
Enterprise Web Infrastructure: Using Pitt SecureWeb

Before a University Web site can be published, it must be scanned for vulnerabilities and other security issues. This document explains how to use Pitt SecureWeb, the University's service for provisioning security scans of Web sites. Any Web browser running Adobe Flash can use Pitt SecureWeb.

Please allow five (5) business days for scan results.

Note: Scan requests will not be processed during University Holidays.

Getting Started

To get started using Pitt SecureWeb:

  1. Create a new development Web site.
  2. Fill out an online form to provision a site project in Pitt SecureWeb.
    Note: A development (or staging) version and a production version of your site are always provisioned together as part of the creation process for a project.

    You will receive email notification when your project has been provisioned and is ready to be scanned.


  3. Log in to the secure Web portal at http://secureweb.pitt.edu and request a scan for your project.

This provisioning process only needs to be carried out one time for a project; however, for each development (staging) and production Web site pair, you will need to carry out these steps again to create a new project. Returning users can access Pitt SecureWeb any time to request new scans, audit scan results, and resubmit project sites for additional scanning.


Request a Scan

When you request a scan, make sure that you have the URL of the site that you wish to scan and the user-level credentials (not the administrative login credentials): a username (called 'Site Login' here) and a password ('Site Passcode').

  1. Log in at http://secureweb.pitt.edu.
  2. From the Dashboard, click the Projects tab on the menu ribbon. A list of your Project sites will appear on the left-hand side of the dashboard.

    Pitt SecureWeb Screenshot 1

    Note: Sites contained in WebScan are organized into projects.
  3. Select your Project version site [either Prod or Stage] from the list on the left-hand side of the Projects window.

    Note: You may need to expand the list first by clicking on the triangle to the left of the Project Name.

    Pitt SecureWeb Screenshot 2
  4. Click View Details (located above the list of projects and versions).

    Pitt SecureWeb Screenshot 3
     
  5. From the Issues tab, click Dynamic Scan Request and then select ‘+ Create’ from the drop-down list.

    Pitt SecureWeb Screenshot 4
  6. On the Dynamic Scan Request form that appears, enter the following information:
     
    • URL: The Web address (URL) of the site that will be scanned.
    • Username: This is the username for a test Web site user-level account, not the administrative login credentials.
    • Password and Re-type Password: This is the password for the test Web site user-level account, not the administrative login credentials. Enter it in both fields.
       
    Pitt SecureWeb Screenshot 5
     
  7. Click Submit.

Audit Scan Results

Once your site has been scanned, you will receive an email that the results are available. You can then review any outstanding issues that a report has returned, fix these issues, and resubmit the entire site to be scanned again.

Note: Several issue categories exist. Critical- and High-level issues that are listed must be reviewed and remediated.

To audit your scan results:

  1. Under the Projects tab, select your project version [either Prod or Stage] and click the Audit Issues button (located above the list of projects and versions).

    Note: You may need to expand the list first by clicking on the triangle to the left of the Project Name.

    Pitt SecureWeb Screenshot 6
  2. Issues are broken down into severity and category. To select an issue:
     
    1. Click one of the severity tabs on the left-hand side of the dashboard (Critical, High, Medium, Low, and All).
      Note: The left-hand side of the Audit window also contains optional sorting and filtering options for displaying issues.
    2. Click an individual issue on the right-hand side of the dashboard to highlight it.
    3. Click View Details in the right-hand side window panel.
       
    Pitt SecureWeb Screenshot 7
  3. Expand the lower right-hand side window pane, then click on the tabs to review any additional information specific to the issue such as its Details, Recommendations, History, Steps (to reproduce), and Screenshots.

    Pitt SecureWeb Screenshot 8
  4. Apply the required procedural fix to the issue or vulnerability. If your department or unit has certain procedures that you follow, implement them here too.
  5. In the lower left-hand side panel, for each Critical or High vulnerability, select from the drop-down list the option that indicates the status of the issue:
    • Requires Remediation (default) - This issue represents a serious vulnerability and should be addressed with urgency.
    • Issue Resolved – The reported issue has been resolved.
    • False Positive - The reported issue is clearly not vulnerable in any situation and we can safely ignore it.
       
    Pitt SecureWeb Screenshot 9
  6. Enter any additional comment in the field provided, then click Add Comment.
  7. When you are finished, click the Up arrow or the Issue List link in the upper left-hand side of the details panel.

    Pitt SecureWeb Screenshot 10

Repeat steps 2 through 7 until you have reviewed all the Critical- and High-level issues. To resubmit the site for additional scanning, go to the next section of this document.


Resubmit Site for Additional Scanning

Once you have remediated any Critical- or High-level issues for your site, you can resubmit the site for a new SecureWeb scan using the following instructions:

  1. From the Projects section, select a production or development (staging) site from the list on the left-hand side of the dashboard on the Projects tab.
  2. Click View Details.
  3. From the Issues tab, click Dynamic Scan Request.
  4. Select ‘+ Create’ from the drop-down list.
  5. On the form that appears, verify the information populated from the previous scan:
    • URL: the Web address (URL) of the site that will be scanned.
    • Username: This is the username for a test Web site user-level account, not the administrative login credentials.
    • Password and Re-type Password: This is the password for the test Web site user-level account, not the administrative login credentials. Enter it in both fields.
  6. Click Submit.

Frequently Asked Questions

What user ID and password do I use when completing the Dynamic Scan Request Form?

Use a test user account with normal, non-administrative privileges.

How do I get access to the SecureWeb service?

  • If you are the Web site owner or technical contact for a new Web site: Please complete the SecureWeb Site Enrollment Form.
  • If this is an existing project in SecureWeb: Have the Web site owner or Web site technical contact submit a Help Desk request to have your University of Pittsburgh Computing Account (UCA) added to the project in SecureWeb.

How can I get additional users added to a project in SecureWeb?

To submit your SecureWeb request for additional users, contact the Technology Help Desk at 412 624-HELP [4357] or submit your request online. A help ticket will be created for your request.