Overview
Before a University website can be published, it must be scanned for vulnerabilities and other security issues. This document explains how to use Pitt SecureWeb, the University's service for provisioning security scans of websites.
Please allow five (5) business days for scan results.
Note: Scan requests will not be processed during University holidays.
Detail
Getting Started
To get started using Pitt SecureWeb:
- Create a new development website.
- Fill out the online form to provision the website in Pitt SecureWeb.
Note: A development (or staging) version and a production version of your site are always provisioned together as part of the creation process for a website.
You will receive an email notification when your website has been provisioned and is ready to be scanned.
This provisioning process only needs to be carried out once per website.
Request a Scan
Prerequisites:
- You must be the owner of the site.
- Have all necessary information about the site (production and development URLs, contact details, platform details, and any login the scanner will need) readily available.
- Access the Request Form: open your web browser and navigate to the Pitt SecureWeb enrollment form.
- Complete the Owner Contact Information section:
  - Modify the Callback Number if necessary.
  - Enter the Site Owner name.
  - Provide the Site Owner email address.
  - Include Site Owner phone information, both during work hours and after hours.
- Complete the Site Information section:
  - Enter the full URL of the site to be scanned. Ensure that the hostname matches the site's DNS record: the scanner tests the URL exactly as entered, and a name that does not resolve cannot be scanned.
  - For the Development URL, if you are unsure what this will be, simply copy the Production URL.
  - Provide a brief description of the site. Mention any specific areas of concern or focus for the scan.
  - Select whether the site will handle payment transactions and/or sensitive data.
- Complete the Technical Contact section:
  - Enter the Technical Owner name.
  - Provide the Technical Owner email address.
  - Include Technical Owner phone information, both during work hours and after hours.
- Complete the Secondary Contact section (if applicable):
  - Include Secondary Contact information if necessary.
- Complete the Technical Information section:
  - Indicate whether this site will use a database.
  - Specify the Content Management System.
  - If the scanner must log in to reach parts of the site, include the Website Login, Username, and Password. Use a dedicated test account for this rather than a personal account.
  - Select the website language the site will be using.
- Submit the Form:
  - Review all entered information to ensure accuracy.
  - Click the "Submit" button at the bottom of the form.
- Confirmation and Follow-Up:
  - After submission, you will receive a confirmation email with the details of your request, including the TDX case number.
  - A representative will contact you within 1–2 business days to discuss the next steps and any additional requirements.
- Scan and Remediation:
  - Once the scan is scheduled, Burp Suite DAST will perform the scan on your site.
  - You will receive a detailed report outlining any vulnerabilities or issues found.
  - Follow the remediation instructions provided in the report to address the identified issues.
  - If you need assistance with remediation, contact the member of the security team who sent you the results.
- Further Assistance:
  - For any issues or further assistance, please open a Help Desk ticket.
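Because a request takes several business days to turn around, it is worth checking the two URLs before they go on the form. The script below is an added example, not part of Pitt SecureWeb or the enrollment form; it assumes only that the form takes one Production URL and one Development URL and that the scanner needs each hostname to have a DNS record. It flags URLs with no scheme or hostname, hostnames that do not resolve, credentials embedded in the URL (those belong in the Technical Information section, not the URL), plain-HTTP URLs, and a Development URL identical to the Production URL (allowed by the form, but worth confirming). The resolver is injectable so the check can be exercised without network access.

```python
"""Pre-flight check for the URLs entered on a Pitt SecureWeb scan request.

Added example; not part of the Pitt SecureWeb form or scanning tooling.
Assumes one Production URL and one Development URL, each of whose hostnames
must resolve in DNS so the scanner can reach it.
"""
import socket
import sys
from urllib.parse import urlparse


def default_resolver(hostname):
    """Return the set of addresses a hostname resolves to (empty if none)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


def check_site_urls(production_url, development_url, resolver=default_resolver):
    """Validate the Production and Development URLs before submission.

    Returns {"errors": [...], "warnings": [...]}. Errors mean the form should
    not be submitted as-is; warnings are worth a second look but not blocking.
    """
    errors, warnings = [], []
    hostnames = {}
    for label, url in (("Production", production_url), ("Development", development_url)):
        p = urlparse(url)
        if p.scheme not in ("http", "https"):
            errors.append(f"{label} URL must start with http:// or https://: {url!r}")
            continue
        if not p.hostname:
            errors.append(f"{label} URL has no hostname: {url!r}")
            continue
        if p.username or p.password:
            # Login details go in the Technical Information section of the form.
            errors.append(f"{label} URL contains embedded credentials; enter the "
                          f"login in the Technical Information section instead")
        if p.scheme != "https":
            warnings.append(f"{label} URL is not HTTPS; the site will be scanned "
                            f"exactly as entered: {url!r}")
        if not resolver(p.hostname):
            errors.append(f"{label} hostname has no DNS record: {p.hostname}")
        hostnames[label] = p.hostname
    if len(hostnames) == 2 and hostnames["Production"] == hostnames["Development"]:
        warnings.append("Production and Development hostnames are identical; the form "
                        "allows this when the development URL is not yet known, but "
                        "confirm it is intended")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Usage: python check_urls.py https://www.example.edu/ https://dev.example.edu/
    if len(sys.argv) != 3:
        sys.exit("usage: check_urls.py PRODUCTION_URL DEVELOPMENT_URL")
    result = check_site_urls(sys.argv[1], sys.argv[2])
    for kind in ("errors", "warnings"):
        for message in result[kind]:
            print(f"{kind[:-1].upper()}: {message}")
    sys.exit(1 if result["errors"] else 0)
```

Run it with the two URLs you intend to enter; a non-zero exit status means at least one error was found. The resolver argument exists so the same check can be wired into a CI job or tested with canned DNS answers.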
Resubmit Site for Additional Scanning
Once you have remediated any High- or Medium-severity findings for your site, open a new Help Desk ticket requesting a new scan.
Frequently Asked Questions
Q1: Where can I learn more about web application security?
A: PortSwigger, the company behind Burp Suite, offers free training. For more information, see the Web Security Academy.