ARCHIVED: Project: Vulnerability management and web application scanning

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Primary UITS contact: Jason Abels

Last update: October 3, 2014

Description: Indiana University increasingly relies on web applications and non-web services to interface with critical business data, as well as confidential customer information such as credit card and protected health care data. With so much information and activity online, we offer web and non-web vulnerability scanning services that functional units can use to accurately assess our exposure to attacks.

We currently use two IBM products: AppScan for web applications, and Enterprise Scanner for non-web services. IBM has abandoned Enterprise Scanner in favor of an agent-based solution that caters to corporate environments; that replacement costs more and requires installing an agent on every machine we want to scan. Our AppScan license does not allow us to perform enough scans in parallel to keep up with demand. While we could purchase an upgraded license from IBM, a more strategic approach is to pursue a single solution that addresses both our web and non-web needs.

Outcome: Purchase and deploy replacement scanning product.

Milestones and status:

  • May 29, 2013: Scanner replacement demo started
  • August 17, 2013: Quotes requested from two finalists
  • October 1, 2013: Final product chosen
  • October 13, 2013: Quote received from Qualys
  • August 16, 2014: Final proposal submission
  • October 1, 2014: Purchase completed
  • October 6, 2014: Beta phase started

Comment process: After a careful evaluation process, it was determined that only one product could fully meet the requirements of the project; a full RFP process was skipped in favor of a technical evaluation.

Benefits: A reduced attack surface, achieved by verifying that servers are correctly configured and by scanning web services more thoroughly.

Client impact: Clients will experience major changes in the way they interact with Vulnerability Management. Supplemental free training is offered by Qualys.

Project team:
Jason Abels
Jeremy Geib

Governance:
Tom Davis
Andrew Korty

This is document bfbg in the Knowledge Base.
Last modified on 2018-01-18 17:13:04.