The West Virginia Office of Technology (WVOT) Quality Assurance (QA) Team is now offering Web Application Assessments. The Web Application Assessment investigates a web application for vulnerabilities, configurations, and other issues that could pose security risks to applications.
The Web Application Assessment Process
The Web Application Assessment entails a three-step process:
- Once the request is received, a Quality Assurance Analyst will be in touch to discuss details of your website. Requests are handled in the order they are received, and an analyst will typically be in touch within 1-2 business days. The analyst will speak with the site administrator and developer to become more familiar with the application and the environment. Safeguards, such as backups, assessing a development/acceptance server, and assessing during off-peak hours, are also discussed to ensure that recovery can be performed in the event of a problem. The customer will need to sign the rules of engagement before proceeding.
- The assessment will be performed at a predetermined time as agreed upon by the customer. The assessment is made up of automated scanning, along with manual scanning to discover parts of the application that the automated scan misses and to verify false positives found by the automated process. To the web application, manual testing is typically similar to a regular user browsing/using the application. On the other hand, automated scanning is typically a rapid-fire scan of the site and can cause additional load on the website. Depending on site size, the assessment process can take several days.
- Results of the assessment are provided to the customer point of contact. These results include an executive summary report and the detailed results of the automated scan. The executive summary report provides a high-level overview of the severity of the issues that were identified. The detailed report is typically much longer and discusses the issues with the site, where they are found, and steps for remediation. After the assessment is finished and the issues are remediated, subsequent scans can be requested to ensure that the problems have been fixed and that no new vulnerabilities were introduced during the remediation activities.
Web Application Assessment Goals
The goal of these assessments is to provide information about the security of a website, to inform customers about the consequences of web application weaknesses, and to raise awareness about web application security. As with most technology, web applications are evolving targets and require persistent testing and assessment.
Please contact the WVOT if you would like to request additional information or read our FAQs.