Web Application Vulnerability Scanning

NOTE: As of December 31st, 2016, the IBM AppScan Web Application Vulnerability Scanning service has been discontinued.

IBM AppScan licenses were not renewed; however, several viable alternatives exist for campus users wishing to scan their web apps for vulnerabilities:

  1. Utilize the free Departmental Network Vulnerability Scanning service with web application checks enabled. These checks can be enabled by creating your own custom scanning policy after signing into your departmental Nessus account. See the following whitepaper for more information:


    Please note that if your web application is hosted at an off-site provider, scanning is prohibited without prior express written consent from the provider.

  2. Utilize Open Source web application vulnerability scanning tools such as w3af and more. A comprehensive list of tools is available at:


  3. Purchase a commericial web application vulnerability via your department resourcing. A comparison of commercial tools is available at:


  4. If you develop or manage a campus web application that handles Protection Level 2 data, you can engage Information Security & Policy to be assessed by our Application Security Testing Program (ASTP).

  5. Lastly, if you have any questions about securing your campus web application, please email us at security@berkeley.edu and the Assessments and Compliance team can assist you.