Overview
An Application Security Assessment evaluates the resistance of an application to known security threats. The Information Security Office (ISO) employs a collection of commercial and open-source tools, combined with manual testing to perform this assessment. This assessment analyzes all components of an application infrastructure including how each component is deployed and how each component communicates with both the client and server environments.
The overall process is as follows:
- The requestor submits an application assessment request form.
- The ISO follows up with clarifying questions as needed.
- Once the requestor has provided all necessary information, the ISO determines whether the application requires an automated scan (the default method) or a manual assessment (typically used when the application contains high-value data). Turnaround time is generally a few hours for automated scanning and 10 business days if the application requires manual testing, though this may vary depending on the size and complexity of the application.
- If a manual assessment is performed, the ISO creates a draft report. That report then undergoes a peer review.
- The ISO submits the report to the requestor and any additional contacts. If automated scanning was performed, a copy of the scan results is sent instead of a formal report.
- The requestor begins remediations as needed.
- Depending on the findings, the ISO may conduct a follow-up assessment to verify remediations were successful.
Requirements
The ISO needs certain information to begin an application assessment. To prevent delays in turnaround time, please have the following information ready before submitting an application assessment request form.
- The app name.
- The application must be present in Isora. The application assessment request form will not allow you to submit a request for an application that is unlisted.
- A description of how the app will be used on campus. This will help the ISO get up to speed on your application's functionality.
- The data classification. Note that the ISO doesn't need to assess applications that only process Published or Controlled data. If your application does not process or store any Confidential data, you may still request an assessment, but the ISO may decline.
- Whether the app is hosted locally on campus. This decides whether there are any vendor contacts involved. If so, you'll need to either convince your vendor to provide the ISO with a qualified third-party assessment, or get permission from your vendor for the ISO to assess their app. You'll then need to coordinate with the vendor to provide the ISO with test credentials and a test environment as needed. Finally, you'll need to provide the ISO with the vendor's company name and a vendor contact.
- Whether the app allows login via UT EID. This decides whether you should provide the ISO with credentials specific to the app, or grant access and permissions to ISO test EIDs. Currently, applications that do not support campus SSO will require manual testing.
- Opting out of automated scanning. If there are parts of your application that you do not want an automated scanner to test, please email security@utexas.edu and request a manual assessment of your application.