Hello All,


A few questions related to application vulnerability scanning and management:


- Do you have a program to ensure that applications are tested for vulnerabilities?

  - Is it embedded in the application QA or release process, or is scanning done once the app is in prod (or both)?

  - Who runs the tests? (Developers? QA? InfoSec personnel? Other?)

- What tool do you use for static code testing?

- What tool do you use for dynamic code testing?

  - Do you run credentialed scans or anonymous only?


This question was cross-posted to educause and Ren-Isac. I will post some de-identified statistical results back to both lists.


Thanks all!
Quinn R Shamblin
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  –  O 617-358-6310  M 617-999-7523