ARCHIVED: Project: Vulnerability management and web application scanning

This content has been archived, and is no longer maintained by Indiana University. Resources linked from this page may no longer be available or reliable.

Primary UITS contact: Jason Abels

Last update: October 3, 2014

Description: Indiana University increasingly relies on web applications and non-web services to interface with critical business data, as well as confidential customer information such as credit card and protected health care data. With so much information and activity online, we offer web and non-web vulnerability scanning services that functional units can use to accurately assess our exposure to attacks.

We currently use two IBM products: AppScan for web applications, and Enterprise Scanner for non-web services. IBM abandoned Enterprise Scanner in favor of an agent-based solution that caters to corporate environments; that solution costs more and requires installing an agent on every machine we want to scan. Our AppScan license does not allow us to perform enough scans in parallel to keep up with demand, and while we could purchase an upgraded license from IBM, a more strategic approach would be to pursue a solution that addresses both our web and non-web needs.

Outcome: Purchase and deploy replacement scanning product.

Milestones and status:

  • May 29, 2013: Scanner replacement demo started
  • August 17, 2013: Quotes requested from two finalists
  • October 1, 2013: Final product chosen
  • October 13, 2013: Quote received from Qualys
  • August 16, 2014: Final proposal submission
  • October 1, 2014: Purchase completed
  • October 6, 2014: Beta phase started

Comment process: After a careful evaluation process, it was determined that only one product could fully meet the requirements of the project; a full RFP process was skipped in favor of a technical evaluation.

Benefits: Reducing our attack surface area by ensuring correctly configured servers and more robust scanning of web services.

Client impact: Clients will experience major changes in the way they interact with Vulnerability Management. Supplemental free training is offered by Qualys.

Project team:
Jason Abels
Jeremy Geib

Tom Davis
Andrew Korty

This is document bfbg in the Knowledge Base.
Last modified on 2018-01-18 17:13:04.
