Frequently Asked Questions - Application Security Testing Program (ASTP)

No. Information Security and Policy does not "certify" applications. A Pass or Fail grade is intended to indicate whether or not an application meets the campus minimum security requirements for application security at the time at which it was assesssed. 

An application security assessment is intended to find the most critical and high risk vulnerabilities; however, the assessment process is often accelerated due to time and resource constraints meaning all vulnerabilities may not be discovered in a single assessment.

Remediation due dates are generated based on the risk and the breadth of the vulnerability. Due dates can be negotiated with the Information Security Office at the time of disclosure. For example, some due dates may be changed for reasons like:

• Reliance upon a vendor to implement a fix for a discovered vulnerability
• Development time
• Retirement of a vulnerable portion of an application

Ultimately, it is the responsibility of the application owner to make or coordinate best efforts to remediate and/or adequately mitigate the risks in a timely fashion.

No. ASTP assessments only measure compliance with campus minimum application security requirements. Though, it should be noted that achieving compliance with campus standards will lay a lot of ground work for meeting PCI, HIPAA, CPHS, or other external standards. The campus Minimum Security Standards for Electronic Information (MSSEI) is based off the SANS Top 20 Critical Controls, so there is some overlap with external standards.

Currently, applications handling UC P4 data should plan for an application security assessment once every two years. However, scheduling will depend on available resources and other factors such as how drastically an application has changed since the prior assessment.