NIH uses a managed web application vulnerability scanning tool to verify that commonly exploitable web vulnerabilities are identified so they can be fixed. That tool is currently Invicti (formerly called Netsparker); NIH previously used AppScan. NIH Threat Management and Incident Response (TMIR) provides these scans free of charge for contractor- or cloud-hosted websites that NCI owns or funds.

Scans typically take anywhere from one day to several days to complete, depending on the number of pages on a given site and any technical difficulties the tool runs into during the scan. If a scan is interrupted by a technical issue with the tool, the NIH TMIR engineer may need to resolve the issue with the site owner/webmaster before resuming the scan, and this process sometimes takes multiple iterations before a scan fully completes. Once a scan has completed, NIH TMIR sends the scan report to the requestor within one business day.

To request a scan of your externally hosted NCI website or web application from NIH TMIR, follow these steps:
- Email the NCI ISSO to obtain written approval to scan your website(s). Be sure to specify which sites and URLs you wish to have scanned in order to avoid any ambiguity. Specify the highest-level URL that contains all of the sub-pages that need to be scanned: for instance, state whether you wish to scan an entire site such as newsite.nci.nih.gov, or only a sub-site such as newsite.nci.nih.gov/systemX.
- Once you have received written approval from the NCI ISSO, send an email to IRT@nih.gov with a completed copy of the Invicti/Netsparker request form to request the scan. Note: this request form is available only inside the NIH firewall. If you do not have intranet access, email the NCI ISSO and the NCI Security Team will help you set up an external request.
- Once TMIR has both the NCI ISSO's and your organization's written approvals, they will schedule the scan and give 24-hour notice to the designated point of contact from your organization. Your organization's designated security official or project manager must give written authorization (in addition to the NCI ISSO's permission obtained previously) for IRT to remotely scan your application before they proceed.
- In addition to an initial scan, NCI recommends setting up quarterly recurring scans with TMIR to ensure new vulnerabilities are identified as they emerge as part of an overall continuous monitoring strategy.
- We recommend creating designated credentials that are used solely for scanning and shared only with NIH TMIR. This account should not be an administrative account on the website or on any server; it should be a user account with just enough privilege to navigate all pages on the website. The most effective scans are those that can navigate every page on a site, including restricted pages that are protected by a login.
- While credentialed scans give the best results because they are able to explore all pages of your site/application, they can also be destructive if the form-fill function is enabled. Therefore, we recommend scanning a non-production system that is configured identically to your production system (such as staging or QA). We also recommend that an administrator monitor the scans so that any undesired changes or impacts to your website/application can be addressed during and after scanning.
- Promptly address all validated findings according to the NIH vulnerability remediation timeline standard. You are ultimately the arbiter of which findings are valid and which are false positives.