Question VULN-03
Are your systems and applications scanned with an authenticated user account for vulnerabilities (that are remediated) prior to new releases?
| Attribute | Value |
|---|---|
| Weight | 25 |
| High Risk | Yes |
| Required | Yes |
| Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
Describe plans to implement application vulnerability scanning (and remediation) prior to release.
Answering "YES"
Provide a brief description.
Reason for Question
Modern technologies allow for rapid deployment of features, and with them come changes to an established code environment. The focus of this question is to confirm that the vendor regression tests its code before release and verifies that previously nonexistent risks are not introduced into a known, secured environment.
Follow-Up Inquiries
Ask if there are plans to implement these processes. Ask the vendor to summarize their decision behind not scanning their applications for vulnerabilities prior to release.
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]