Web Application Security Testing

A service overview and catalog of Web Application Security Testing provided by the UC Berkeley IT Service Hub.

Description

This service is a partnership between the Information Security Office (ISO) and the School of Information (MICS). It provides UC Berkeley application owners with offensive (attackers’ point of view) application security testing conducted by graduate students under faculty supervision.

Service Delivery & Expectations

Cadence: Semester-based; typically two or three applications are tested per semester.
Selection: Rolling applications; based on risk profile and academic fit.
App Admin Commitment: 2–4 hours per semester for scoping, credentials, and environment setup.

Deliverables
Security Assessment Report: A report with detailed technical findings including severity ratings, proof of exploitation, and remediation recommendations for each discovered vulnerability.

Benefits & Features

Include benefits the offering enables.

Skillful Testing: Students use modern methodologies to find undiscovered web application flaws.
Zero Cost: A high-value alternative to expensive third-party penetration testing.
Compliance: Facilitates MSSEI requirement fulfillment for P4 data and Critical IT Resources.
Risk Reduction: Proactively identifies vulnerabilities before they can be exploited.

Getting Started

1. Determine if Your Web Application is Eligible to Participate:
Before submitting, verify that your application meets the Eligibility Requirements :

Qualified : Web applications developed and managed by UC Berkeley, affiliates, or One IT departments.
Ineligible : Static content-only sites (blogs and departmental websites), non-web-based software (thick clients), and third-party applications managed outside of UC Berkeley (SaaS apps).

2. Complete the Sign Up Form
To initiate a service request, the designated Application Admin must complete the MICS/ISO Web Application Security Testing - Sign Up Form.

Required information for Submission:

Contact Details : Contact info for both the Technical Lead and Functional Owner.
Web Application Info : Primary name, URL, functional description, user base, hosting provider, and network accessibility.
Security Context : Current Protection Level (P1–P4) and Availability Level (A1–A4).

See Web Application Security Testing Details (Authentication Required) for further information.

Service Details

Eligibility	This service is available to Faculty and Staff.
Contact	Request the Service: Complete the MICS/ISO Web Application Security Testing - Sign Up Form to open a ticket.
Availability	Available 24/7. Support is provided Monday–Friday, 8:00 AM – 5:00 PM PT, excluding University holidays and curtailment periods.
Cost	There are no direct costs associated with this service.
Data Classification	This service is rated for P4, A2, and R1 data. Compliance: Users are responsible for ensuring data handled within this service complies with the Data and IT Resource Classification Standards.