Vulnerability management for end users
Flexera personal software inspector (PSI)
Modern operating system software, and some of the more common application software, provide automatic updates; however, many applications do not. You very likely have dated software on your computer that has known security vulnerabilities. To help improve the security posture of Windows computers, the Flexera PSI software inventories the software installed on your computer, correlates that information with the Flexera vulnerability database to determine which software is vulnerable, and provides you with information on updating/patching that software. All members of the University of Waterloo community are encouraged to download and install PSI (an .exe installer) on their personal Windows computers. A score greater than 95% means your computer is well patched against known vulnerabilities.
Note: When installing the software, you have the option of enabling the automatic update feature. Be advised that while the automated updates via PSI work most of the time, some software on certain systems may need to be updated using the vendor-supported method.
Qualys BrowserCheck will perform a security analysis of your browser and its plugins to identify any security issues.
Vulnerability management for IT staff
Flexera corporate software inspector (CSI)
The University of Waterloo has a subscription to Flexera CSI, which provides the same basic functionality as PSI but is targeted at enterprise environments where PCs are centrally managed. The main differences are:
- Reporting is to a central console.
- Scanning is done by System Center Configuration Manager (SCCM) or by a Windows service that runs on the workstation (silent to the end user).
- Updates can be distributed via SCCM.
The University of Waterloo has a subscription to the QualysGuard vulnerability management software, hosted by Telus. QualysGuard supports scans from off-campus as well as from on-campus (using the provided scanning appliances) to help the university assess the security posture of hosts on the campus network. QualysGuard supports distributed management, so IT staff can schedule scans and generate reports for the hosts they are responsible for.
Web application vulnerability scanning
If you are developing a web-based application for the University of Waterloo, then it will need to be reviewed for security. The Information Systems & Technology (IST) Information Security Services (ISS) group can assess your application for security and compliance issues. ISS will assess the type of information being processed, the architecture of the application, and with the help of vulnerability scanning software, look for common web application vulnerabilities such as injection and cross-site scripting.
University of Waterloo IT staff who wish to take advantage of the above services should contact the IST Security Operations Centre.