NIH External AppScan Procedure
AppScans can be provided by NIH IRT (Incident Response Team) free of charge for NCI-owned or NCI-funded websites that are contractor- or cloud-hosted. Scans typically take anywhere from one day to several days to complete, depending on the number of pages on a given site and any technical difficulties the tool runs into during the scan. If a scan is interrupted because of a problem with the tool, the NIH IRT engineer may need to resolve the issue with the site owner/webmaster before resuming the scan; sometimes this takes several iterations before a scan fully completes. Once a scan has completed, NIH IRT sends the scan report to the requestor within one business day. To request an AppScan of your externally hosted NCI website or web application from NIH IRT, follow these steps:
- Email the NCI ISSO (nciirm [at] mail.nih.gov) to obtain written approval to scan your website(s). Specify exactly which sites and URLs you want scanned to avoid any ambiguity: give the highest-level URL that contains all of the sub-pages that need to be scanned. For instance, state whether you want an entire site scanned, such as newsite.nci.nih.gov, or only a sub-site, such as newsite.nci.nih.gov/systemX.
- Once you have received written approval from the NCI ISSO, send an email to IRT [at] nih.gov with a completed copy of the AppScan request form to request the scan. Note that this form is available only inside the NIH firewall. If you do not have intranet access, email the NCI Security Team at ncicbiitsecurityteam [at] mail.nih.gov, who can help you set up an external request.
- Your organization’s designated security official or project manager must also give written authorization (in addition to the NCI ISSO’s approval obtained previously) before IRT will remotely scan your application. Once IRT has both the NCI ISSO’s and your organization’s written approvals, it will schedule the scan and give 24 hours’ notice to the designated point of contact in your organization.
- In addition to the initial scan, NCI recommends setting up quarterly AppScans with IRT, as part of an overall continuous monitoring strategy, so that new vulnerabilities are identified as they emerge.
- We recommend creating a designated account used solely for scanning and shared only with NIH IRT. This account should not be an administrative account on the website or on any server; it should be an ordinary user account with just enough privileges to navigate every page of the website. The most effective AppScans are those that can reach all pages on a site, including restricted pages behind a login.
- While credentialed scans give the best results because they can explore every page of your site/application, they can also be destructive when the form-fill function is enabled, since the scanner then submits test data through every form it finds. We therefore recommend scanning a non-production system that is configured identically to production (such as staging or QA). We also recommend having an administrator monitor the scan so that any undesired changes or impacts to the website/application can be addressed during and after scanning.
- Promptly address all High/Critical findings, as well as any Moderate-risk findings that are valid. You are ultimately the arbiter of which findings are valid and which are false positives.