Use this procedure when your task is to set up and request a security scan for any of the non-WordPress sites.

Scans happen every month except November.


Web Dev Schedule: https://docs.google.com/spreadsheets/d/1Ol1rg1LZ6FjlFvz8ViCSg83pBb-5sShzuyxmc_Hg_oU/edit#gid=0

Vulnerability scan schedule: https://docs.google.com/spreadsheets/d/1ABb68I7LHtG2fIh2CiMAMC_L45QUVfqP0bJfqkqW0NM/edit#gid=0
Security Scans archive: https://cornell.box.com/s/jeekdk83wpvrwe9daeu3aniyvlg9v70s

  1. Check the “Vulnerability scan schedule” to see what’s on the list for the current month
  2. Copy all the links listed for that month



NEW—The email port is changed from 25 to 999 within the ColdFusion admin for each instance on Media3 servers, both test and dev.

To set them back to 25 when ready, you can log into each instance and under the server settings there is a mail option. Once you click on that, you will see the mail port listed as 999. You can update this to 25 and click submit changes. You will need to do this to the other 2 CF instances as well. You may have to check your code too. If you specify server and port in your cfmail code, that will override the settings you are doing. Please let us know if you have any questions.

  1. In the code, comment out any automatic emails so they won’t get sent.

  2. Check the .htaccess file to make sure that the itsoscan security office can access the sites.
    Remove the # (hash) at the start of the “require shib-attr uid itsoscan” line to allow them to scan with Duo disabled.



  3. To scan the Intranet you will need to remove the comment out commands, circled in yellow below, from the command on line 24 circled in red below.
  4. TURN OFF DEBUGGING on the test servers to be scanned.
  5. Send an email to security-services@cornell.edu requesting a scan.

    Please run a security scan on our test sites https://testspi.aad.cornell.edu/ and https://testconnect.aad.cornell.edu/ at your earliest convenience. We have prepared for it by confirming that “itsoscan” has permission, turning off notifications and disabling the automated emails.

  6. Check the reports that come back for any issues above low-level risk.

  7. When any issues are dealt with, save the zipped scan reports in Cornell Box, aad-wsux, Security Scans folder. This folder should be locked down to the aad-wsux team and Lisa Stensland (aad IT security contact).
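
A pre-scan check for two points above, as an added example that is not part of the original procedure: it flags `<cfmail>` tags that set `server` or `port` (which override the mail port set in the ColdFusion admin, so mail could still go out during a scan) and reports whether the “require shib-attr uid itsoscan” line in .htaccess is uncommented. The function names and the sample inputs are assumptions constructed for illustration.

```python
import re

# Opening <cfmail ...> tag; [^>]* also spans newlines, so multi-line tags match.
# Heuristic: a literal ">" inside an attribute value would cut the tag short.
CFMAIL_TAG = re.compile(r"<cfmail\b[^>]*>", re.IGNORECASE)
# server= / port= inside the tag override the ColdFusion admin mail settings.
OVERRIDE_ATTR = re.compile(r"\b(server|port)\s*=", re.IGNORECASE)
# The exact rule named in step 2, with any leading "#" captured.
ITSOSCAN_RULE = re.compile(
    r"^\s*(#*)\s*require\s+shib-attr\s+uid\s+itsoscan\s*$", re.IGNORECASE)

def cfmail_overrides(source):
    """Return [(line_number, [attribute names])] for tags that set server/port."""
    hits = []
    for tag in CFMAIL_TAG.finditer(source):
        attrs = sorted({a.lower() for a in OVERRIDE_ATTR.findall(tag.group(0))})
        if attrs:
            hits.append((source.count("\n", 0, tag.start()) + 1, attrs))
    return hits

def itsoscan_state(htaccess):
    """Return 'enabled', 'commented' or 'missing' for the itsoscan rule."""
    state = "missing"
    for line in htaccess.splitlines():
        rule = ITSOSCAN_RULE.match(line)
        if rule and not rule.group(1):
            return "enabled"
        if rule:
            state = "commented"
    return state

# Constructed sample inputs, not taken from the real sites.
SAMPLE_CFM = '''<cfmail to="#addr#" from="noreply@example.edu" subject="Hi">x</cfmail>
<cfmail to="#addr#" from="noreply@example.edu"
        subject="Hi" server="smtp.example.edu" port="25">x</cfmail>
'''
SAMPLE_HTACCESS = '''require shib-attr uid abc123
#require shib-attr uid itsoscan
'''

if __name__ == "__main__":
    for line_no, attrs in cfmail_overrides(SAMPLE_CFM):
        print(f"line {line_no}: cfmail sets {', '.join(attrs)}; admin port is bypassed")
    print("itsoscan rule:", itsoscan_state(SAMPLE_HTACCESS))
```

Mail sent from CFScript is not covered by this check, so those templates still need a manual look.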