
 
Application Manual Review 
After all of the processes above have been completed, a manual review will be performed to identify issues that scanners cannot find. Common areas of focus include custom injection attacks, incorrect access control and privilege escalation, data protection, file management and access, error handling and logging, and general secure coding practices. Issues will be noted, and recommendations will be made for anything found in this process.