Web Application Security Testing Service

Web Application Security Testing at NC State

AppSec keeps you and NC State secure.

 


About AppSec at NC State

Learn more about how we Test Web Application Security and how it keeps us safe.

AppSec at NC State

The OIT Information Security Services (ISS) team offers the Web Application Security Testing Service to NC State development teams. This service helps web development teams assess the security of their web applications. Our goal is to reduce security risks by empowering developers to identify and correct the most critical security issues and providing guidance regarding web application security concepts and best practices.

Don’t be confused by its many names — Vulnerability Scanning, Penetration Testing, Static Code Analysis or Dynamic Code Analysis. Just think of it as another way to test your application. Applications should be tested early and often.

This is a best-effort offering. Ad-Hoc and Incident response scanning will be performed on an ongoing basis, as best determined by our technical staff. Requests for On Demand and Automated Integration will be discussed with the requestor to appropriately schedule and communicate with the service owners.

All scans can be requested through ServiceNow by sending a ticket to security@help.ncsu.edu

AppSec Resources

Learn more about web application security best practices and our testing methodology.

Testing Methodology

At NC State University, our approach to testing software for security issues is based on the Open Web Application Security Project (OWASP) Testing Guide. We use a number of automated tools to help us scale the process of verifying the security of running web applications.

 

Secure Coding Principles

PHP-specific secure coding considerations.

Frequently Asked Questions

Learn more about how to get started.

Why Test Web Applications?

  • Web applications represent an ever-increasing attack surface. The most common web application security issues are:
    • Injection
    • Cross-Site Scripting (XSS)
    • Broken Authentication

What are the benefits of Security Testing?

  • As web applications become increasingly complex, a minor security bug in an application can be leveraged to negatively impact NC State. Security testing helps developers keep their web apps free from the most common security flaws before deploying them into production.

How is the Web Application Security Service supposed to work?

  • A series of automated checks is performed against a test instance of the application running in a development environment.

What is included in the service?

  • A series of automated checks is performed against a test instance of the application running in a development environment.

What will be run during these tests?

  • A series of automated checks is performed against a test instance of the application running in a development environment. We have a number of automated security testing tools that we use to run a variety of scans.

How safe is the testing?

  • Due to the nature of security testing, we can’t make any guarantees regarding the safety of data or the environment in which the application is running. You should be prepared to lose the data and be able to rebuild the application if necessary. That is why testing will only be performed on a test instance running in a development environment.

What does it cost to use?

  • The service is offered free of charge and on a best-effort basis.

What kind of support do you offer?

  • We’ll do our best to run the scans in a timely manner and to provide remediation guidance on a first-come, first-served basis. We reserve the right to prioritize based on our assessment of risk and criticality.

How to request the service?

  • All scans can be requested through ServiceNow by sending a ticket to security@help.ncsu.edu

How long does the testing take?

  • The duration of the scan depends on the size of the application and the scope of testing. The checks can take up to several hours to complete.

When should the security of web applications be tested?

  • Ideally, security is considered at every stage of the application development cycle. As a rule, the later security issues are identified, the harder and costlier they are to address. Test early. Test often.

 
 
