Scanning Your Website Using Pitt SecureWeb

Overview

Before a University website can be published, it must be scanned for vulnerabilities and other security issues. This document explains how to use Pitt SecureWeb, the University’s solution for provisioning security scans of websites. Any web browser running Adobe Flash can use Pitt SecureWeb.

Please allow five (5) business days for scan results.

Note: Scan requests will not be processed during University holidays.


Detail

Getting Started

To get started using Pitt SecureWeb:

  1. Create a new development website.
  2. Fill out an online form to provision a site project in Pitt SecureWeb.
    Note: A development (or staging) version and a production version of your site are always provisioned together as part of the creation process for a project.

    You will receive email notification when your project has been provisioned and is ready to be scanned.

  3. Log in to the secure web portal at secureweb.pitt.edu and request a scan for your project.

This provisioning process only needs to be carried out one time for a project. However, for each development (staging) and production website pair, you will need to carry out these steps again to create a new project. Returning users can access Pitt SecureWeb any time to request new scans, audit scan results, and resubmit project sites for additional scanning.

Note: You must be on PittNet to request a scan. This includes PittNet VPN if you are not on premises. Please see: Getting, Setting Up, and Connecting With PittNet VPN (GlobalProtect)


Request a Scan

When you request a scan you will need the URL of the site to be scanned and the credentials of a user-level account (not the administrative login credentials). You will enter them as the username (called Site Login here) and password (Site Passcode).

  1. Log in at secureweb.pitt.edu.
  2. From the Dashboard, click the Projects tab on the menu ribbon. A list of your Project sites will appear on the left-hand side of the dashboard.

    Pitt SecureWeb Screenshot 1

    Note: Sites contained in WebScan are organized into projects.
  3. Select your Project version site (either Prod or Stage) from the list on the left-hand side of the Projects window.

    Note: You may need to expand the list first by clicking on the triangle to the left of the Project Name.

    Pitt SecureWeb Screenshot 2
  4. Click View Details (located above the list of projects and versions).

    Pitt SecureWeb Screenshot 3
  5. From the Issues tab, click Dynamic Scan Request and then select + Create from the drop-down menu.

    Pitt SecureWeb Screenshot 4
  6. On the Dynamic Scan Request form that appears, enter the following information:

    • URL: The web address (URL) of the site that will be scanned.
    • Username: The username of a test user-level account on the website, not the administrative login credentials.
    • Password and Re-type Password: The password of that test user-level account, not the administrative login credentials. Enter it in both fields.

    Pitt SecureWeb Screenshot 5

  7. Click Submit.

Audit Scan Results

Once your site has been scanned, you will receive an email that the results are available. You can then review any outstanding issues that a report has returned, fix these issues, and resubmit the entire site to be scanned again.

Note: Several issue categories exist. Critical- and High-level issues that are listed must be reviewed and remediated.

To audit your scan results:

  1. Under the Projects tab, select your project version (either Prod or Stage) and click the Audit Issues button (located above the list of projects and versions).

    Note: You may need to expand the list first by clicking on the triangle to the left of the Project Name.

    Pitt SecureWeb Screenshot 6
  2. Issues are broken down by severity and category. To select an issue:

    1. Click one of the severity tabs on the left-hand side of the dashboard (Critical, High, Medium, Low, or All).
      Note: The left-hand side of the Audit window also contains optional sorting and filtering options for displaying issues.
    2. Click an individual issue on the right-hand side of the dashboard to highlight it.
    3. Click View Details in the right-hand side window panel.

    Pitt SecureWeb Screenshot 7
  3. Expand the lower right-hand side window pane. Then click the tabs to review additional information specific to the issue, such as Details, Recommendations, History, Steps (to reproduce), and Screenshots.

    Pitt SecureWeb Screenshot 8
  4. Apply the required procedural fix to the issue or vulnerability. If your department or unit has certain procedures that you follow, implement them here too.
  5. In the lower left-hand side panel, for each Critical or High vulnerability, select the option from the drop-down menu that indicates the status of the issue:
    • Requires Remediation (default) - This issue represents a serious vulnerability and should be addressed with urgency.
    • Issue Resolved - The reported issue has been resolved.
    • False Positive - The reported issue is clearly not vulnerable in any situation and can safely be ignored.

    Pitt SecureWeb Screenshot 9
  6. Enter any additional comment in the field provided, then click Add Comment.
  7. When you are finished, click the Up arrow or the Issue List link in the upper left-hand side of the details panel.

    Pitt SecureWeb Screenshot 10

Repeat steps 2 through 7 until you have reviewed all the Critical- and High-level issues. To resubmit the site for additional scanning, go to the next section of this document.


Resubmit Site for Additional Scanning

Once you have remediated any Critical- or High-level issues for your site you can resubmit the site for a new SecureWeb scan using the following instructions:

  1. On the Projects tab, select a production or development (staging) site from the list on the left-hand side of the dashboard.
  2. Click View Details.
  3. From the Issues tab, click Dynamic Scan Request.
  4. Select + Create from the drop-down menu.
  5. On the form that appears, verify the information populated from the previous scan:
    • URL: The web address (URL) of the site that will be scanned.
    • Username: The username of a test user-level account on the website, not the administrative login credentials.
    • Password and Re-type Password: The password of that test user-level account, not the administrative login credentials. Enter it in both fields.
  6. Click Submit.

Frequently Asked Questions

What user ID and password do I use when completing the Dynamic Scan Request Form?

Use a test user account with normal, non-administrative privileges.

How do I get access to the SecureWeb service?

  • If you are the website owner or technical contact for a new website: Please complete the SecureWeb Site Enrollment Form.
  • If this is an existing project in SecureWeb: Have the website owner or website technical contact submit a help request to have your University of Pittsburgh Computing Account (UCA) added to the project in SecureWeb.

How can I get additional users added to a project in SecureWeb?

To submit your SecureWeb request for additional users, contact the Technology Help Desk at 412-624-HELP (4357) or submit your request online. A case will be created for your request.


Details

Article ID: 185
Created: Fri 7/28/23 11:51 AM
Modified: Fri 3/8/24 12:30 PM
