Service overview
- Faculty & librarians
- Staff
The web application scanning service helps identify security vulnerabilities in internally managed web applications using the Tenable platform.
Vulnerability scanning is required for all organizational systems by the university’s Information Security Control Standard (control RA-2), which states that scanning must occur “periodically and when new vulnerabilities affecting those systems and applications are identified”.
Types of scans
The service offers two different modes of scanning:
- Authenticated mode: Runs with user credentials to provide a deeper look at the application’s security posture.
- Unauthenticated mode: A surface-level scan that identifies only externally visible issues.
Both modes can be requested as a quick scan, which provides a high-level check in a short time, or as a comprehensive scan, which takes longer and offers a deeper analysis of vulnerabilities.
Who is this service for?
This service is available to faculty and staff who manage web applications. Examples include WordPress websites, Pepper applications and commercial applications such as REDCap. It is not intended for student use or for third-party hosted services.
Who can request this service?
Only service owners (or designated staff) with authority to approve scans and apply mitigations may request scans. Approval from the service owner is required.
When to request a scan
- Before go-live of a new web application
- After significant changes to an existing application
Note: Production scans are strongly discouraged unless there is no alternative, as they may cause disruption.
What the service provides
- A report of vulnerability scan results for your web application
- By request, an additional summary of scan findings and recommendations (subject to staff availability)
What the service does not provide
- Remediation. The Risk Management team can provide limited advisory support if specifically requested, but requestors are responsible for reviewing and acting on scan results.
- Continuous scanning. Scans are run on request only.
- Penetration testing. This is not a penetration testing service.
Cost
There is no cost to the requestor for standard web application scanning requests. However, licensing limitations may impact scan availability.
Last modified: January 30, 2026
