Web Application Risk Assessment

The objective of a Web Application Risk Assessment is to identify potential risks to WashU websites, web applications, and the infrastructure that hosts them. Risks result from design or functionality flaws that expose sensitive information or systems to malicious activity. During the Assessment, malicious activity is simulated by probing and exploiting system weaknesses to identify potential risks. This is active testing, not passive review, and it may cause damage to vulnerable or improperly configured applications or systems. Any application or system that can be damaged by such activity is, by definition, a significant risk in the view of the Office of Information Security (OIS), so exercising it is a necessary part of the Web Application Risk Assessment process. OIS will not be liable for any resulting damage to vulnerable or improperly configured applications or systems. Please fully back up your systems and data before the assessment, and use the scan-scheduling questions in the questionnaire (2.8 through 2.10) to keep the scan away from active development or other critical use of the site.

For a full preview of what to expect, please review the guidance below before starting the questionnaire.

Guidance

1. To submit a Web Assessment Questionnaire, first click on “Web Assessment Questionnaire” on the OIS Forms page.

2. Enter your WUSTL email address on the OneTrust login page. If you aren’t already logged in with Duo, you will be prompted to complete the WashU 2FA process.

3. From the Self Service Assessment main page, click “Launch” under Web Assessment Questionnaire.

4. Enter the name of your assessment using the format “QA-Application Name.”

5. Click the “forward” arrow to continue.

6. Complete the Contact Information Questionnaire, questions 1.1-1.13. Questions with asterisks are required.

1.1 Application/Web Name

1.2 Date

1.3 Requestor Name *

1.4: Requestor Title

1.5 Requestor Contact Number *

1.6 Requestor Email *

1.7 Technical Contact Name

1.8 Technical Title

1.9 Technical Contact Number *

1.10 Technical Contact Email *

1.11 Additional Contact Name

1.12 Additional Contact Number

1.13 Additional Contact Email

7. After you’ve entered this information, click “Save and Exit” to come back later, or click the right arrow at the bottom of the page to continue.

8. Next, click on “Assessment Questions” to continue to the form. The questions are listed below. Questions with an asterisk are required.

2.1 What is the function of the website being assessed (text box)? *

2.2 What is the classification of the data hosted on the site? *

2.3 Is this a public-facing website (yes or no)? *

2.4 (If you answered “no” to question 2.3) What WUSTL/BJC networks can the site be accessed from (text box)?

2.5 Is the site being managed with a Content Management System such as WordPress (yes or no)? *

2.6 (If you answered “yes” to question 2.5) What CMS is being used (text box)?

2.7 (If you answered “yes” to question 2.5) What is the version or release number of the CMS being used (text box)?

2.8 Is there a preferred time frame in which we should run scans so as not to hinder any active development or projects the site is used for (yes or no)? *

2.9 (If you answered “yes” to question 2.8) Desired date for scan. Choose a date from the menu.

2.10 (If you answered “yes” to question 2.8) Desired time for scan (text box).

2.11 Are login credentials required to access your site? *

2.12 (If you answered “no” to question 2.11) Explain why login credentials are not required (text box).

2.13 (If you answered “yes” to question 2.11) Does the site support WUSTL Key or other single sign-on (yes or no)?

2.14 (If you answered “yes” to question 2.11) How do we request test credentials to access your site (text box)?

2.15 Is this a follow-up assessment (yes or no)? *

2.16 (If you answered “yes” to question 2.15) What is the reason for the follow-up (text box)?

2.17 Select the current state of your site from the drop-down list. *

9. Next, click on the “Technical Content” section. The questions in this section are listed below. Required questions are indicated with an asterisk.

3.1 Website IP address? *

3.2 Website URL? *

3.3 Hosting web server application (e.g., IIS, Apache, nginx)? *

3.4 What is the version or release number of the hosting webserver application? *

3.5 What web technologies were used to develop the site (e.g., .NET, HTML5, Java, JavaScript, PHP)? *

3.6 What is the version or release number of the above listed web technologies being used? *

3.7 Is the site making use of a backend database (yes or no)? *

3.8 (If you answered “yes” to question 3.7) What database system is being used (e.g., MS-SQL, PostgreSQL, MySQL)?

3.9 (If you answered “yes” to question 3.7) What is the version or release number of the backend database being used?

3.10 Is the site hosted behind a web application firewall (WAF) such as an F5 (yes or no)? * Answer this regardless of your answer to question 3.7; it affects how the scan reaches the site.

3.11 Attach any supporting documentation or diagrams. Please include any technical documentation and/or architecture diagrams that may help in the assessment.

10. Once you have completed all the required questions, the “Submit” button in the bottom right corner will become available. Click it to submit your questionnaire.