Web Application Security Testing at NC State
AppSec keeps you and NC State secure.
About AppSec at NC State
Learn more about how we Test Web Application Security and how it keeps us safe.
AppSec at NC State
The OIT Information Security Services (ISS) team offers the Web Application Security Testing Service to NC State development teams. This service helps web development teams assess the security of their web applications. Our goal is to reduce security risks by empowering developers to identify and correct the most critical security issues and by providing guidance regarding web application security concepts and best practices.
Don’t be confused by its many names — Vulnerability Scanning, Penetration Testing, Static Code Analysis or Dynamic Code Analysis. Just think of it as another way to test your application. Applications should be tested early and often.
This service is a best-effort offering. Ad-Hoc and Incident response scanning will be performed on an ongoing basis, as determined by our technical staff. Requests for On Demand and Automated Integration will be discussed with the requestor to appropriately schedule and communicate with the service owners.
All scans can be requested through ServiceNow by sending a ticket to firstname.lastname@example.org. Be sure to include the URL of the test instance of the application.
Learn more about web application security best practices and our testing methodology.
At NC State University, our approach to testing software for security issues is based
on the Open Web Application Security Project (OWASP) Testing Guide. We use a number of automated tools to help us scale the process of verifying the security of running web applications.
Secure Coding Principles
PHP specific secure coding considerations.
Frequently Asked Questions
Learn more how to get started.
Why Test Web Applications?
- Web applications represent an ever increasing attack surface. The most common web application security issues:
- Cross-Site Scripting (XSS)
- Broken Authentication
What are the benefits of Security Testing?
- As web applications become increasingly complex, a minor security bug application can be leveraged to negatively impact NC State. Security testing helps developers keep their web apps free from the most common security flaws before deploying them into production.
How is the Web Application Security Testing Service supposed to work?
- First, web application developer deploys a test instance of the application and submits a request to ISS. Next, ISS performs the test and analyses the results. Finally, developer is provided with a detailed report that includes findings, remediation steps and recommendations. Optionally, a validation test can be requested after necessary changes are implemented.
What is included in the service?
- ISS will review the application functionality, perform a Dynamic Application Security Testing and analyse the results of the test. Upon completion the web application developer will be provided the detailed report including remediation guidance and recommendations.
What will be run during these test?
- A series of automated checks is performed against a test instance of the application running in a development environment. ISS has a number of automated security testing tools that can be used to run a variety of scans.
How safe is the testing?
- Due to the nature of the security testing ISS can’t make any guarantees regarding the safety of data or the environment in which the application is running. You should be prepared to lose the data and be able to rebuild the application if necessary. That is why testing will only be performed on a test instance running in a development environment.
What does it cost to use?
- The service is offered free of charge and on a best effort basis.
What kind of support do you offer?
- We’ll do our best to run the scans in a timely manner and to provide remediation guidance on a first come, first served basis. ISS reserves the right to prioritize based on our assessment of risk and criticality.
How to request the service?
- All scans can be requested through ServiceNow by sending a ticket to email@example.com
How long does the testing take?
- The duration of the scan depends on the size of the application and the scope of testing. The number of checks can take up to several hours.
When should the security of web applications be tested?
- Ideally security is considered at every stage of the application development cycle. As a rule, the later security issues are identified the harder and costlier they are to address. Test early. Test often.