it.ucsf.edu

Netsparker

Netsparker is a web application vulnerability scanner that finds vulnerabilities such as SQL injection and cross-site scripting (XSS) in a web application.

How to get started:

ITS Security and Policy can scan your web server for web application vulnerabilities. When the scan is complete, we will provide you with a report detailing the vulnerabilities found during the scan and their relative security severity, as well as a detailed remediation report that will help you remove the vulnerabilities.

Because of the intensive and comprehensive tests the scanner performs, there is a risk that your web server's performance may be adversely affected, or that back-end data may be altered (which is exactly what an attacker would try to exploit; better that you find it before they do). In most cases back-end data will only be altered if the server is vulnerable.

Scans should therefore be run against staging sites first whenever possible to confirm there is no adverse impact. If this is not possible, take backups or VM snapshots before the scan.

What we need from you:

  1. The URL or IP address of the web server you would like us to scan.
  2. Technical contact for the server.
  3. A read-only username and password for the web application (if applicable). This information should be communicated over the telephone rather than by email.
  4. Network access to the site (i.e. an appropriate firewall rule to allow traffic from our scanner, 64.54.136.144 / eis-webscan.ucsf.edu).
  5. Disable endpoint protection software that may interfere with the scan (e.g. intrusion prevention software, host-based firewall), or add an exception for the scanner address, and re-enable it once the scan window has ended.
  6. Authorization for ITS Security and Policy to scan the web server.
  7. Time frame for us to perform the scan (scheduled scan).
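
One way to satisfy items 4 and 5 without opening the site to the whole Internet or switching the host firewall off, as an added example that is not part of the UCSF page or the Netsparker service: a small script that inserts iptables rules accepting traffic only from the scanner address listed above, only on the web ports, tagged so they can be removed when the scan window ends. It assumes a Linux host using iptables with an INPUT chain and a web service on TCP 80/443 (the PORTS value is an assumption; adjust it to your service). Without an argument it prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the UCSF page): time-boxed iptables allow rules for the
# scanner source the page lists. Assumptions: Linux host using iptables with an
# INPUT chain, web service on TCP 80/443 (adjust PORTS), and that the exception
# is wanted only for the scan window. "apply" inserts the rules, "cleanup"
# removes them; any other invocation is a dry run that prints the commands.
set -eu

SCANNER_IP="64.54.136.144"   # eis-webscan.ucsf.edu, as listed on the page
PORTS="80 443"               # assumed web ports; adjust to your service
RULE_TAG="netsparker-scan"   # comment tag used to find and remove the rules

# Emit the iptables commands that open the web ports to the scanner only.
# Rules are inserted at position 1 so they take effect even if the chain
# ends in a default DROP or a REJECT rule.
scan_allow_rules() {
    for p in $PORTS; do
        printf 'iptables -I INPUT 1 -p tcp -s %s --dport %s -m comment --comment %s -j ACCEPT\n' \
            "$SCANNER_IP" "$p" "$RULE_TAG"
    done
}

# Emit the matching delete commands for when the scan window has ended.
scan_cleanup_rules() {
    for p in $PORTS; do
        printf 'iptables -D INPUT -p tcp -s %s --dport %s -m comment --comment %s -j ACCEPT\n' \
            "$SCANNER_IP" "$p" "$RULE_TAG"
    done
}

# Number of rules the allow set contains; a quick sanity check before applying.
rule_count() {
    scan_allow_rules | wc -l | tr -d ' '
}

case "${1:-dryrun}" in
    apply)   scan_allow_rules   | sh -e ;;   # needs root
    cleanup) scan_cleanup_rules | sh -e ;;   # needs root
    *)
        echo "# dry run; 'apply' would execute:"
        scan_allow_rules
        echo "# 'cleanup' would execute:"
        scan_cleanup_rules
        ;;
esac
```

Scoping the exception to the scanner's source address and the web ports, and tagging the rules so they can be deleted afterward, is the practical middle ground between the page's two options: you neither open the ports to everyone nor leave the host firewall disabled after the scan. Run the cleanup step as soon as the scheduled window closes.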

What to expect:

Once we have all the information we need, we will coordinate with you to schedule a window during which we will run the scan.

Depending on the complexity of your web server, the scan may take anywhere from under an hour to 8 hours to complete. When the scan has completed, we will securely email the report to you.

How do I get started?

Contact the Service Desk at 415-514-4100 to submit a request, or email security@ucsf.edu.