Scanning Your Website Using Pitt SecureWeb

Overview

Before a University website can be published, it must be scanned for vulnerabilities and other security issues. This document explains how to use Pitt SecureWeb, the University's solution for provisioning security scans of websites. Any web browser running Adobe Flash can use Pitt SecureWeb.

Please allow five (5) business days for scan results.

Note: Scan requests will not be processed during University holidays.


Detail

Getting Started

To get started using Pitt SecureWeb:

  1. Create a new development website.
  2. Fill out an online form to provision a site project in Pitt SecureWeb.
    Note: A development (or staging) version and a production version of your site are always provisioned together as part of the creation process for a project.

    You will receive email notification when your project has been provisioned and is ready to be scanned.

This provisioning process only needs to be carried out once per project. However, each development (staging) and production website pair is its own project, so you will need to repeat these steps to create a new project for every such pair. Returning users can access Burp Suite at any time to view and audit scan results.


Request a Scan

Prerequisites:

  • You must be the owner of the site.
  • Ensure that you have all necessary information about the site readily available.

  1. Access the Request Form:
    • Open your web browser and navigate to: https://pi.tt/secureweb-enroll.
  2. Complete each section of the form:
    • Owner Contact Information:
      • Note: Make sure to modify the Callback Number if necessary.
      • Enter the Site Owner name.
      • Provide the Site Owner email address.
      • Include the Site Owner phone information, both during work and after hours.
    • Site Information:
      • Enter the full URL of the site to be scanned.
        • Ensure this matches the site's DNS record.
      • For Development URL, if you are unsure what this will be, simply copy the Production URL.
      • Provide a brief description of the site.
        • Mention any specific areas of concern or focus for the scan.
      • Select whether the site will have payment transactions and/or sensitive data.
    • Technical Contact:
      • Enter the Technical Owner name.
      • Provide the Technical Owner email address.
      • Include the Technical Owner phone information, both during work and after hours.
    • Secondary Contact:
      • If necessary, include Secondary Contact information.
    • Technical Information:
      • Check off whether this site will use a database.
      • Specify the Content Management System.
      • Include the Website Login, Username, and Password, if necessary.
      • Select what Web Site Language the site will be using.
  3. Submit the form:
    • Review all the entered information to ensure accuracy.
    • Click the "Submit" button at the bottom of the form.
  4. Confirmation and Follow-Up:
    • After submission, you will receive a confirmation email with the details of your request, including the TDX case number.
    • A representative will contact you within 1-2 business days to discuss the next steps and any additional requirements.
  5. Scan and Remediation:
    • Once the scan is scheduled, Burp Suite Enterprise will perform the scan on your site.
    • For further information about viewing scan results: <INSERT KB LINK HERE>
    • You will receive a detailed report outlining any vulnerabilities or issues found.
    • Follow the remediation instructions provided in the report to address the identified issues.
    • If you need assistance with remediation, contact the support team as indicated in the report.
  6. Contact Information:
    • For any issues or further assistance, please reach out to the support team at [support email] or call [support phone number].


Resubmit Site for Additional Scanning

Once you have remediated any Critical- or High-level issues for your site, you can resubmit the site for a new SecureWeb scan using the following instructions:

  1. On the Projects tab, select a production or development (staging) site from the list on the left-hand side of the dashboard.
  2. Click View Details.
  3. From the Issues tab, click Dynamic Scan Request.
  4. Select + Create from the drop-down menu.
  5. On the form that appears, verify the information populated from the previous scan:
    • URL: The web address (URL) of the site that will be scanned.
    • Username: The username for a test website user-level account, not the administrative login credentials.
    • Password and Re-type Password: The password for the same test website user-level account, not the administrative login credentials. Enter this information in both fields.
  6. Click Submit.

Frequently Asked Questions

Q1: What if I can't see my department's sites?

A: Ensure that you have the appropriate read-only access permissions. If you would like to request access, create a Help Desk ticket and specify which site you would like read-only access to. The ticket will then be sent to Security for review.

Q2: Can I generate reports from the scan results?

A: As a read-only user, you can view and export scan results but cannot generate custom reports. As a reminder, please treat vulnerability scan exports as highly sensitive data.

Q3: What vulnerabilities should I remediate?

A: Security requires that all "High" and "Medium" issues/vulnerabilities be remediated.

Q4: Can I see scans from other departments?

A: No, read-only access is restricted to sites within your department only.

Q5: How often are scans performed on my department's sites?

A: The frequency of scans is determined by your department's security policy. Check with your system administrator for specific details regarding scan schedules.

Q6: What if I encounter issues accessing the scan results?

A: If you experience any issues accessing the scan results, ensure you have a stable internet connection and are using a compatible web browser. If the problem persists, contact the Pitt IT Help Desk for further assistance.

Q7: Can I filter scan results to see specific types of vulnerabilities?

A: Yes, you can use the filtering options within the scan results tab to narrow the results down to specific types of vulnerabilities or issues.
