In cases where a vendor prefers not to have us perform a security assessment, or has recently had one performed, the Information Security Office (ISO) may accept the results of a third-party assessment of the application or service in lieu of conducting our own.

Note that for services and applications handling confidential (Category I) university data, if the vendor declines to have the university perform a security assessment, a third-party security assessment meeting the criteria in this standard is required. "Trust us" is not an acceptable response. The ISO will sign an NDA if requested.

In order for us to accept a third-party security assessment, the following criteria must be met at a minimum:

  • It must be both current and relevant. The assessment may not be more than one year old and must target the most recent major release of the product/service (or, if different, the specific version that will be provided to the university).
     
  • The assessment must be performed by a qualified and experienced third party. Self-assessments performed by the vendor are not acceptable.
     
  • The report provided to the university must be sufficiently detailed that the thoroughness and accuracy of the assessment can be judged. At a minimum, the scope, methodology, and findings sections of the report must be provided, and these sections must not be redacted.
     
  • The scope of the assessment must cover a substantial majority of the service or application. If the product has multiple user roles, each level of authorization should be assessed. All scans, both network and application, must be credentialed (authenticated); an unauthenticated scan sees only the surface exposed to an anonymous user and misses most of the application.
     
  • The methodology must state which tools and processes were used to assess the service or application. Automated scanners are acceptable, but every assessment must also include a manual verification or testing phase.
     
    • Web application assessments must, at a minimum, check for the OWASP Top 10 vulnerabilities. Automated scans of web applications should preferably be done with tools designed for that purpose (e.g., Hailstorm, AppScan, Burp Suite Pro, Acunetix, etc.).
       
    • Network vulnerability assessments must be performed using a suitably capable and in-depth tool (e.g., Nexpose, Nessus, Saint, etc.).
       
  • If issues identified in the assessment have since been remediated, positive evidence of that remediation, such as retest results, should be provided.

Note that these security assessments are only one component of our criteria for evaluating any service or application. Acceptance of a third-party assessment does not necessarily mean the vendor's product will be approved for purchase or use, or that further scrutiny will not be required.