About vulnerability scanners

Why vulnerability scanning is important

The QualysGuard vulnerability scanners (often known as "Qualys") let faculty and staff who maintain servers and websites at Indiana University discover vulnerabilities. Qualys offers a standard vulnerability scan that identifies the host operating system, running services, and open ports. Once this information has been captured, the scan engine selects the relevant vulnerability checks to perform, runs them, and interprets the results. Periodically reviewing vulnerability scan reports is required by Security of Information Technology Resources (IT-12). Qualys web application scanning is another useful option that tests web applications for a variety of vulnerabilities, such as cross-site scripting and SQL injection.

System administrators face security concerns every day. (For example: What would be the damage if someone broke into your website? Is institutional data present? Would you be liable under the law? What would happen if your website were defaced? What if it were used to distribute illegal content?) A vulnerability scan doesn't completely eliminate these risks, but it does make you aware of potential system flaws before an attacker can use them. Additionally, any action you take to increase security on your systems will improve the security of the IU network overall.

Roles and responsibilities

The University Information Security Office (UISO) runs and maintains the Qualys service for the IU community; however, the system owner is responsible for addressing the vulnerabilities identified in the scan report. If Qualys reports a vulnerability that cannot be addressed, or you have implemented compensating controls that are not reflected on the scan report, report this to the UISO at scanner-admin@iu.edu. A UISO engineer will evaluate whether the compensating control sufficiently protects against the potential vulnerability and can then remove the vulnerability from the scan report.

Additionally, the UISO scanner administrator runs a weekly automated scan of IP space for devices within the IU Data Center. IT Pros must sign up for the service to generate and receive reports based on those scans.

Important: Risks of web application vulnerability scanning

Any type of vulnerability scan carries some inherent risks, including degraded performance, unintentional denial of service, and accumulation of garbage data.

These risks are usually minimal and temporary, however, and are outweighed by the advantage of discovering weaknesses in your web application. Furthermore, anyone with access to your site can perform the same actions as the UISO scanners, and it is better that you identify vulnerabilities via a Qualys web application vulnerability scan rather than have them exploited by someone with nefarious intentions.

It is important to note that the scanner actively fills out and submits web forms in order to test for certain vulnerabilities, including SQL injection and cross-site scripting. The data it submits is meant to be easy to recognize so that you can delete it from your database afterward. The entries Qualys leaves in your database will be SQL injection test input. It is difficult to give a specific example of what this input will look like because it varies by database, but it will likely attempt to update a variable within the database with the Update command; for example, if the database contains the "staff" and "ID" variables, the inserted input would look similar to:


ST=U&ID=60
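As an added example (not part of this Knowledge Base page and not Qualys's own code), here is a small Python triage script showing one way to find the scanner's leftover entries in a form-submission table afterward: rows created inside the scan window that carry common injection-style markers are flagged for deletion, clean rows from the same window are kept for manual review, and probe-like rows outside the window are separated out because they did not come from the scan. The row layout, scan window, and marker patterns are all assumptions.

```python
"""Triage stored form submissions after a web application scan.
Added example, not from the IU Knowledge Base page or from Qualys. Assumed:
rows are dicts with 'id', 'created_at' (ISO 8601 UTC) and 'fields';
PROBE_PATTERNS are constructed generic markers, not a scanner's real payloads.
"""
import re
from datetime import datetime, timezone
# Constructed markers typical of SQL injection and cross-site scripting tests.
PROBE_PATTERNS = [
    re.compile(r"<script\b", re.I),                                     # XSS tag
    re.compile(r"""['"]\s*(?:or|and)\s+['"]?\d+['"]?\s*=\s*['"]?\d+""", re.I),
    re.compile(r";\s*(?:drop|update|insert|delete)\s", re.I),           # stacked query
    re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),                 # union-based
]

def looks_like_probe(value):
    """True if a stored field value matches one of the injection/XSS markers."""
    return any(p.search(value) for p in PROBE_PATTERNS)

def flag_scan_residue(submissions, scan_start, scan_end):
    """Return (id, reason) pairs for rows needing cleanup or follow-up.
    scan_residue: created during the scan and carries probe markers (delete).
    review:       created during the scan but clean (may be a real user).
    investigate:  probe markers outside the scan window, so not the scanner.
    Clean rows outside the window are not listed."""
    flagged = []
    for row in submissions:
        created = datetime.fromisoformat(row["created_at"])
        probe = any(looks_like_probe(str(v)) for v in row["fields"].values())
        if scan_start <= created <= scan_end:
            flagged.append((row["id"], "scan_residue" if probe else "review"))
        elif probe:
            flagged.append((row["id"], "investigate"))
    return flagged

# Constructed sample rows and scan window (all times UTC).
SCAN_START = datetime(2023, 6, 20, 10, 0, tzinfo=timezone.utc)
SCAN_END = datetime(2023, 6, 20, 10, 30, tzinfo=timezone.utc)
SAMPLE_SUBMISSIONS = [
    {"id": 1, "created_at": "2023-06-20T09:00:00+00:00",
     "fields": {"name": "Jane Doe", "comment": "Great event!"}},
    {"id": 2, "created_at": "2023-06-20T10:05:00+00:00",
     "fields": {"name": "' OR 1=1 --", "comment": "x"}},
    {"id": 3, "created_at": "2023-06-20T10:07:30+00:00",
     "fields": {"name": "<script>alert(1)</script>", "comment": "x"}},
    {"id": 4, "created_at": "2023-06-20T10:09:00+00:00",
     "fields": {"name": "Real User", "comment": "Signed up during the scan"}},
    {"id": 5, "created_at": "2023-06-21T03:00:00+00:00",
     "fields": {"name": "bob", "comment": "1; DROP TABLE staff"}},
]
```

Running `flag_scan_residue(SAMPLE_SUBMISSIONS, SCAN_START, SCAN_END)` lists rows 2 and 3 as scan residue, row 4 for review, and row 5 to investigate; the script only reports, and deletion stays a manual decision.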

If SQL injection is a likely concern in your environment, UITS recommends that administrators only run web application vulnerability scans of the test/stage environment; this is up to your discretion.

If you do decide to scan a production website, be sure to notify your supervisor, colleagues, IT Pros, and anyone else who has a stake in the website or service. Since the scan may impact performance and generate unusual-looking data, users of the site may believe it's an attack and panic if not properly informed.

Learn more

  • For step-by-step instructions for accessing and using Qualys, see How to use Qualys.

If you are a web developer and you want to improve your site's security, consider the following resources:

  • Open Web Application Security Project: The Open Web Application Security Project (OWASP) contains a great deal of information on preventing web vulnerabilities. Specifically, the OWASP Top Ten details the most prevalent web security issues today.
  • SANS: SANS offers several courses on web application security.
  • Web Application Security Consortium: The Web Application Security Consortium (WASC) is a trade organization that offers community forums and a library of technical information on web app vulnerabilities and how to prevent them.
  • Verify browser security: Use the Qualys BrowserCheck tool to ensure any browser used to access protected data is as secure as possible.

This is document bgzt in the Knowledge Base.
Last modified on 2023-06-27 09:57:35.