Server Security Review
Security reviews provide a thorough overview of the current state of an application, server, or endpoint device and its security.
All Virginia Tech servers should properly implement data security policies and standards to ensure integrity and authenticity. Compliance with these policies and standards strengthens server security by assessing control access, checking for software vulnerabilities, and assessing security countermeasures.
Server security reviews cover a multitude of important security concepts:
- Machine Documentation
- Systems inventory list
- Network map
- Firewall Verification
- Vulnerability Scanning
- Penetration Testing
- Network-based Applications
- Network traffic analysis
- Determine potential attack vectors
- Version checking
- Web-based Applications
- Injection attack testing
- Data policy compliance
- Version checking
- Local Security
- Locating sensitive data
- Physical Security
- Control access
- Data disposal procedures
- Mobile systems (e.g. laptops, PDAs)
- Special policies
- Minimize sensitive data leakage
- Use analysis
Upon requesting a security review, the IT Security Office will reach out to schedule a time to scan the applicable devices and establish the scope of the scan.
Once the scan is done, the IT Security Office will prepare a report of any and all major security issues and the full scan results.
If any security issues were found, the affected devices and applications should be quarantined until all issues are resolved.
Request a Security Review
Virginia Tech departments may request a security review of a commercial or homegrown application or server. The Virginia Tech IT Security Office is responsible for conducting security reviews, which can be requested through 4Help or by emailing email@example.com.
- Login to 4Help.
- Navigate to the Application Reviews knowledge base (KB) article.
- Click Request this service and fill out the request form.
Conducting a Security Review
Select one or more tools to evaluate the target device’s security. A. Do not select a tool that could execute damaging attacks, such as distributed denial of service attacks. Here are some popular options for vulnerability scanning: - Burp Suite - Nessus - Qualsys Web Application Scanner - Qualsys SSL Server Test - Secuiri SiteCheck - Mozilla Observatory
All of these are either free or have a free version.
Use the selected tools. Below are some informational materials for using the aforementioned vulnerability scanners.
Document and submit all vulnerability findings to the proper channels in order to get them resolved. A. List all detected vulnerabilities.
B. Confirm that the vulnerabilities are valid by reproducing them.
C. Report the vulnerabilities.
Refer back to the documented findings to verify that they’ve been resolved within the appropriate amount of time.