The University of Texas at San Antonio

Office of Information Technology

Office of Information Security (OIS) Standards


OIS 37 – Standard for Web Application Vulnerability Scanning



Good application security consists of knowledge of threats and regular feedback on the state of protection within an application.



This standard supports HOP Policy 8-12 Information Resources Use and Security Policy.



This standard applies to all UTSA faculty, staff, and students.



If you have any questions about OIS 37 – Standard for Web Application Vulnerability Scanning contact the following office:


The Office of Information Security



  1. Business units and system administrators must be aware of the vulnerabilities that can exist within the applications so that appropriate actions can be taken to mitigate these risks. Vulnerability scanning is a procedure designed to identify security weakness in the application and to assist in mitigation of those weaknesses.
  2. All Web applications attached to the UTSA network are subject to security vulnerability scans. Proactive scanning allows for timely discovery of known risks and promotes actions to prevent compromise, breach and destructive activity within application and/or the network. Reactive security scanning provides a means of assessment and damage control.
  3. Scans are required:
a. Prior to the promotion to production of a Web application associated with a formal project.
b. After a compromise of a UTSA Web application accessible through the Internet.
c. Annually for all mission-critical operations.
d. Other Web applications will be scanned at the request of the application owner when potential or existing risks are identified within the environment.


Effective Date: April 22, 2012

Last Revised: August 25, 2014

Reviewed: July 20, 2017