WebInspect Scanning Service

OIT Information Security offers WebInspect Web application vulnerability scans as a service to University IT professionals involved in the creation, deployment and/or maintenance of Web applications.

What is WebInspect?

WebInspect is a Web application vulnerability assessment tool. It analyzes Web applications and the servers they run on to identify potential security risks.

How do I request a WebInspect scan of my application?

OIT Information Security has licensed WebInspect for use in scanning University systems. If you would like to request a WebInspect scan, please fill out the scan request form. Someone from OIT Information Security will contact you to arrange the details of the scan. We normally prefer to hold a “walk-through” meeting, in which we review the application's functionality with the developers and/or administrators, before running the scan.

Can I run my own WebInspect scan?

Because of licensing restrictions and the technical complexity of running a scan, all scans must be run by OIT Information Security at this time.

How long will it take to run a scan?

We offer a five business day turnaround between the time the scan details are finalized and delivery of the scan report. We make every effort to complete scans in two business days when possible. In urgent cases, we may be able to accelerate the scan. Complex applications may require additional planning time.

What do I need to do to prepare for a WebInspect scan?

WebInspect will crawl all links it can find in the application. This includes submitting any forms that exist. One common issue is that forms designed to send email notification to administrators will trigger many emails during a scan. We suggest either disabling this functionality or advising recipients that this will occur, before running a scan. Additionally, it is important to plan your scan in such a way that WebInspect will not harm the integrity of production data.

The scan requestor is responsible for coordinating in advance with all groups/departments that may be affected by the scan, including the system administrator(s) and database administrator(s).

WebInspect runs from a central location (webinspect.cc.nd.edu, 129.74.33.156). If there are host or network firewalls protecting your application, you will need to request that this address be given access to the server prior to running your scan. Please note that because of the operating system running on the WebInspect machine, it is not possible to connect to the Cisco VPN from the WebInspect machine. If your application requires VPN access (e.g., OITES VPN), you will need to make special arrangements to allow access for the WebInspect machine.
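The preparation notes above say the scanner crawls every link it can find, submits every form, and connects from 129.74.33.156. The following script is an added example (it is not part of the OIT page or of WebInspect itself) that an application owner can run over the web server's access log after a scan to confirm that the firewall exception worked (requests from the scanner address actually arrived) and to list which form handlers the scanner submitted to, for instance to check whether an email-notification form was exercised. The log lines are constructed sample data in Apache/Nginx combined format; the function and variable names are the example's own.

```python
"""Audit what a WebInspect scan touched, from the web server's access log.

Added example, not code from the OIT page: the scanner's source address
(129.74.33.156) is the one named on the page; the log lines below are
constructed sample data in Apache/Nginx combined log format.
"""
import re
from collections import Counter

SCANNER_IP = "129.74.33.156"  # WebInspect host named on the page

# Combined log format: ip - user [timestamp] "METHOD path HTTP/x" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: six scanner requests and one ordinary user request.
SAMPLE_LOG = """\
129.74.33.156 - - [10/Mar/2014:09:01:02 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
129.74.33.156 - - [10/Mar/2014:09:01:03 -0500] "GET /contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
129.74.33.156 - - [10/Mar/2014:09:01:04 -0500] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"
129.74.33.156 - - [10/Mar/2014:09:01:05 -0500] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.20.30.40 - alice [10/Mar/2014:09:01:06 -0500] "GET /profile HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
129.74.33.156 - - [10/Mar/2014:09:01:07 -0500] "POST /admin/users/delete HTTP/1.1" 403 0 "-" "Mozilla/5.0"
129.74.33.156 - - [10/Mar/2014:09:01:08 -0500] "GET /admin HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scanner_activity(log_text, scanner_ip=SCANNER_IP):
    """Summarise the scanner's requests: whether any arrived, how many,
    per-method counts, and every path that received a non-GET request
    (form submissions and other state-changing calls)."""
    total = 0
    methods = Counter()
    submitted = Counter()  # path -> number of non-GET requests from the scanner
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["ip"] != scanner_ip:
            continue
        total += 1
        methods[rec["method"]] += 1
        if rec["method"] != "GET":
            submitted[rec["path"]] += 1
    return {
        "reached": total > 0,  # False suggests the firewall exception is missing
        "requests": total,
        "methods": dict(methods),
        "submitted_paths": dict(submitted),
    }


def notification_forms_hit(summary, notification_paths):
    """Return the paths in `notification_paths` (form handlers that send email,
    which the page suggests disabling or warning recipients about) that the
    scanner actually submitted to, sorted for stable output."""
    return sorted(p for p in notification_paths if p in summary["submitted_paths"])


if __name__ == "__main__":
    summary = scanner_activity(SAMPLE_LOG)
    print(summary)
    print("notification forms hit:", notification_forms_hit(summary, {"/contact", "/feedback"}))
```

Run it against the real access log by replacing SAMPLE_LOG with the file's contents; an empty `submitted_paths` together with `reached: True` means the scanner crawled but never got past a form, which usually points at a login or session problem worth raising at the walk-through meeting.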

What credentials will be required to run a scan?

You will need to provide OIT Information Security with account credentials for each “role” supported by the application. For example, if an application provides different functionality to faculty and staff members, we will need an account of each type. Similarly, if the application offers an administrator function, we will need an account with access to that role. In general, we prefer to use test accounts to minimize the likelihood of disrupting production data. 

When should I run a WebInspect scan?

We strongly encourage the use of WebInspect throughout the development cycle. Most of the overhead in creating a scan occurs during the first iteration. We can reuse scripts and macros to rescan applications at any time. 

Applications subject to OIT Change Control are scanned, at a minimum, at three points:

  • Prior to moving the application from development to pre-production (full assault scan)
  • Prior to moving the application from pre-production to production (full assault scan)
  • After moving the application to production (safe scan)

Additional scans are at the discretion of the developer. When planning your development project, please keep in mind that the scan may find vulnerabilities that need to be remediated before moving an application into pre-production or production. Project timetables should plan for this eventuality.