Web Application Vulnerability Scanning Services

generic network product image

Price: No Cost

Unit of Measure: Per Service

Pricing Type: Fixed

Billing Cycle: Usage-Based

Service Lead: Bill Freda Bill.Freda@vita.virginia.gov


This service provides 

your agency with a method to help identify web application vulnerabilities and secure your web applications while maintaining compliance with Commonwealth of Virginia information security standards. The service is able to identify over 600 web application vulnerabilities including the OWASP Top 10, configuration errors and many others. This service is intended to provide guidance for agencies with limited or advanced web application security expertise in house.

  • Provides cybersecurity expertise with a diverse knowledge base
  • Helps secure web applications and web services
  • Eliminates cost of purchasing, implementing, maintaining and mastering web application vulnerability assessment tools
  • Offers scanning and reporting for public-facing and internal web applications and services
  • Delivers a platform-independent assessment with specific results
  • Produces easy-to-read and interpret reports
  • Delivers automated and manual scanning with manual results verification
  • Provides remediation guidance and finding resolution validation

Web Application Vulnerability Scan and Reporting
The service includes an automated web application vulnerability scan, with manual crawl if required, a manual review of findings and a default report. The URL is then added to a scheduler for automated quarterly scanning and reporting. This enables your agency to identify vulnerabilities and focus remediation efforts, gauging the results and identifying new findings every 90 days from the reports. The commonwealth security and risk management (CSRM) web application vulnerability team will assist with interpreting scan results. Your agency is responsible for verifying and remediating the vulnerabilities that are identified. 
The service, including the initial and quarterly scans and reports, is provided to all executive branch agencies and non-exempt institutions of higher education at no direct charge.

Additional scans and reporting may be requested.


Executive branch agencies and non-exempt institutions of higher education may request scans of non-production applications for $250/scan. In addition, judicial and legislative branch agencies and localities may request scans for $250/scan.

Additional vulnerability remediation resources are available through the contract labor agreements (rate is $125/hour).

The CSRM web application and vulnerability testing team is continually monitoring the internet for new vulnerabilities. The team has significant cybersecurity experience and extensive training in securing web applications and IT infrastructure. This diverse knowledge base provides CSRM with the background needed to evaluate your agency's system for security vulnerabilities and to provide guidance on remediation. By addressing security vulnerabilities before an incident occurs, we can lessen the risk of compromise and costly post event remediation.

How to Order

Additional scans for non-production applications (executive branch agencies and non-exempt institutions of higher education) – standard work request form found in the Service Catalog Form Library

Judicial and legislative branch agencies and localities – standard work request form found in the Service Catalog Form Library

Consulting services – custom work request form RD1-002; note "consulting services" and other requirements in the field "General description of customer's business needs" – found in the Service Catalog Form Library

Please contact your customer account manager (CAM) or the service lead for additional information.

Need help?

Send VITA Onestop an email: vitaonestop@vita.virginia.gov to collaborate or handle your order.