University of Wisconsin–Madison

Vulnerability Scanning

What is Vulnerability Scanning? Vulnerability scanning is an automated process of identifying security vulnerabilities (weaknesses) of computing systems such as web applications and servers. UW-Madison Office of Cybersecurity offers vulnerability scanning service and will work with you to secure your applications and servers.

A Host-based Vulnerability Scanner is used to proactively identify and address security vulnerabilities by scanning the hosts in our network based on known flaws. Findings are displayed in reports that departments can use to tighten the security for those assets.

A Web Application Vulnerability Scanner is used to identify known security vulnerabilities of web applications such as cross-site scripting, SQL injection, etc. and generate reports of findings that developers can use to tighten the security for the web applications in our network.

Getting Started

Email cybersecurity@cio.wisc.edu to request a scan!

But, before we scan, we need to gather some information about the test application and its environment, as well as ensuring readiness, safeties, and set expectations.

For a Host-based Vulnerability scan:

  1. What IP addresses or range will need to be scanned?
  2. Are you authorized to order a scan for all assets in the address or ranges provided?
    1. If you are not, then obtain and list authorizations or prune your asset list as needed.
  3. Are there any other network devices on the network, excluding servers, workstations and network equipment? Common examples are printers, VoIP phones, or wireless access points.
  4. Do you have a firewall between your network and campus network? If so, you will need to make arrangements to make sure our scans can pass through the firewall.

For a Web Application Vulnerability scan:

  1. Please provide a description of what the application does.
  2. What OS, software products, application servers, and/or database are used?
  3. What server names (or specific pages, paths, or URIs, if applicable) should be included in the scope of this vulnerability scan?
  4. Please list all assets that the application uses or accesses (e.g. servers, databases, external applications, authentication mechanisms, APIs, etc.):
    1. Are there production servers or databases included in this application’s test instance? If so, list them here:
    2. Are you the steward for all the assets and/or services used in the application test instance?
  5. If the application vulnerability scan causes an adverse impact on the instance provided for testing (including servers, databases, and/or applications), are you OK with that?
    1. If you answered no for item 4)b, show approval by asset or service stewards:
  6. Do the servers, applications, or databases involved in this evaluation use any live or production data?
    1. If so, is there any sensitive or protected data in play? (FERPA data, PII, SSN, payment card, HIPAA, etc.)
    2. If any of the data is lost or overwritten during the scan, is that a concern?
  7. Is it acceptable to do application scanning while other users test this system, or will we need a scan window?
  8. Is the test instance backed up such that we can request a recovery if needed?
  9. Is this application authenticated?
    1. If so, what facility used for authentication?
    2. If so, what levels of privilege exist in this application? We will request, at a minimum, User level application access. Admin level access will be requested to test privilege escalation vulnerabilities if available.
  10. Is there any other information you think we need to know about before we commence testing?

Self-Service Vulnerability Scanning Tools

The Office of Cybersecurity also provides self-service option! If you prefer scanning on your own, the following tools are available for self-service vulnerability scanning:

  • Qualys Vulnerability Management (VM) – Qualys VM runs various tests to determine whether any of the open ports or services on a target server are vulnerable to known exploits. It provides external, internal, and authenticated scans.
  • Qualys Web Application Scanning (WAS) – Qualys WAS is a web-based vulnerability scanning tool that allows you to perform dynamic web application vulnerability scans.
  • Qualys Cloud Agent – Qualys Cloud Agent is a small program installed on a host and provides real-time vulnerability information sent back to Qualys Enterprise Suite Cloud Platform. It collects data to identify vulnerabilities including missed patches and vulnerable configurations.

Email cybersecurity@cio.wisc.edu to request a Qualys account!

Qualys VM/WAS Self-Paced Online Training

Qualys Self-Paced training covers the same objectives from the in-person training. Students will be provided with a demo account for hands-on exercise. This training is offered at no cost. Each training takes approximately 8 hours.

Other helpful Knowledgebase articles:

Any questions? Feel free to email cybersecurity@cio.wisc.edu.