Overview

An Application Security Assessment evaluates the resistance of an application to known security threats. The Information Security Office (ISO) employs a collection of commercial and open-source tools, combined with manual testing, to perform this assessment. This assessment analyzes all components of an application infrastructure, including how each component is deployed and how each component communicates with both the client and server environments.

The overall process is as follows:

  1. The requestor submits an application assessment request form.
  2. The ISO follows up with clarifying questions as needed.
  3. Once the requestor has provided all necessary information, the ISO begins the assessment, and notifies the requestor and involved parties (vendor, primary UT contact, etc.). The turnaround time is generally 10 business days, though this may vary depending on the size and complexity of the application.
  4. The ISO creates a draft report. If the requestor asks for a formal report, it undergoes peer review.
  5. The ISO submits the report to the requestor and any additional contacts.
  6. The requestor begins remediations as needed.
  7. Depending on the findings, the ISO may conduct a follow-up assessment to verify remediations were successful.

Requirements

The ISO needs certain information to begin an application assessment. To prevent delays in turnaround time, please have the following information ready before submitting an application assessment request form.
  1. The app name.
  2. The number of end users impacted. Knowing the size of the user base helps us determine priority as well as what kinds of threats to model.
  3. A description of how the app will be used on campus. This will help the ISO get up to speed on your application's functionality.
  4. The worst thing you can imagine an attacker doing with your app. This will help the ISO more quickly identify attack scenarios to test on your app, and come up with other scenarios.
  5. The data classification. Note that the ISO doesn't need to assess applications that only process Published or Controlled data. If your application does not process or store any Confidential data, you may still request an assessment, but the ISO may decline.
  6. Whether the app is hosted locally on campus. This decides whether there are any vendor contacts involved. If so, you'll need to either convince your vendor to provide the ISO with a qualified third-party assessment, or get permission from your vendor for the ISO to assess their app. You'll then need to coordinate with the vendor to provide the ISO with test credentials and a test environment as needed. Finally, you'll need to provide the ISO with the vendor's company name and a vendor contact.
  7. Whether the app allows login via UT EID. This decides whether you should provide the ISO with credentials specific to the app, or grant access and permissions to ISO test EIDs.
  8. Whether the app is a mobile app. There are special considerations for mobile apps. If the ISO lacks the appropriate information and access at the time of the assessment request, significant delays can occur in turnaround time. See Mobile Apps, below.
  9. The primary technical contact. This is the main UT contact for the ISO to coordinate with in the assessment. This will typically be the lead developer or systems administrator responsible for the application.
  10. Documentation and source code for the app. The more you can provide here, the more thorough an assessment the ISO can provide you.
  11. Blacklist. The ISO needs to know what parts of the app, if any, are off-limits for automated testing.
  12. Proposed start and end times. This can be any period that affords the ISO the necessary time to complete the assessment. By default, this is 10 business days.
  13. Notes. Any other considerations not covered above.

Mobile Assessments

Mobile apps require more setup than web apps, as they require the ISO to configure mobile devices to test. As such, the ISO needs the following information to prevent delays in turnaround time:
  1. Minimum compatible OS(es). The ISO needs to know in advance whether their current mobile devices are ready for testing your app, whether they need to reconfigure their existing devices, or whether they must requisition new devices to support the latest operating systems. Please specify if the app is tablet-only.
  2. Information sent to or stored by third parties. This will aid the ISO in focusing their testing efforts.
  3. Information stored locally. Different techniques and tools are needed for auditing data stored locally vs. in the cloud.
  4. A way to provide the ISO with the app. Assign the ISO the app via TestFlight (iOS), or provide a download of the APK for Android or the .app file for iOS.
  5. API endpoints. If the app has API endpoints, provide them to ensure a thorough assessment.