To comply with the Policy on Minimum Security Standard for Web Applications, ITSC has set up a Web Application Vulnerability Assessment service for departments. This service is especially useful for colleagues during the development cycle or when testing open-source applications and third-party developed applications. The assessment emulates an attacker: it probes your application for possible security vulnerabilities, such as cross-site scripting and SQL injection as listed in the Open Web Application Security Project (OWASP) Top Ten, and attempts to exploit them. A comprehensive assessment report is then produced for you, with suggestions on how to fix the vulnerabilities found. If you want a sample report, please click here.
The web application must pass this web application vulnerability assessment before its production launch and after any major changes to the application. The assessment is passed only if NO critical vulnerabilities are found.
The duration of the assessment depends on several factors:
structure and complexity of the application,
performance of the web server to be scanned,
number of user roles in the application (the maximum scanning window for each user role is 7 days),
etc.
Please note that if there are multiple user roles in the application, the scan tasks cannot be run concurrently, since concurrent scans usually degrade the performance of the web server being scanned.
If any critical vulnerability is found in an assessment, it has to be fixed and the application scheduled for reassessment, repeated until no critical vulnerability is found.
2. Preparation for the assessment
The scanners used for the web application assessment will attack your application, which could damage the files and/or database of the application. So please ensure the following before a scan task is started:
Prepare a testing / development environment with a small amount of test data for the assessment.
Reserve enough time for the assessment, especially if multiple user roles are involved in the application.
Back up all data and source code before the scan, and make sure that the backup can be restored properly if necessary.
DO NOT use production / real data, especially real email address(es), since the scan task could trigger emails to be sent out.