Reminder: The method for ordering VITA services has changed. Please follow the revised instructions in the "How to Order" section, below.
Price: No Cost
Unit of Measure: Per Service
Pricing Type: Fixed
Billing Cycle: Usage-Based
Service Lead: Bill Freda Bill.Freda@vita.virginia.gov
This service provides your agency with a method to help identify web application vulnerabilities and secure your web applications while maintaining compliance with Commonwealth of Virginia information security standards. The service is able to identify over 600 web application vulnerabilities including the OWASP Top 10, configuration errors and many others. This service is intended to provide guidance for agencies with limited or advanced web application security expertise in-house.
Web Application Vulnerability Scan and Reporting
The service includes an automated web application vulnerability scan, with manual crawl if required, a manual review of findings and a default report. The URL is then added to a scheduler for automated quarterly scanning and reporting. This enables your agency to identify vulnerabilities and focus remediation efforts, gauging the results and identifying new findings every 90 days from the reports. The commonwealth security and risk management (CSRM) web application vulnerability team will assist with interpreting scan results. Your agency is responsible for verifying and remediating the vulnerabilities that are identified.
The service, including the initial and quarterly scans and reports, is provided to all executive branch agencies and non-exempt institutions of higher education at no direct charge.
Additional scans and reporting may be requested.
Executive branch agencies and non-exempt institutions of higher education may request scans of non-production applications for $250/scan. In addition, judicial and legislative branch agencies and localities may request scans for $250/scan.
Additional vulnerability remediation resources are available through the contract labor agreements (rate is $125/hour).
The CSRM web application and vulnerability testing team is continually monitoring the internet for new vulnerabilities. The team has significant cybersecurity experience and extensive training in securing web applications and IT infrastructure. This diverse knowledge base provides CSRM with the background needed to evaluate your agency's system for security vulnerabilities and to provide guidance on remediation. By addressing security vulnerabilities before an incident occurs, we can lessen the risk of compromise and costly post-event remediation.
Effective 12/15/18, this service can be ordered from the VITA Service Catalog in the new VITA Service Portal. To submit your request:
If you are uncertain as to whether you have a COV account, start by trying to access the VITA Service Portal. If you are unable to do so, then use the email-to-the-VCCC method.
If you need additional assistance, you may check with your agency information technology resource (AITR) or call the VCCC at 866-637-8482.
You will be contacted to confirm that your request has been received and to obtain any additional required information.