The University of Arizona

Operating System/Network Vulnerability Scanning (Qualys)

Overview   

The University Information Security Office (ISO) has launched the security review program, which includes scanning of all campus web applications and critical servers. The goal of the program is to identify vulnerabilities for correction before they can be exploited. There are several free tools available to help determine if your software needs any security updates. QualysGuard Software is one such tool for scanning for network/system vulnerabilities. Please contact the ISO at (520) 621-UISO (8476) for assistance or if you have questions.

Free Tools   

For information on Resources and University Policy and Standards visit the UA InfoSec webpage.

What Must be Scanned? 
 
All servers and applications that are Internet facing must be scanned. This will often mean that authorized system administrators, web developers, network engineers, and security analysts will work as a team to schedule and complete the scanning. There are two separate scans that are required. 
  • First, scan all servers with Qualys. Complete instructions on server scanning are available here.
  • Second, scan the applications with IBM AppScan or Qualys Web Scanner. When requesting a scan, use the description field to declare which scanner you would like to use; typically the Qualys scan is easier and requires less training. For full instructions on web application scanning, including information on the pre-scan process and training, visit the ISO webpage.
 
AppScan Support List

How Often Should Scans Be Performed? 

  1. The Web Application Security Review Procedure (IS-P802) requires annual scanning of all web applications. 
  2. The University Application Security Standard (IS-S801) requires scanning of all new or significantly modified applications before they are released to a production environment. 
  3. Web applications with any other regulatory requirements must be done in line with the regulation requirements.

Getting Started

There are prerequisites that need to be completed before access is granted.  The individual completing the scan must first complete training which is outlined in the Web Application Security Review Procedure (IS-P802) document. Once this is complete the individual can then request access to the Site License Web Application Scanning Tool. Information about the request form is available in the Web Application Security Review Procedure (IS-P802) document.   

The ISO will contact the requestor with additional information and instructions.

Server Scanning Procedure 

The scanning tool used by the University actively probes systems for vulnerabilities. It performs a multi-level scan using an extensive database of known security holes to identify common system vulnerabilities, such as but not limited to those included in the CERT, CIAC and SANS advisories. To learn more and to request an account, read the Server Scanning Procedure document.

All devices must have been registered in the Critical Device Registry prior to scanning for vulnerabilities. The university has a limited number of licenses, so computers entered in the Critical Device Registry are given priority for vulnerability scanning.