When your task is to set up and request a Security Scan for any of the Non-WordPress sites.
Scans happen every month except November
Web Dev Schedule https://docs.google.com/spreadsheets/d/1Ol1rg1LZ6FjlFvz8ViCSg83pBb-5sShzuyxmc_Hg_oU/edit#gid=0
Vulnerability scan schedule https://docs.google.com/spreadsheets/d/1ABb68I7LHtG2fIh2CiMAMC_L45QUVfqP0bJfqkqW0NM/edit#gid=0
Security Scans archive: https://cornell.box.com/s/jeekdk83wpvrwe9daeu3aniyvlg9v70s
- Check the “Vulnerability scan schedule” to see what’s on the list for the current month
Copy all the links listed for that month
- In the code, comment out any automatic emails so they won’t get sent.
Check the .htaccess file to make sure that the itsoscan security office can access the sites.
Remove the #(hashtag) in the “require shib-attr uid itsoscan” line to allow them to scan with Duo disabled.- To scan the Intranet you will need to remove the comment out commands, circled in yellow below, from the command on line 24 circled in red below.
Send an email to security-services@cornell.edu requesting a scan.
Please run a security scan on our test sites https://testspi.aad.cornell.edu/ and https://testconnect.aad.cornell.edu/ at your earliest convenience. We have prepared for it by turning off notifications and disabling the automated emails.- Check the reports that come back for any issues more than low-level risk
- When any issues are dealt with save the zipped scan reports in Cornell Box, aad-wsux, Security Scans folder. This folder should be locked down to aad-wsux team and Lisa Stensland (aad IT security contact).